问题
Is there any MVC specific way to require an SSL Client Certificate for a specific Action or Controller, i.e very much the way RequireHttps or Authorize works, but for ClientCerts?
I know about the trick where you create an empty folder in the site, a Controller with the same name as the folder and then set up a rule in web.config, but I don't want to do it this way, I am looking for an MVC solution if there is one.
(Example of the web.config trick:)
<location path="/ClientCert">
<system.webServer>
<security>
<access sslFlags="Ssl,SslRequireCert" />
</security>
</system.webServer>
</location>
I'm curious if there is a solution that can be encapsulated in an ActionFilter and/or HttpModule?
回答1:
I don't believe so. Client Certificates are handled and mapped in IIS or HTTP.sys during connection negotiation, which is way lower down than MVC. If that client certificate is being used for mutual authentication with SSL/TLS, then the client certificate is needed just to establish a HTTPS session and connection.
This all happens well before MVC, or any code for that matter, is given a chance to run. This happens down in the kernel in HTTP.sys.
来源:https://stackoverflow.com/questions/27945921/enabling-ssl-client-certificate-required-for-specific-controller-or-action-in-as