Disable SSL client certificates on *some* WebAPI controllers?
Edit for future readers : Unfortunately, the bounty awarded answer doesn't work;there's nothing I can do about it right now. But please read my own answer below (by testing) - confirmed to work with minimal code changes
We have an Azure cloud service (WebRole) entirely in ASP.NET WebAPI 2.2 (no MVC, front end is Angular). Some of our controllers/REST endpoints communicate with 3rd party cloud services over SSL (client certificate authentication/mutual authentication), the rest of the controllers/endpoints also communicate over SSL with the HTML5/AngularJS frontend (but more traditional servers Authentication) SSL). We don't have any non-SSL endpoints. We have enabled client-side SSL via the following cloud service launch tasks:
IF NOT DEFINED APPCMD SET APPCMD=%SystemRoot%\system32\inetsrv\AppCmd.exe
%APPCMD% unlock config /section:system.webServer/security/access
Problem: The setting is site-wide, so even if the user hits the homepage (eg https://domain.com , which returns angularJS's index.html), their browser will ask them for a client-side SSL certificate. (The following figure)
if there is a way
- Restrict client-side SSL certificate requests to only WebAPI controllers that communicate with 3rd party cloud services?
or
- Skip client side SSL authentication for a frontend that supports webapi controllers?
Our server's web.config is complex, but the relevant snippet is as follows:
<system.webServer>
<security>
<access sslFlags="SslNegotiateCert" />
</security>
</system.webServer>
Screenshot of the client side hitting the regular WebAPI endpoint but still trying to do client side SSL authentication (happening in any browser, Chrome, Firefox or IE)
Unfortunately, the answer of cleftheris, who was awarded the bounty, didn't work. It tries to work too late in the HTTP server pipeline/processing to get the client certificate, but this post gave me some ideas.
The solution is based on web.configthis requirement for special handling of "directories" (also for virtual folders or WebAPI routes).
Here is the required logic:
https://www.server.com/acmeapi/ ** => SSL with client certificate
https://www.server.com/ ** => SSL
This is the corresponding configuration
<configuration>
...
<system.webServer>
<!-- This is for the rest of the site -->
<security>
<access sslFlags="Ssl" />
</security>
</system.webServer>
<!--This is for the 3rd party API endpoint-->
<location path="acmeapi">
<system.webServer>
<security>
<access sslFlags="SslNegotiateCert"/>
</security>
</system.webServer>
</location>
...
</configuration>
bonus points
The above will set the SSL handshake accordingly. Now, you still need to check the client SSL certificate in your code (if it's what you expect). Do this as follows
Controller code:
[RoutePrefix("acmeapi")]
[SslClientCertActionFilter] // <== key part!
public class AcmeProviderController : ApiController
{
[HttpGet]
[Route("{userId}")]
public async Task<OutputDto> GetInfo(Guid userId)
{
// do work ...
}
}
Below are the actual properties that perform SSL client authentication. Can be used to decorate an entire controller or just a specific method.
public class SslClientCertActionFilterAttribute : ActionFilterAttribute
{
public List<string> AllowedThumbprints = new List<string>()
{
// Replace with the thumbprints the 3rd party
// server will be presenting. You can make checks
// more elaborate but always have thumbprint checking ...
"0011223344556677889900112233445566778899",
"1122334455667788990011223344556677889900"
};
public override void OnActionExecuting(HttpActionContext actionContext)
{
var request = actionContext.Request;
if (!AuthorizeRequest(request))
{
throw new HttpResponseException(HttpStatusCode.Forbidden);
}
}
private bool AuthorizeRequest(HttpRequestMessage request)
{
if (request==null)
throw new ArgumentNullException("request");
var clientCertificate = request.GetClientCertificate();
if (clientCertificate == null || AllowedThumbprints == null || AllowedThumbprints.Count < 1)
{
return false;
}
foreach (var thumbprint in AllowedThumbprints)
{
if (clientCertificate.Thumbprint != null && clientCertificate.Thumbprint.Equals(thumbprint, StringComparison.InvariantCultureIgnoreCase))
{
return true;
}
}
return false;
}
}