Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Enabling SSL Client Certificate Required for specific Controller or Action in Asp.Net MVC

Is there any MVC specific way to require an SSL Client Certificate for a specific Action or Controller, i.e very much the way RequireHttps or Authorize works, but for ClientCerts?

I know about the trick where you create an empty folder in the site, a Controller with the same name as the folder and then set up a rule in web.config, but I don't want to do it this way, I am looking for an MVC solution if there is one.

(Example of the web.config trick:)

  <location path="/ClientCert">
    <system.webServer>
      <security>
        <access sslFlags="Ssl,SslRequireCert" />
      </security>
    </system.webServer>
  </location>

I'm curious if there is a solution that can be encapsulated in an ActionFilter and/or HttpModule?

like image 990
peter3 Avatar asked Jan 14 '15 15:01

peter3


1 Answers

I don't believe so. Client Certificates are handled and mapped in IIS or HTTP.sys during connection negotiation, which is way lower down than MVC. If that client certificate is being used for mutual authentication with SSL/TLS, then the client certificate is needed just to establish a HTTPS session and connection.

This all happens well before MVC, or any code for that matter, is given a chance to run. This happens down in the kernel in HTTP.sys.

like image 51
vcsjones Avatar answered Oct 12 '22 23:10

vcsjones