I have an application that is written in ASP.NET and I have some legacy classic ASP pages integrated into the site. The site uses Windows authentication. Because I cannot manage .asp pages with roles, I've written a custom HttpModule to check if a user has permissions to view those pages; otherwise it redirects to an "access denied" page. The main issue is that the application needs to run in "classic mode" on IIS7. My module works in integrated mode, but not in classic mode. Is there any reason this code shouldn't work in classic mode as well? Thanks in advance.
Here is the code for the module, it's pretty simple:
    using System;
    using System.Web;

    public class MyModule : IHttpModule
    {
        public void Init(HttpApplication application)
        {
            // Run the check once the request's identity has been established
            application.PostAuthenticateRequest += new EventHandler(Application_PostAuthenticateRequest);
        }

        void Application_PostAuthenticateRequest(object source, EventArgs e)
        {
            HttpApplication app = (HttpApplication)source;
            HttpContext context = app.Context;
            if (context.Request.RawUrl.Contains("/protected-subfolder/"))
            {
                // gets user from windows authentication
                string currentUser = Convert.ToString(context.User.Identity.Name);
                // isAdmin is the poster's own helper; its body is not shown in the post
                if (!isAdmin(currentUser))
                {
                    // deny access
                    context.Response.Redirect(VirtualPathUtility.ToAbsolute("~/AccessDenied.aspx"));
                }
            }
        }

        public void Dispose() { }
    }
Here is the setting in web.config for classic mode (not working):
    <configuration>
      <system.web>
        <httpModules>
          <add name="MyModule" type="MyModule" />
        </httpModules>
      </system.web>
    </configuration>
And the setting for integrated mode (working):
    <configuration>
      <system.webServer>
        <modules>
          <add name="MyModule" type="MyModule"/>
        </modules>
        <validation validateIntegratedModeConfiguration="false" />
      </system.webServer>
    </configuration>
In integrated mode, IIS app pools allow any request URL to come in to the ASP.NET ISAPI; however, in classic mode, you would need a third-party ISAPI or the request will be sent directly to the page.
In integrated, the module gets checked FIRST before the actual request content.
So:
Integrated Mode: http://www.yoursite.com/myfile.html first goes through your http modules and routes configured in http modules and global.asax (your Request.Url should have the URL above)
Classic Mode: http://www.yoursite.com/myfile.html checks to see if there is actually a file called myfile.html, and if not, then it goes to a 404 page. UNLESS, again, you have a custom URLRewrite module.
Hope this helps ya.
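
The path test from the module in the question, as an added example (not the poster's code): it matches the app-relative path case-insensitively instead of using the case-sensitive `RawUrl.Contains`, which also scans the query string. `ProtectedFolderModule`, `IsProtectedPath` and the `EXAMPLE\SiteAdmins` group are assumed names; as the answer explains, in classic mode the module still only sees requests that reach ASP.NET.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added example. Module name and admin group are hypothetical.
public class ProtectedFolderModule : IHttpModule
{
    // Folder name from the question, in app-relative form.
    private const string ProtectedPrefix = "~/protected-subfolder/";
    // Assumed Windows group; replace with the group that may view the pages.
    private const string AdminRole = @"EXAMPLE\SiteAdmins";

    public void Init(HttpApplication application)
    {
        application.AuthorizeRequest += OnAuthorizeRequest;
    }

    // Pure path test, kept separate so it can be unit tested.
    public static bool IsProtectedPath(string appRelativePath)
    {
        // IIS serves /Protected-Subfolder/ and /protected-subfolder/ alike,
        // so the comparison has to ignore case as well.
        return appRelativePath != null &&
               appRelativePath.StartsWith(ProtectedPrefix, StringComparison.OrdinalIgnoreCase);
    }

    private static void OnAuthorizeRequest(object source, EventArgs e)
    {
        HttpContext context = ((HttpApplication)source).Context;
        // Virtual path of the requested file, without the query string.
        string path = context.Request.AppRelativeCurrentExecutionFilePath;
        if (!IsProtectedPath(path))
            return;

        IPrincipal user = context.User;
        bool allowed = user != null && user.Identity.IsAuthenticated && user.IsInRole(AdminRole);
        if (!allowed)
        {
            // Redirect without aborting the thread, then skip the rest of the pipeline.
            context.Response.Redirect(VirtualPathUtility.ToAbsolute("~/AccessDenied.aspx"), false);
            context.ApplicationInstance.CompleteRequest();
        }
    }

    public void Dispose() { }
}
```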