ASP.NET MVC 2,并要求客户证书(智能卡验证) [英] ASP.NET MVC 2 and request client certificate (Smart Card authentication)
问题描述
我需要从他们的卡捕获用户的X.509证书,并映射到用户表中的ASP.NET MVC窗体身份验证。我已经创建了一个MVC(第二版)在VS 2008中的项目,配置为在Vista上本地IIS使用默认模板中的默认网站的虚拟目录下运行,但添加RequireHttpsAttribute到Account / LogOn支持的ActionResult。没有其他变化。使用本地IIS管理器,我创建了一个自签名的证书和应用它,然后将账户/ Logon.aspx页面要求SSL,并要求客户端证书。
I need to capture user's X.509 certificates from their cards and map to a user table for forms authentication in ASP.NET MVC. I have created an MVC (ver 2) project in VS 2008, configured to run as a virtual directory under the Default Web Site in the local IIS on Vista using the default template but added RequireHttpsAttribute to the Account/LogOn ActionResult. No other changes. Using the local IIS Manager, I created a self-signed cert and applied it, then set the Account/Logon.aspx page to Require SSL and Require client certificates.
在运行调试,当我点击从欢迎页面(首页/索引视图)的登录链接,它正确路由使用https,但没有提示证书帐户/ Logon.aspx。使用的dynaTrace(真棒, http://ajax.dynatrace.com ),我可以看到,响应状态越来越设置为403但同样,没有证书的提示。
Running in debug, when I click the 'Log On' link from the Welcome page (Home/Index view), it correctly routes to Account/Logon.aspx using https but no prompt for certificate. Using Dynatrace (awesome, http://ajax.dynatrace.com), I can see that the response status is getting set to 403 but again, no cert prompt.
作为一个全面的检查,我设置了一个默认的asp.net web应用项目,在默认的Web站点(同上MVC项目)在Vista中的一个虚拟目录中运行,并配置了Default.aspx页面要求SSL和需要客户端证书,如MVC项目完成以上。然它,做工精细,我拿到证书提示,可以选择证书,并输入PIN码卡读取request.clientcertificate对象我X.509在code的后面。
As a sanity check, I set up a default asp.net web app project to run in a virtual directory in the default Web Site (same as MVC project above) in Vista and configured the default.aspx page to Require SSL and Require client certificates, as done in the MVC project above. Ran it, works fine, I get the certificate prompt and can choose cert and enter PIN for card and read my X.509 from request.clientcertificate object in the code behind.
这两个虚拟目录应用程序池在综合管道模式设置为经典的.NET程序池。
The application pool for both virtual directories is set to Classic .NET AppPool in integrated pipeline mode.
帮助?!
更新:
超级缺憾解决办法正在进行中。我添加了一个文件夹'验证'和'GetCert.aspx文件,它被标记SSL /要求客户端证书的MVC项目,然后补充说:routes.IgnoreRoute(认证/ {*} PATHINFO)向全球的.asax。该GetCert.aspx的codebehind response.writes我从X.509想要的数据。然后我说在一个LogOn.aspx电话jquery.get它调用GetCert.aspx并返回证书主题结果作为一个字符串在LogOn.aspx一个div。我现在拿到证书的提示,让我的MVC视图的结果,但是这不能做到这一点的方式!
Update: Super kludgy workaround in progress. I added a folder 'Auth' and an 'GetCert.aspx' file to it that is marked SSL/Require client certificates to the MVC project and then added "routes.IgnoreRoute("Auth/{*pathInfo}")" to the global.asax. The codebehind of the GetCert.aspx response.writes the data I want from the X.509. Then I added a jquery.get call in LogOn.aspx which calls GetCert.aspx and returns the cert Subject results as a string to a div in LogOn.aspx. I now get the cert prompt and get the results in my MVC view, but this can't be the way to do this!
推荐答案
我在使用窗体身份验证,并在我的基础类的授权属性,这样所有非认证的请求去帐户/登录时可行的解决方案。登录页面后按钮路线称为授权的行动与RequireHttps属性,该属性触发正确的客户端证书的提示这是装饰。一旦证书被选中的授权操作处理解析HttpClientCertificate的用户信息我想和我的用户表做一个匹配查找和写入验证cookie。然后,我有一个HttpModule读取cookie来创建在的AuthenticateRequest事件自定义主体。这一切的伟大工程。我打开另一个问题,下一期关于忽略客户证书这里IIS配置:的 IIS 6 + SSL客户端证书配置
I have a working solution using forms authentication and the authorize attribute on my base controller class so all non-authenticated requests go to Account/LogOn. The logOn page post button routes to an action called Authorize which is decorated with the RequireHttps attribute which correctly triggers the prompt for the client cert. Once the cert is selected the Authorize action handles parsing the HttpClientCertificate for the user info I want and doing a match lookup in my users table and writes an authentication cookie. I then have an HttpModule that reads the cookie to create a custom Principal in the AuthenticateRequest event. This all works great. I'm opening another question for the next issue regarding IIS configuration of 'ignore client certificates' here: IIS 6+ SSL Client Certificates Configuration
这篇关于ASP.NET MVC 2,并要求客户证书(智能卡验证)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
