# Saturday, March 14, 2009

UPDATED: 4/25/2008 – See my new post on Partial SSL in Asp.Net MVC using the RequireSSL attribute from the MVC Futures Project

Tonight I was working on a small Asp.Net MVC project and was trying to add authorization and “require SSL” to specific pages using IIS. Of course you don’t have pages like you used to in Web Forms, so setting security and SSL on a per-directory and per-file basis doesn’t work the way I’m used to.

The authorization requirement is actually pretty easy to handle once I approached the problem from a strictly MVC point of view. Using the Authorize attribute, which ships with Asp.Net MVC, I was able to pick and choose which controller actions I wanted to secure. In the code sample below I’m requiring the requester to belong to the Users role (the RequireSslFilter attribute next to it is explained further down).

```csharp
[AcceptVerbs(HttpVerbs.Get), RequireSslFilter(Order = 1), Authorize(Roles = "Users", Order = 2)]
public ActionResult ToServer()
{
    return View("ToServer");
}
```

When you need a little more control, you can implement a class that inherits from AuthorizeAttribute. Examples of when you might want to do this would be if you wanted to change the authorized role at runtime, not require any role at all (perhaps in your dev environment), or require SSL. In the example above you can see the RequireSslFilter, a custom filter (implemented below) that requires the use of SSL.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

public class RequireSslFilter : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Plain HTTP from a remote client: bounce to the same URL over HTTPS.
        // IsLocal lets a dev box keep using http://localhost.
        if (!httpContext.Request.IsLocal && !httpContext.Request.IsSecureConnection)
        {
            // Change only the scheme. A string Replace on the lowercased URL would also
            // rewrite "http" inside the path or query and mangle case-sensitive values.
            UriBuilder secureUrl = new UriBuilder(httpContext.Request.Url);
            secureUrl.Scheme = Uri.UriSchemeHttps;
            secureUrl.Port = -1; // default port for the scheme (443)
            httpContext.Response.Redirect(secureUrl.Uri.AbsoluteUri); // ends the response
        }

        // Base check still runs, so this filter also requires an authenticated user.
        return base.AuthorizeCore(httpContext);
    }
}
```

In the code I check whether the request is neither local nor secure and, if so, redirect to the HTTPS version of the same URL. The IsLocal check is useful for development scenarios. I added the Order parameter to the RequireSslFilter attribute so that the SSL check runs before the role check. This helps ensure that credentials are only sent over SSL.

Two caveats are worth knowing. Because the filter inherits from AuthorizeAttribute and calls base.AuthorizeCore, it also requires an authenticated user, so it cannot be used on its own to force HTTPS for an anonymous page. And a redirect only protects GET requests: a form POST that arrives over plain HTTP has already sent its fields, credentials included, in cleartext, and the redirect drops the body. To keep the forms-authentication cookie off plaintext connections as well, set requireSSL="true" on the <forms> element in web.config so the cookie is issued with the Secure flag. Later versions of ASP.NET MVC (2.0 and up) ship a RequireHttpsAttribute that performs this redirect for GET requests and rejects other verbs.
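As an added example (not code from the original post), here is the same "require SSL" behaviour written as a plain authorization filter instead of an AuthorizeAttribute subclass. It short-circuits by setting filterContext.Result rather than calling Response.Redirect, does not drag in the base class's authentication check, changes only the URL scheme, and refuses to redirect non-GET requests whose body has already crossed the wire in cleartext. The names RequireHttpsFilter, AllowLocal and AccountController are assumptions for illustration; the API surface (FilterAttribute, IAuthorizationFilter, AuthorizationContext, RedirectResult, EmptyResult) is ASP.NET MVC 1.0's.

```csharp
// Added example, not from the original post. Assumes ASP.NET MVC 1.0 (System.Web.Mvc).
using System;
using System.Web;
using System.Web.Mvc;

// Stand-alone HTTPS enforcement: does not inherit from AuthorizeAttribute, so it never
// demands an authenticated user as a side effect and can sit on anonymous actions too.
public class RequireHttpsFilter : FilterAttribute, IAuthorizationFilter
{
    // Assumption: local (dev-box) requests may stay on plain HTTP. Set to false in production.
    public bool AllowLocal { get; set; }

    public RequireHttpsFilter()
    {
        AllowLocal = true;
    }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        HttpRequestBase request = filterContext.HttpContext.Request;

        if (request.IsSecureConnection) return;      // already on TLS, nothing to do
        if (AllowLocal && request.IsLocal) return;   // development exception

        // A POST/PUT that arrived over HTTP has already leaked its body (form fields,
        // credentials) in cleartext, and a redirect would discard that body anyway.
        // Fail closed with 403 instead of silently redirecting.
        if (!string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
        {
            filterContext.HttpContext.Response.StatusCode = 403;
            filterContext.Result = new EmptyResult();
            return;
        }

        // Rebuild the URL with only the scheme changed. Do not lowercase or string-Replace
        // the whole URL: that would also rewrite "http" inside the path or query string.
        UriBuilder secure = new UriBuilder(request.Url);
        secure.Scheme = Uri.UriSchemeHttps;
        secure.Port = -1; // default port for https (assumption: TLS listens on 443)

        // Setting Result short-circuits the pipeline, so later filters such as Authorize
        // never evaluate the plaintext request.
        filterContext.Result = new RedirectResult(secure.Uri.AbsoluteUri);
    }
}

// Usage (assumed controller name). The HTTPS check runs first (Order = 1) so the role
// check (Order = 2) only ever sees requests that arrived over TLS.
public class AccountController : Controller
{
    [AcceptVerbs(HttpVerbs.Get), RequireHttpsFilter(Order = 1), Authorize(Roles = "Users", Order = 2)]
    public ActionResult ToServer()
    {
        return View("ToServer");
    }
}
```

Returning a RedirectResult from OnAuthorization is preferable to Response.Redirect inside AuthorizeCore: the former is a normal action result that unit tests can inspect, while the latter ends the response by throwing a ThreadAbortException and leaves the rest of the filter chain in an ambiguous state.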

Saturday, March 14, 2009 3:44:29 AM (GMT Standard Time, UTC+00:00)
Programming
Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

Copyright 2010 Adam Salvo