The ASP.NET Framework was designed to be modular. For example, if you don't like the way that Microsoft implemented Session state, caching or authentication, then you can simply replace any of Microsoft's modules with one of your own. This article discusses how you can build your own HTTP modules by walking you through the process of creating an XML authentication and authorization module.
Understanding HTTP Modules
An HTTP module is a class that contains code that executes whenever someone makes a request for a page in your ASP.NET application. Because a module executes each and every time someone makes a request for a page, modules are perfect for implementing functionality such as caching, authentication, and state management.
In the old, ugly, messy days before ASP.NET, the only way to implement the functionality of a module was to create something called an ISAPI filter. Creating an ISAPI filter required significant work. Fortunately, creating an HTTP module requires very little work because you can take advantage of the same programming skills used when building normal ASP.NET pages.
The ASP.NET Framework, by default, makes use of the following modules:
OutputCache moduleUsed for implementing page output caching
Session moduleUsed for implementing Session state
WindowsAuthentication moduleUsed for implementing Windows authentication
FormsAuthentication moduleUsed for implementing Forms authentication
PassportAuthentication moduleUsed for implementing Microsoft Passport authentication
The UrlAuthorization moduleUsed for implementing URL authorization
The FileAuthorization moduleUsed for implementing file authorization by using Windows file system ACLs
All of these modules are called whenever you make a request for a page in an ASP.NET application. For example, the Session module handles the details of storing and retrieving items from Session state between page requests.
These standard modules are listed in the Machine.Config file located in the following folder:
You can find the modules listed in the <httpModules> section of the Machine.Config file. For example, the Machine.Config section on my server looks like this:
<httpModules> <add name="OutputCache" type="System.Web.Caching.OutputCacheModule"/> <add name="Session" type="System.Web.SessionState.SessionStateModule"/> <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule"/> <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule"/> <add name="PassportAuthentication" type="System.Web.Security.PassportAuthenticationModule"/> <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule"/> <add name="FileAuthorization" type="System.Web.Security.FileAuthorizationModule"/> </httpModules>
You'll notice that the name and the class responsible for implementing each module are listed. For example, the Session Module is implemented by the System.Web.SessionState.SessionStateModule class.
If you want to modify the way that Session state is implemented in the ASP.NET Framework, you can replace the Session module with your own custom Session module. Simply modify the listing in the <httpModules> section so that it points to your custom class.
Furthermore, if you want to add your own modules to the ASP.NET Framework, then you simply need to list a new module in the <httpModules> section. You can modify the Machine.Config file when you want to use the new module with all applications located on your Web server. Alternatively, if you want to use the new module with a particular application, you can add a Web.Config file to the root directory of that application.