Overview of the Custom XmlAuthentication Module
In this article, we'll build a simple HTTP module. Our module will implement a custom system of authenticating and authorizing users. It will use one XML file to associate users with roles and a second XML file to associate roles with pages. For example, you can use this module to prevent anyone but supervisors from viewing a page named BizPlan.aspx.
You can use any .NET-compatible language when building modules, including Visual Basic .NET, C#, or JScript .NET. For the sake of simplicity, we'll create our class using Visual Basic .NET.
You create a new HTTP module by creating a class that implements the IHttpModule interface. The IHttpModule interface contains two methods that you can implement:
Init() (application as HttpApplication)Used for initializing the module
Dispose()Used for disposing any resources used by the module
You must always implement both the Init() and Dispose() method. Within the Init() method, you can register one or more event handlers for HttpApplication events.
Code in a module executes when an HttpApplication event is raised. You can handle any of the following HttpApplication events:
For example, if you want to execute code in your module at the beginning of each page request, then you would handle the Application_BeginRequest event. If you want to implement your own caching mechanism, then you would handle the Application_ResolveRequestCache and Application_UpdateRequestCache events. If you want to perform some action whenever there is an error in your application, such as sending the error to an administrator in an email or writing the error to the event log, then you would handle the Application_Error event.
In order to implement our module, we'll need to handle the Application_AuthenticateRequest and Application_AuthorizeRequest events. We'll handle the Application_AuthenticateRequest event to identity a user and look up the user's roles. The list of user roles will be stored in an XML file named XmlRoles.xml.
We'll also need to handle the Application_AuthorizeRequest event to determine whether a user in a particular role is authorized to request a particular page. A second XML file, named XmlAuthRoles.xml, will be used to associate authorized roles with particular pages.
We specify the event handlers for the Application_AuthenticateRequest and Application_AuthorizeRequests events in the Int() method of our module. The code in Listing 1 demonstrates how we can write the necessary Init() method..
Listing 1Init() Method
Imports System Imports System.Web Public Class XmlAuthenticationModule Implements IHttpModule ' Register Event Handlers Public Sub Init( application As HttpApplication ) _ Implements IHttpModule.Init AddHandler Application.AuthenticateRequest, AddressOf XmlAuthenticate AddHandler Application.AuthorizeRequest, AddressOf XmlAuthorize End Sub End Class
The Init() method in Listing 1 associates a subroutine named XmlAuthenticate with the Application_AuthenticateRequest event, and a subroutine named XmlAuthorize with the Application_AuthorizeRequest event. We'll explore each of these subroutines in the following sections.