I am developing a site which will use JSON requests from the client for most of the transactions. Among other security considerations, it would be useful to have MVC accept an AntiForgeryToken as part of each transaction. For now, I have created a rather ugly hack to permit submission of JSON data along with an AntiForgeryToken. By adding a ValidateJsonAntiForgeryTokenAttribute class, and making a minor modification to the JsonValueProvider class, it would be possible to pass __RequestVerificationToken back with each JSON request, and have the appropriate validation executed. The only caveat would be that the __RequestVerificationToken could not be nested inside of any other element in the model, based on the implementation attached. This modification is much more easily accomplished within MVC than by my trying to write external classes. Thanks.
I realize (with a red face) that my code will not work, because I did not reset the position of controllerContext.HttpContext.Request.InputStream after the StreamReader is opened, since I am now consuming the stream twice. The following line of code:
controllerContext.HttpContext.Request.InputStream.Position = 0;
must be added after:
StreamReader reader = new StreamReader(controllerContext.HttpContext.Request.InputStream);