Is there any MVC specific way to require an SSL Client Certificate for a specific Action or Controller, i.e very much the way RequireHttps or Authorize works, but for ClientCerts?
I know about the trick where you create an empty folder in the site, a Controller with the same name as the folder and then set up a rule in web.config, but I don’t want to do it this way, I am looking for an MVC solution if there is one.
(Example of the web.config trick:)
<location path="/ClientCert">
<system.webServer>
<security>
<access sslFlags="Ssl,SslRequireCert" />
</security>
</system.webServer>
</location>
I’m curious if there is a solution that can be encapsulated in an ActionFilter and/or HttpModule?
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
I don’t believe so. Client Certificates are handled and mapped in IIS or HTTP.sys during connection negotiation, which is way lower down than MVC. If that client certificate is being used for mutual authentication with SSL/TLS, then the client certificate is needed just to establish a HTTPS session and connection.
This all happens well before MVC, or any code for that matter, is given a chance to run. This happens down in the kernel in HTTP.sys.
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0