81

如何对基于 ASP.NET MVC 的站点中的某些页面使用 HTTPS?

史蒂夫·桑德森(Steve Sanderson)有一个很好的教程,关于如何在 Preview 4 上以 DRY 的方式做到这一点:

http://blog.codeville.net/2008/08/05/adding-httpsssl-support-to-aspnet-mvc-routing/

Preview 5 有没有更好/更新的方法?

4

12 回答 12

92

如果您使用的是ASP.NET MVC 2 Preview 2 或更高版本,您现在可以简单地使用:

[RequireHttps]
public ActionResult Login()
{
   return View();
}

不过, order 参数值得注意,如此处所述

于 2010-03-01T21:03:31.480 回答
17

MVCFutures有一个“RequireSSL”属性。

(感谢亚当在您更新的博文中指出这一点)

只需将其应用于您的操作方法,如果您希望 http:// 请求自动变为 https:// ,请使用“Redirect=true”:

    [RequireSsl(Redirect = true)]

另请参阅:ASP.NET MVC RequireHttps 仅用于生产

于 2009-07-12T20:01:03.657 回答
9

正如Amadiere 所写,[RequireHttps] 在 MVC 2 中非常适合用于输入HTTPS。但是,如果您只想对某些页面使用 HTTPS,如您所说,MVC 2 不会给您任何帮助 - 一旦将用户切换到 HTTPS,他们就会卡在那里,直到您手动重定向它们。

我使用的方法是使用另一个自定义属性 [ExitHttpsIfNotRequired]。当附加到控制器或操作时,如果出现以下情况,它将重定向到 HTTP:

  1. 请求是 HTTPS
  2. [RequireHttps] 属性未应用于操作(或控制器)
  3. 请求是 GET(重定向 POST 会导致各种麻烦)。

在这里发布有点太大了,但是您可以在此处查看代码以及一些其他详细信息。

于 2010-03-25T05:38:38.923 回答
8

这是 Dan Wahlin 最近发表的一篇文章:

http://weblogs.asp.net/dwahlin/archive/2009/08/25/requiring-ssl-for-asp-net-mvc-controllers.aspx

他使用 ActionFilter 属性。

于 2009-08-25T20:20:32.993 回答
3

一些 ActionLink 扩展:http ://www.squaredroot.com/post/2008/06/11/MVC-and-SSL.aspx 或重定向到 https:// http ://forums.asp.net 的控制器操作属性/p/1260198/2358380.aspx#2358380

于 2008-10-01T10:10:14.510 回答
3

对于那些不喜欢面向属性的开发方法的人,这里有一段代码可能会有所帮助:

public static readonly string[] SecurePages = new[] { "login", "join" };
protected void Application_AuthorizeRequest(object sender, EventArgs e)
{
    var pageName = RequestHelper.GetPageNameOrDefault();
    if (!HttpContext.Current.Request.IsSecureConnection
        && (HttpContext.Current.Request.IsAuthenticated || SecurePages.Contains(pageName)))
    {
        Response.Redirect("https://" + Request.ServerVariables["HTTP_HOST"] + HttpContext.Current.Request.RawUrl);
    }
    if (HttpContext.Current.Request.IsSecureConnection
        && !HttpContext.Current.Request.IsAuthenticated
        && !SecurePages.Contains(pageName))
    {
        Response.Redirect("http://" + Request.ServerVariables["HTTP_HOST"] + HttpContext.Current.Request.RawUrl);
    }
}

避免属性有几个原因,其中之一是如果您想查看所有安全页面的列表,您将不得不跳过解决方案中的所有控制器。

于 2012-07-19T23:24:30.893 回答
2

我遇到了这个问题,希望我的解决方案可以帮助某人。

我们遇到了一些问题: - 我们需要保护特定操作,例如“帐户”中的“登录”。我们可以使用 RequireHttps 属性中的构建,这很棒 - 但它会使用 https:// 将我们重定向回来。- 我们应该让我们的链接、表格和此类“SSL 感知”。

通常,我的解决方案除了能够指定协议外,还允许指定将使用绝对 url 的路由。您可以使用此方法来指定“https”协议。

所以,首先我创建了一个 ConnectionProtocol 枚举:

/// <summary>
/// Enum representing the available secure connection requirements
/// </summary>
public enum ConnectionProtocol
{
    /// <summary>
    /// No secure connection requirement
    /// </summary>
    Ignore,

    /// <summary>
    /// No secure connection should be used, use standard http request.
    /// </summary>
    Http,

    /// <summary>
    /// The connection should be secured using SSL (https protocol).
    /// </summary>
    Https
}

现在,我创建了 RequireSsl 的手卷版本。我修改了原始的 RequireSsl 源代码以允许重定向回 http:// url。此外,我还放置了一个字段,允许我们确定是否需要 SSL(我将它与 DEBUG 预处理器一起使用)。

/* Note:
 * This is hand-rolled version of the original System.Web.Mvc.RequireHttpsAttribute.
 * This version contains three improvements:
 * - Allows to redirect back into http:// addresses, based on the <see cref="SecureConnectionRequirement" /> Requirement property.
 * - Allows to turn the protocol scheme redirection off based on given condition.
 * - Using Request.IsCurrentConnectionSecured() extension method, which contains fix for load-balanced servers.
 */
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
public sealed class RequireHttpsAttribute : FilterAttribute, IAuthorizationFilter
{
    public RequireHttpsAttribute()
    {
        Protocol = ConnectionProtocol.Ignore;
    }

    /// <summary>
    /// Gets or sets the secure connection required protocol scheme level
    /// </summary>
    public ConnectionProtocol Protocol { get; set; }

    /// <summary>
    /// Gets the value that indicates if secure connections are been allowed
    /// </summary>
    public bool SecureConnectionsAllowed
    {
        get
        {
#if DEBUG
            return false;
#else
            return true;
#endif
        }
    }

    public void OnAuthorization(System.Web.Mvc.AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        /* Are we allowed to use secure connections? */
        if (!SecureConnectionsAllowed)
            return;

        switch (Protocol)
        {
            case ConnectionProtocol.Https:
                if (!filterContext.HttpContext.Request.IsCurrentConnectionSecured())
                {
                    HandleNonHttpsRequest(filterContext);
                }
                break;
            case ConnectionProtocol.Http:
                if (filterContext.HttpContext.Request.IsCurrentConnectionSecured())
                {
                    HandleNonHttpRequest(filterContext);
                }
                break;
        }
    }


    private void HandleNonHttpsRequest(AuthorizationContext filterContext)
    {
        // only redirect for GET requests, otherwise the browser might not propagate the verb and request
        // body correctly.

        if (!String.Equals(filterContext.HttpContext.Request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException("The requested resource can only be accessed via SSL.");
        }

        // redirect to HTTPS version of page
        string url = "https://" + filterContext.HttpContext.Request.Url.Host + filterContext.HttpContext.Request.RawUrl;
        filterContext.Result = new RedirectResult(url);
    }

    private void HandleNonHttpRequest(AuthorizationContext filterContext)
    {
        if (!String.Equals(filterContext.HttpContext.Request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException("The requested resource can only be accessed without SSL.");
        }

        // redirect to HTTP version of page
        string url = "http://" + filterContext.HttpContext.Request.Url.Host + filterContext.HttpContext.Request.RawUrl;
        filterContext.Result = new RedirectResult(url);
    }
}

现在,这个 RequireSsl 将根据您的需求属性值执行以下操作: - 忽略:什么都不做。- Http:将强制重定向到 http 协议。- Https:将强制重定向到 https 协议。

您应该创建自己的基本控制器并将此属性设置为 Http。

[RequireSsl(Requirement = ConnectionProtocol.Http)]
public class MyController : Controller
{
    public MyController() { }
}

现在,在每个需要 SSL 的 cpntroller/action 中 - 只需使用 ConnectionProtocol.Https 设置此属性。

现在让我们转到 URL:我们在使用 url 路由引擎时遇到了一些问题。您可以在http://blog.stevensanderson.com/2008/08/05/adding-httpsssl-support-to-aspnet-mvc-routing/阅读有关它们的更多信息。这篇文章中建议的解决方案在理论上很好,但是很旧,我不喜欢这种方法。

我的解决方案如下:创建基本“Route”类的子类:

公共类AbsoluteUrlRoute:路线{#region ctor

    /// <summary>
    /// Initializes a new instance of the System.Web.Routing.Route class, by using
    ///     the specified URL pattern and handler class.
    /// </summary>
    /// <param name="url">The URL pattern for the route.</param>
    /// <param name="routeHandler">The object that processes requests for the route.</param>
    public AbsoluteUrlRoute(string url, IRouteHandler routeHandler)
        : base(url, routeHandler)
    {

    }

    /// <summary>
    /// Initializes a new instance of the System.Web.Routing.Route class, by using
    ///     the specified URL pattern and handler class.
    /// </summary>
    /// <param name="url">The URL pattern for the route.</param>
    /// <param name="defaults">The values to use for any parameters that are missing in the URL.</param>
    /// <param name="routeHandler">The object that processes requests for the route.</param>
    public AbsoluteUrlRoute(string url, RouteValueDictionary defaults, IRouteHandler routeHandler)
        : base(url, defaults, routeHandler)
    {

    }

    /// <summary>
    /// Initializes a new instance of the System.Web.Routing.Route class, by using
    ///     the specified URL pattern and handler class.
    /// </summary>
    /// <param name="url">The URL pattern for the route.</param>
    /// <param name="defaults">The values to use for any parameters that are missing in the URL.</param>
    /// <param name="constraints">A regular expression that specifies valid values for a URL parameter.</param>
    /// <param name="routeHandler">The object that processes requests for the route.</param>
    public AbsoluteUrlRoute(string url, RouteValueDictionary defaults, RouteValueDictionary constraints,
                            IRouteHandler routeHandler)
        : base(url, defaults, constraints, routeHandler)
    {

    }

    /// <summary>
    /// Initializes a new instance of the System.Web.Routing.Route class, by using
    ///     the specified URL pattern and handler class.
    /// </summary>
    /// <param name="url">The URL pattern for the route.</param>
    /// <param name="defaults">The values to use for any parameters that are missing in the URL.</param>
    /// <param name="constraints">A regular expression that specifies valid values for a URL parameter.</param>
    /// <param name="dataTokens">Custom values that are passed to the route handler, but which are not used
    ///     to determine whether the route matches a specific URL pattern. These values
    ///     are passed to the route handler, where they can be used for processing the
    ///     request.</param>
    /// <param name="routeHandler">The object that processes requests for the route.</param>
    public AbsoluteUrlRoute(string url, RouteValueDictionary defaults, RouteValueDictionary constraints,
                            RouteValueDictionary dataTokens, IRouteHandler routeHandler)
        : base(url, defaults, constraints, dataTokens, routeHandler)
    {

    }

    #endregion

    public override VirtualPathData GetVirtualPath(RequestContext requestContext, RouteValueDictionary values)
    {
        var virtualPath = base.GetVirtualPath(requestContext, values);
        if (virtualPath != null)
        {
            var scheme = "http";
            if (this.DataTokens != null && (string)this.DataTokens["scheme"] != string.Empty)
            {
                scheme = (string) this.DataTokens["scheme"];
            }

            virtualPath.VirtualPath = MakeAbsoluteUrl(requestContext, virtualPath.VirtualPath, scheme);
            return virtualPath;
        }

        return null;
    }

    #region Helpers

    /// <summary>
    /// Creates an absolute url
    /// </summary>
    /// <param name="requestContext">The request context</param>
    /// <param name="virtualPath">The initial virtual relative path</param>
    /// <param name="scheme">The protocol scheme</param>
    /// <returns>The absolute URL</returns>
    private string MakeAbsoluteUrl(RequestContext requestContext, string virtualPath, string scheme)
    {
        return string.Format("{0}://{1}{2}{3}{4}",
                             scheme,
                             requestContext.HttpContext.Request.Url.Host,
                             requestContext.HttpContext.Request.ApplicationPath,
                             requestContext.HttpContext.Request.ApplicationPath.EndsWith("/") ? "" : "/",
                             virtualPath);
    }

    #endregion
}

此版本的“Route”类将创建绝对 url。这里的技巧,以及博客文章作者的建议,是使用 DataToken 来指定方案(最后的例子:))。

现在,如果我们要生成一个 url,例如对于路由“Account/LogOn”,我们将得到“ /http://example.com/Account/LogOn”——这是因为 UrlRoutingModule 将所有 url 视为相对的。我们可以使用自定义 HttpModule 来解决这个问题:

public class AbsoluteUrlRoutingModule : UrlRoutingModule
{
    protected override void Init(System.Web.HttpApplication application)
    {
        application.PostMapRequestHandler += application_PostMapRequestHandler;
        base.Init(application);
    }

    protected void application_PostMapRequestHandler(object sender, EventArgs e)
    {
        var wrapper = new AbsoluteUrlAwareHttpContextWrapper(((HttpApplication)sender).Context);
    }

    public override void PostResolveRequestCache(HttpContextBase context)
    {
        base.PostResolveRequestCache(new AbsoluteUrlAwareHttpContextWrapper(HttpContext.Current));
    }

    private class AbsoluteUrlAwareHttpContextWrapper : HttpContextWrapper
    {
        private readonly HttpContext _context;
        private HttpResponseBase _response = null;

        public AbsoluteUrlAwareHttpContextWrapper(HttpContext context)
            : base(context)
        {
            this._context = context;
        }

        public override HttpResponseBase Response
        {
            get
            {
                return _response ??
                       (_response =
                        new AbsoluteUrlAwareHttpResponseWrapper(_context.Response));
            }
        }


        private class AbsoluteUrlAwareHttpResponseWrapper : HttpResponseWrapper
        {
            public AbsoluteUrlAwareHttpResponseWrapper(HttpResponse response)
                : base(response)
            {

            }

            public override string ApplyAppPathModifier(string virtualPath)
            {
                int length = virtualPath.Length;
                if (length > 7 && virtualPath.Substring(0, 7) == "/http:/")
                    return virtualPath.Substring(1);
                else if (length > 8 && virtualPath.Substring(0, 8) == "/https:/")
                    return virtualPath.Substring(1);

                return base.ApplyAppPathModifier(virtualPath);
            }
        }
    }
}

由于这个模块覆盖了 UrlRoutingModule 的基本实现,我们应该删除基本的 httpModule 并在 web.config 中注册我们的。因此,在“system.web”设置下:

<httpModules>
  <!-- Removing the default UrlRoutingModule and inserting our own absolute url routing module -->
  <remove name="UrlRoutingModule-4.0" />
  <add name="UrlRoutingModule-4.0" type="MyApp.Web.Mvc.Routing.AbsoluteUrlRoutingModule" />
</httpModules>

就是这样 :)。

为了注册一个绝对/协议遵循的路线,你应该这样做:

        routes.Add(new AbsoluteUrlRoute("Account/LogOn", new MvcRouteHandler())
            {
                Defaults = new RouteValueDictionary(new {controller = "Account", action = "LogOn", area = ""}),
                DataTokens = new RouteValueDictionary(new {scheme = "https"})
            });

很想听听您的反馈+改进。希望它可以帮助!:)

编辑:我忘记包含 IsCurrentConnectionSecured() 扩展方法(片段太多:P)。这是一种扩展方法,一般使用 Request.IsSecuredConnection。但是,在使用负载平衡时,此方法将不起作用-因此此方法可以绕过此方法(取自 nopCommerce)。

    /// <summary>
    /// Gets a value indicating whether current connection is secured
    /// </summary>
    /// <param name="request">The base request context</param>
    /// <returns>true - secured, false - not secured</returns>
    /// <remarks><![CDATA[ This method checks whether or not the connection is secured.
    /// There's a standard Request.IsSecureConnection attribute, but it won't be loaded correctly in case of load-balancer.
    /// See: <a href="http://nopcommerce.codeplex.com/SourceControl/changeset/view/16de4a113aa9#src/Libraries/Nop.Core/WebHelper.cs">nopCommerce WebHelper IsCurrentConnectionSecured()</a>]]></remarks>
    public static bool IsCurrentConnectionSecured(this HttpRequestBase request)
    {
        return request != null && request.IsSecureConnection;

        //  when your hosting uses a load balancer on their server then the Request.IsSecureConnection is never got set to true, use the statement below
        //  just uncomment it
        //return request != null && request.ServerVariables["HTTP_CLUSTER_HTTPS"] == "on";
    }
于 2013-04-25T22:10:00.797 回答
1

这是Pablo M. Cibrano于 2009 年 1 月发表的一篇博文,其中收集了一些技术,包括 HttpModule 和扩展方法。

于 2009-04-21T07:52:36.687 回答
1

这是Adam Salvo 的一篇博客文章,它使用了 ActionFilter。

于 2009-04-21T07:58:56.640 回答
1

这不一定是 MVC 特定的,但此解决方案确实适用于 ASP.NET WebForms 和 MVC:

http://www.codeproject.com/KB/web-security/WebPageSecurity_v2.aspx

我已经使用了几年,并且喜欢通过 web.config 文件分离关注点和管理。

于 2010-06-08T13:41:10.253 回答
0

MVC 6 (ASP.NET Core 1.0) 与 Startup.cs 的工作方式略有不同。

要在所有页面上使用 RequireHttpsAttribute (如 Amadiere 的回答中所述),您可以在 Startup.cs 中添加它,而不是在每个控制器上使用属性样式(或者而不是为所有控制器创建一个 BaseController 来继承)。

Startup.cs - 注册过滤器:

public void ConfigureServices(IServiceCollection services)
{
    // TODO: Register other services

    services.AddMvc(options =>
    {
        options.Filters.Add(typeof(RequireHttpsAttribute));
    });
}

有关上述方法的设计决策的更多信息,请参阅我对有关如何排除 localhost 请求不被 RequireHttpsAttribute 处理的类似问题的回答。

于 2016-07-07T12:44:18.840 回答
0

或者将过滤器添加到Global.asax.cs

GlobalFilters.Filters.Add(new RequireHttpsAttribute());

RequireHttpsAttribute 类

using System.Web.Mvc;
using System.Web.Optimization;
using System.Web.Routing;

namespace xxxxxxxx
{
    public class MvcApplication : System.Web.HttpApplication
    {
        protected void Application_Start()
        {
            AreaRegistration.RegisterAllAreas();
            FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
            GlobalFilters.Filters.Add(new RequireHttpsAttribute());
            RouteConfig.RegisterRoutes(RouteTable.Routes);
            BundleConfig.RegisterBundles(BundleTable.Bundles);
        }
    }
}
于 2020-03-02T18:26:55.097 回答