Search code examples

HttpModule isn't processing request authentication

I have an HttpHandler that I'm trying to use to put a little security layer over a certain directory in my site, but it's behaving strangely.

I've got it registered like this in my Web.Config: no longer valid since I'm in IIS 7.5

  <add verb="*" path="/courses/*" type="CoursesAuthenticationHandler" />

I can't tell if it's actually being called or not, because regardless of the code, it always seems to do nothing. On the flip side, if there are any errors in the code, it does show me an error page until I've corrected the error.

Here's the handler itself:

using System;
using System.Web;

public class CoursesAuthenticationHandler : IHttpHandler
    public bool IsReusable
        get { return true; }

    public void ProcessRequest(HttpContext context)
        if (!context.Request.IsAuthenticated)

So... that's pretty much it. The handler is being registered and analyzed at compile time, but doesn't actually do what it's expected to.

Edit: I realized that I'm using IIS 7.5 and that does indeed have an impact on this implementation.

For IIS 7, here's the Web.Config registration I used:

<handlers accessPolicy="Read, Execute, Script"> 
  <add name="CoursesAuthenticationHandler" 
    resourceType="Unspecified" />

Edit 2: Progress! When not logged in, requests made to the /courses/ directory are redirected to the login page. However, authenticated requests to the /courses/ directory return empty pages...

Edit 3: Per @PatrickHofman's suggestion, I've switched to using an HttpModule.

The Web.Config registration:

    <add name="CourseAuthenticationModule" type="CourseAuthenticationModule" />

The code:

using System;
using System.Web;

public class CourseAuthenticationModule : IHttpModule
    public void Dispose() { }

    public void Init(HttpApplication context)
        context.BeginRequest += new EventHandler(BeginRequest);

    public void BeginRequest(Object source, EventArgs e)
        HttpApplication app = (HttpApplication)source;
        HttpContext context = app.Context;
        HttpRequest request = context.Request;
        HttpResponse response = context.Response;

        if (request.Path.ToLower().StartsWith("/courses/") && !request.IsAuthenticated)

Now the problem is that !request.IsAuthenticated is always false. If I'm logged in, and navigate to the /courses/ directory, I'm redirected to the homepage.

What's the deal?


  • I think the last problem lies in the fact that a HttpHander handles stuff. It is the end point of a request.

    Since you didn't add anything to the request, the response will end up empty.

    Are you looking for HttpModules? They can be stacked.

    As a possible solution when only files are necessary: read the files yourself in the request by either reading and writing to response or use TransmitFile. For ASP.NET pages you need modules.