How would an HttpModule for Custom Authentication interact with Windows Authentication?


You want the AuthenticateRequest event.

AuthenticateRequest event

Author by

vwfreak


Updated on June 04, 2022
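
The answer's suggestion as an added example (not code from the original thread): a module that checks the Windows identity in AuthenticateRequest, before the page handler runs, instead of in EndRequest. The class name and the `AllowedUsers` appSettings key are hypothetical, and the example assumes Windows Authentication is enabled and anonymous access is disabled in IIS.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Web;

// Added example. "AllowedUsers" is a hypothetical appSettings key holding a
// comma-separated list such as "CORP\jsmith,CORP\adoe" (constructed values).
public class WindowsAllowListModule : IHttpModule
{
    private HashSet<string> _allowed;

    public void Init(HttpApplication app)
    {
        string raw = ConfigurationManager.AppSettings["AllowedUsers"] ?? "";
        _allowed = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (string name in raw.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries))
            _allowed.Add(name.Trim());

        // BeginRequest fires before any authentication module has run, so
        // HttpContext.User is not populated there. AuthenticateRequest is the
        // first event where the Windows identity can be present.
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    private void OnAuthenticateRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        var user = app.Context.User;

        // Deny by default: no principal, anonymous, or not on the list.
        // Exact, case-insensitive match on DOMAIN\user; a substring test
        // such as Contains("jsmith") would also match "CORP\jsmithson".
        bool ok = user != null
                  && user.Identity.IsAuthenticated
                  && _allowed.Contains(user.Identity.Name);
        if (ok) return;

        app.Context.Response.StatusCode = 403;
        // CompleteRequest skips the remaining pipeline stages (handler
        // execution included) and jumps to EndRequest, without the
        // ThreadAbortException that Response.End() raises.
        app.CompleteRequest();
    }

    public void Dispose() { }
}
```

If the module is registered ahead of the Windows authentication module, `User` is still null in this handler and every request is refused, so a misordering fails closed rather than open.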

Comments

  • vwfreak
    vwfreak almost 2 years

    I am trying to create a custom HttpModule which controls which users can view a site.

    I am trying to leverage Windows Authentication to do this.

    On an individual page, I would probably do something like this:

    if (HttpContext.Current.User.Identity.Name.Contains("jsmith"))
    {
        Response.Write("You do not have the correct permissions to view this site.");
        Response.End();
    }
    

    But because I want to make this more configurable at the application level, I would like to use an HttpModule.

    Here is the start that I have made on the code:

    using System;
    using System.Web;
    
    public class CustomAuthHttpModule : IHttpModule
    {
        public void Dispose() { }
    
        public void Init(HttpApplication context)
        {
            context.BeginRequest += new EventHandler(OnBeginRequest);
            context.EndRequest += new EventHandler(OnEndRequest);
        }
    
        void OnBeginRequest(object sender, EventArgs e) { }
    
        void OnEndRequest(object sender, EventArgs e)
        {
            HttpApplication appObject = (HttpApplication)sender;
            HttpContext contextObject = appObject.Context;
    
            if (contextObject.User.Identity.Name.Contains("jsmith"))
            {
                contextObject.Response.Clear();
                contextObject.Response.End();
            }
        }
    }
    

    I would be fine with using the code I have, if I could put it in the OnBeginRequest() function. But the User property is not created in the HttpContext object until OnEndRequest() runs.

    Running the code earlier would prevent the application from doing the extra work of producing this output, since some users are just going to be blocked from access in the end.

    Can someone suggest a solution to this - is this happening because my module is running before the Windows Auth module, or what?

    ... or, maybe there is an easier way to do what I am trying to do with IIS or file system permissions?

    • CodingGorilla
      CodingGorilla over 13 years
      Is there a reason you don't just let IIS do this for you? Or use the <authorization> features in your web.config?
    • vwfreak
      vwfreak over 13 years
      Can you explain what you mean? I'll look up the <authorization> features to see what you're talking about there. How would IIS "do this for me"?
    • vwfreak
      vwfreak over 13 years
      <authorization>! Awesome. I'd mark this as the answer if it had been one and not a comment. Thanks!
  • vwfreak
    vwfreak over 13 years
    I want to use the user's Windows identity rather than having them log in explicitly.
  • vwfreak
    vwfreak over 13 years
    I understand that you can use the global.asax file. Maybe that is a better solution, but I was trying to understand how HttpModules work. When would you use an HttpModule?
  • vwfreak
    vwfreak over 13 years
    I get what you're saying about username. That makes sense.
  • Christian
    Christian over 13 years
    Not for login, but maybe for access rights. I misunderstood you on this point. Or for logging. HttpModules are more like filters.