Issues/single logout

DotNetCasClient/CasAuthentication.cs

@@ -737,13 +737,22 @@ internal static void ProcessSingleSignOutRequest()
 
             protoLogger.Debug("Examining request for single sign-out signature");
 
-            if (request.HttpMethod == "POST" && request.Form["logoutRequest"] != null)
+#if NET45
+            if (request.HttpMethod == "POST" && request.Unvalidated.Form["logoutRequest"] != null)
+#else
+            if (request.HttpMethod == "POST" && RequestEvaluator.GetLogoutRequestBody(request) != null)
+#endif
+
             {
                 protoLogger.Debug("Attempting to get CAS service ticket from request");
                 // TODO: Should we be checking to make sure that this special POST is coming from a trusted source?
                 //       It would be tricky to do this by IP address because there might be a white list or something.
-
-                string casTicket = ExtractSingleSignOutTicketFromSamlResponse(request.Params["logoutRequest"]);
+#if NET45
+                string casTicket = ExtractSingleSignOutTicketFromSamlResponse(request.Unvalidated.Form["logoutRequest"]);
+#else
+                string casTicket = ExtractSingleSignOutTicketFromSamlResponse(RequestEvaluator.GetLogoutRequestBody(request));
+#endif
+
                 if (!String.IsNullOrEmpty(casTicket))
                 {
                     protoLogger.Info("Processing single sign-out request for " + casTicket);

DotNetCasClient/Utils/RequestEvaluator.cs

@@ -19,6 +19,7 @@
 
 using System;
 using System.Globalization;
+using System.IO;
 using System.Web;
 
 namespace DotNetCasClient.Utils
@@ -29,6 +30,8 @@ namespace DotNetCasClient.Utils
     /// <author>Scott Holodak</author>
     internal static class RequestEvaluator
     {
+        private const string LOGOUT_REQUEST_KEY = "logoutRequest";
+
         /// <summary>
         /// Determines whether the request has a CAS ticket in the URL
         /// </summary>
@@ -271,7 +274,12 @@ internal static bool GetRequestIsCasSingleSignOut()
             HttpRequest request = context.Request;
 
             bool requestIsFormPost = (request.RequestType == "POST");
-            bool haveLogoutRequest = !string.IsNullOrEmpty(request.Params["logoutRequest"]);
+#if NET45
+            bool haveLogoutRequest = !string.IsNullOrEmpty(request.Unvalidated.Form["logoutRequest"]);
+#else
+            bool haveLogoutRequest = !string.IsNullOrEmpty(GetLogoutRequestBody(request));
+#endif
+
 
             bool result =
             (
@@ -281,6 +289,33 @@ internal static bool GetRequestIsCasSingleSignOut()
 
             return result;
         }
+        /// <summary>
+        /// Read body from request input stream
+        /// Does not cause System.Web.HttpRequestValidationException 
+        /// </summary>
+        /// <returns></returns>
+        internal static string GetLogoutRequestBody(HttpRequest request)
+        {
+            StreamReader reader = new StreamReader(request.InputStream);
+            var body = reader.ReadToEnd();
+
+            //Seek it back to the beginning
+            request.InputStream.Seek(0, SeekOrigin.Begin);
+
+            if (!body.StartsWith(LOGOUT_REQUEST_KEY))
+            {
+                return null;
+            }
+
+            var logoutBody = body.Substring(LOGOUT_REQUEST_KEY.Length + 1);
+
+            if (string.IsNullOrEmpty(logoutBody))
+            {
+                return null;
+            }
+
+            return HttpUtility.UrlDecode(logoutBody);
+        }
 
         /// <summary>
         /// Determines whether the User associated with the request has been