JTBS
Switching between HTTP and HTTPS in ASP.NET MVC2
Apr 18, 2010 01:23 AM
I could not find any existing forums question on this topic with clear MVC based solution. So I wanted to make sure this common requirement is implemented in MVC2 standard/recommended way:
Scenario/Environment:
- I have an ASP.NET MVC2 website hosted on Windows Azure
- I installed SSL and website works with HTTPS
- Website also works with HTTP
- This is because I currently have 2 endpoints: HTTP and HTTPS and both work
Problem:
- I don't want all my website (Controller/Actions) to be accessible through HTTP or HTTPS
- I would like to decide what Controller/Actions require HTTPS vs HTTP
- Ideally I am expecting something like "[Authorize]" attribute on controller methods to take care of this.
I don't want to do custom coding, unless I am sure that there is no support around this already built into ASP.NET MVC2. I will be surprised if such common requirement is not already there in ASP.NET MVC2. But don't mind custom coding, if this support is still not there?
So I am hoping that someone from ASP.NET MVC2 team can respond to this query.
Thanks for your help
levib
AspNetTeam
Re: Switching between HTTP and HTTPS in ASP.NET MVC2
Apr 18, 2010 02:24 AM
The [RequireHttps] attribute can be used on a controller type or action method to say "this can be accessed only via SSL." Non-SSL requests to the controller or action will be redirected to the SSL version (if an HTTP GET) or rejected (if an HTTP POST). You can override the RequireHttpsAttribute and change this behavior if you wish. There's no [RequireHttp] attribute built-in that does the opposite, but you could easily make your own if you desired.
There are also overloads of Html.ActionLink() which take a protocol parameter; you can explicitly specify "http" or "https" as the protocol. Here's the MSDN documentation on one such overload. If you don't specify a protocol or if you call an overload which doesn't have a protocol parameter, it's assumed you wanted the link to have the same protocol as the current request.
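Added example, not part of the original thread and not code from the ASP.NET team: one way to write the "make your own" [RequireHttp] filter described in the reply above, following the same GET-redirect / non-GET-reject rule the reply gives for [RequireHttps]. The names RequireHttpAttribute, HandleHttpsRequest, AccountController and its actions are hypothetical.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical [RequireHttp]: the opposite of the built-in [RequireHttps].
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method,
                Inherited = true, AllowMultiple = false)]
public class RequireHttpAttribute : FilterAttribute, IAuthorizationFilter
{
    public virtual void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
            throw new ArgumentNullException("filterContext");

        // Plain-HTTP requests pass through untouched.
        if (filterContext.HttpContext.Request.IsSecureConnection)
            HandleHttpsRequest(filterContext);
    }

    protected virtual void HandleHttpsRequest(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;

        // Only GETs are redirected. A redirect would drop a POST body, and
        // resending it over plain HTTP would expose it, so non-GETs are rejected.
        if (!String.Equals(request.HttpMethod, "GET",
                           StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException(
                "This action is only available over HTTP.");

        // Assumption: HTTP is served on the default port 80, so only the
        // host name and the original path and query are carried over.
        filterContext.Result =
            new RedirectResult("http://" + request.Url.Host + request.RawUrl);
    }
}

// Hypothetical controller showing both attributes side by side.
public class AccountController : Controller
{
    [RequireHttps]  // HTTP GET is redirected to HTTPS; HTTP POST is rejected
    public ActionResult LogOn() { return View(); }

    [RequireHttp]   // HTTPS GET is redirected to HTTP; HTTPS POST is rejected
    public ActionResult About() { return View(); }
}
```

Cookies issued on the HTTPS side are sent on the HTTP requests that follow such a redirect unless they carry the Secure flag, so an authentication cookie should be marked Secure before any action downgrades users this way.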
JTBS
Re: Switching between HTTP and HTTPS in ASP.NET MVC2
Apr 18, 2010 01:08 PM
Thanks for the prompt response.
I just came across RequiredHttps right after posting my question.
Reading your response helped as you already answered my other question about, how am I going to seamlessly control this behavior instead of exception etc. :)
JTBS
Re: Switching between HTTP and HTTPS in ASP.NET MVC2
Apr 27, 2010 11:21 PM
Following are two scenarios I am not sure how to force using HTTPS:
1. Html.BeginForm helper method does not take protocol parameter
- I can write additional helper method OR use FORM directly
2. Web.config "Forms" authentication section, LoginURL
- Is there a way to specify HTTPS but still use "~" based path
Any pointers?
Thanks
levib
AspNetTeam
Re: Switching between HTTP and HTTPS in ASP.NET MVC2
Apr 27, 2010 11:51 PM
This is fine. You should almost never post from an HTTP page (that is, the <form> is sent in response to an HTTP request) to an HTTPS page. Doing so defeats the purpose of using HTTPS in the first place.
The same protocol as the original request will be used. So if your user visits https://example.com/authenticated-resource, the redirect to ~/login will also take place via the SSL-protected channel.
You could also put [RequireHttps] on your login action. This way, if the user hits ~/login via HTTP, he will be redirected to the HTTPS version of it.