Today, one of the important goals is to provide high security to distributed Web Applications. The security is designed throughout the .NET Framework like Code Access Security, ASP.NET Integrated Security and Cryptography, which can be optimally used to develop Secure Applications.
However, in scenarios where one has to perform Authentication or Authorization by the database and give appropriate privileges to the users (or) the permissions have to be provided at runtime for specific operations (or) in scenarios like where no Web browsers are used, it becomes crucial to develop Custom Security.
The ASP.NET Framework has defined a set of HTTP Modules which takes care of the basic Authentication and Authorization mechanisms. The Custom Security (Custom Authentication or Authorization) can be performed in Forms Authentication or Windows Authentication by coding in the Global.asax file, which is not a reliable (or) reusable solution. The .NET Framework gives the flexibility to develop custom HTTP Modules and plug them into the ASP.NET Application, hence enabling to develop highly scalable, reusable and reliable .NET Security Components.
This article explains in detail about the HTTP Modules and the steps to create a custom HTTP Module with an example. The article also gives a brief about how to create a custom HTTP Module in developing a custom database authorization module.
ASP.NET Pipeline Processing
When a Web request for a page is raised, it gets processed by ASP.NET Pipeline Objects. First the request is received by HTTP Runtime Object from the IIS and gets directed to the respective HTTP Application object. Further, the request gets filtered by various HTTP Module objects such as Windows Authentication Module, Session Module and finally gets processed by HTTP Handler object. The Current request information can be accessed anywhere in the pipeline through the HTTP Context Object.
An HTTP Module is basically a class which Implements
IHTTPModule Interface to pre/post process the Web requests.
The built-in modules in ASP.NET are:
- Output Cache Module
- Windows Authentication Module
- Forms Authentication Module
- Passport Authentication Module
- URL Authorization Module
- File Authorization Module
The implementation of these modules can be customized and new modules can also be added to enhance more security features by developing Custom HTTP Modules. As an example, we can develop a custom authentication module to authenticate users via Active Directory services.
The modules get executed when an HTTP Application Event is raised. The HTTP Application Events are listed as follows:
HTTP Application Events
Application_BeginRequest - Fired before request processing starts
Application_AuthenticateRequest - Authenticate the Caller
Application_AuthorizeRequest - Checks the privileges for the Caller
Application_ResolveRequestCache - To get a response from the cache
Application_AcquireRequestState - To Load Session State
Application_PreRequestHandlerExecute - Fired before the request is sent to the handler object
Application_PostRequestHandlerExecute - Fired after the request is sent to the handler object
Application_ReleaseRequestState - To release the Session State
Application_UpdateRequestCache - To update the Response Cache
Application_EndRequest - Fired after processing ends
Application_PreSenRequestHeaders - Fired before buffered response headers are sent
Application_PreSendRequestContent - Fired before buffered response body is sent
Application_Error - Fired when an error is raised
The IHTTP Module has the following two methods:
Init( HttpApplication objApplication)
- To register the Event Handlers for
Steps to Implement Custom HTTP Module
1. Create a Class Implementing IHTTPModule Interface
Init Method taking
HttpApplication Object as parameter and
Dispose methods are declared:
2. Register the Events in the Init Method of the Class
EventHandler for the Event that needs to be handled:
3. Write the Method Code to Handle the Registered Event
When the Authentication Request is raised, the
CustomAuthentication method gets executed. In this example, it gives response of message when the event is raised.
4. Install the Library File into GAC...
... (or) Place it in bin directory of the Web Application which makes use of the developed Custom Module.
Steps to Install the DLL in GAC:
- Create a Strong Name Key file
sn –k key.snk
- Map the Key file to the
AssemblyKeyFile attribute in the AssemblyInfo.cs
gacutil /i CustomModule.dll
5. Register the HTTPModule
The HTTP Modules have to be registered in the Web.config file of the Application which implements them. The Configuration details for the
httpModules is given below:
<add name ="ModuleName" type="Namespace.ClassName","AssemlbyName">
In this example, the Module Name is
CustomModule and the
CustomModule. Hence the configuration for the custom Module is as shown below:
<add name="CustomAuthnModule" type="CustomModule.CustomAuthnModule,CustomModule">
An Example - Custom DB Authorization Module
ABC Company has to develop an Internet application for the various business partners doing business with them.The information about the business partners and their respective privileges are stored in the SQL Server database. One of the requirements is to validate the users and populate the roles at the database level and to provide appropriate access to the application.The code given below helps to achieve the given requirement.
When the Web page ViewBusinessPartners.aspx is requested with the "request User Parameter", it validates the User privileges to access the requested site and gives appropriate access.
public class CustomAuthorizationModule : IHttpModule
public void Init(HttpApplication objApp)
objApp.AuthorizeRequest += new
public void Dispose()
private void CustomDBAuthorization(object sender,EventArgs
HttpApplication objApplication =(HttpApplication)sender;
bool bAuthorized = false;
bAuthorized = DBAuthorize(sUsrName,sAppPath);
private string DBAuthorize(string sUsrName,string sAppPath)
SqlConnection sqlConn=new SqlConnection()
sqlConn.ConnectionString="user id=sa;Pwd=password;Data Source=localhost;
SqlCommand sqlCmd=new SqlCommand();
SqlParameter sqlParam=new SqlParameter();
sqlParam = sqlCmd.Parameters.Add ("@UserName",SqlDbType.VarChar,30);
sqlParam = sqlCmd.Parameters.Add("@URLPath",SqlDbType.VarChar,40);
if(res == "Authorized")
The role of HTTP Modules in .NET Security is to filter and process the Web requests. It also helps to build high security in the Web Applications by developing custom modules. This article has explored only the Authorization module. There are several interesting Modules to be explored and can be customized to suit business needs like custom authentication, caching and state management.
- 22nd May, 2007: Initial post