tags:

views:

1089

answers:

1
+2  Q: 

ASP.NET MVC Futures RequireSSL Attribute and Authorize Attribute Together

Is anyone successfully using both the Authorize and RequireSSL (from MVC futures) attributes together on a controller? I have created a controller for which I must enforce the rule that the user must be logged in and using a secure connection in order to execute. If the user is not on a secure connection, I want the app to redirect to https, thus I am using Redirect=true on the RequireSSL attribute. The code looks something like (CheckPasswordExpired is my homegrown attribute):

[Authorize]
[RequireSsl(Redirect = true)]
[CheckPasswordExpired(ActionName = "ChangePassword",
    ControllerName = "Account")]
[HandleError]
public class ActionsController : Controller
{
    ....
}

mysite.com/Actions/Index is the default route for the site and also the default page to redirect to for forms authentication.

When I browse to http://mysite.com, what I want to get is the user redirected to a secure connection, and because they are not authenticated yet, to the login page. What I get is an HTTP 400 error (Bad Request). If I navigate to http://mysite.com/Account/Login, the redirect works, but neither my Account controller nor Login action method have the [Authorize] attribute.

Anyone have any experience with using these two attributes together to achieve my objective?

Thanks!

+3  A: 

I'm using both of them with success. Do you have the attributes on your default action?

public class HomeController : BaseController
{
  [Authorize]
  [RequireSsl]
  public ActionResult Index ()
  {
  }
}

BTW I'm using a slightly modified version than the futures so that I can disable SSL globally:

[AttributeUsage (AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
public sealed class RequireSslAttribute : FilterAttribute, IAuthorizationFilter
{
 public RequireSslAttribute ()
 {
  Redirect = true;
 }

 public bool Redirect { get; set; }

 public void OnAuthorization (AuthorizationContext filterContext)
 {
  Validate.IsNotNull (filterContext, "filterContext");

  if (!Enable)
  {
   return;
  }

  if (!filterContext.HttpContext.Request.IsSecureConnection)
  {
   // request is not SSL-protected, so throw or redirect
   if (Redirect)
   {
    // form new URL
    UriBuilder builder = new UriBuilder
    {
     Scheme = "https",
     Host = filterContext.HttpContext.Request.Url.Host,
     // use the RawUrl since it works with URL Rewriting
     Path = filterContext.HttpContext.Request.RawUrl
    };
    filterContext.Result = new RedirectResult (builder.ToString ());
   }
   else
   {
    throw new HttpException ((int)HttpStatusCode.Forbidden, "Access forbidden. The requested resource requires an SSL connection.");
   }
  }
 }

 public static bool Enable { get; set; }
}
Todd Smith  2009-07-15 18:37:32
Thanks for the reply. I have the attributes attached at the controller level, not at the action level. BTW, I like your Enable enhancement.
Rich  2009-07-16 17:00:55
How do you use Enable though? say in my dev environment I don't want it to be SSL?
Blankman  2010-03-10 17:33:25
What does Validate.IsNotNull(...) do? I pasted the code, but don't have Validate (I don't want to install futures hehe)
Blankman  2010-03-10 17:40:31
Validate is borrowed from https://kigg.svn.codeplex.com/svn/v2.x/Core/Helper/CheckArgument.cs
Todd Smith  2010-03-10 18:46:31
For Enable I set it to true/false based on the web.config during application startup.
Todd Smith  2010-03-10 18:49:28

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data