
What is the implementation of ASP.NET's HTTP module and processor module?

2025-04-06 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article covers how ASP.NET's HTTP module and processor module are implemented. The editor finds it very practical and shares it here for study; I hope you get something out of reading it.

Implement an HTTP module that provides security services

Now we implement an HTTP module that provides security services for our Web application. The HTTP module provides a customized authentication service. It receives the identity credentials in the HTTP request and determines whether they are valid and, if so, which roles are associated with the user. Through the User.Identity object, it associates these roles with the identity of the user who visits our Web application's pages.

Here is the code for the HTTP module:

    using System;
    using System.Web;
    using System.Security.Principal;

    namespace SecurityModules
    {
        /// <summary>
        /// HTTP module that provides a customized authentication service.
        /// </summary>
        public class CustomAuthenticationModule : IHttpModule
        {
            public CustomAuthenticationModule()
            {
            }

            public void Init(HttpApplication r_objApplication)
            {
                // Register the event handler with the Application object.
                r_objApplication.AuthenticateRequest += new EventHandler(this.AuthenticateRequest);
            }

            public void Dispose()
            {
                // Left empty because we don't need to do anything.
            }

            private void AuthenticateRequest(object r_objSender, EventArgs r_objEventArgs)
            {
                // Authenticate the user's credentials and find out the user's role.
                // The numbered comments mark the lines the walkthrough below refers to.
    /*  1 */    HttpApplication objApp = (HttpApplication) r_objSender;
    /*  2 */    HttpContext objContext = (HttpContext) objApp.Context;
    /*  3 */    if ((objApp.Request["userid"] == null) ||
    /*  4 */        (objApp.Request["password"] == null))
    /*  5 */    {
    /*  6 */        objContext.Response.Write("<H1>Credentials not provided</H1>");
    /*  7 */        objContext.Response.End();
    /*  8 */    }
    /*  9 */    string userid = "";
    /* 10 */    userid = objApp.Request["userid"].ToString();
    /* 11 */    string password = "";
    /* 12 */    password = objApp.Request["password"].ToString();
    /* 13 */    string[] strRoles;
    /* 14 */    strRoles = AuthenticateAndGetRoles(userid, password);
    /* 15 */    if ((strRoles == null) || (strRoles.GetLength(0) == 0))
    /* 16 */    {
    /* 17 */        objContext.Response.Write("<H1>We are sorry but we could not find this userid and password in our database</H1>");
    /* 18 */        objApp.CompleteRequest();
                    // CompleteRequest() does not stop this method, so return
                    // before an identity is assigned to a rejected request.
                    return;
    /* 19 */    }
    /* 20 */    GenericIdentity objIdentity = new GenericIdentity(userid, "CustomAuthentication");
    /* 21 */    objContext.User = new GenericPrincipal(objIdentity, strRoles);
            }

            // Hard-coded demo check: returns the user's roles, or null if the
            // credentials are not recognized.
            private string[] AuthenticateAndGetRoles(string r_strUserID, string r_strPassword)
            {
                string[] strRoles = null;
                if ((r_strUserID.Equals("Steve")) && (r_strPassword.Equals("15seconds")))
                {
                    strRoles = new string[1];
                    strRoles[0] = "Administrator";
                }
                else if ((r_strUserID.Equals("Mansoor")) && (r_strPassword.Equals("mas")))
                {
                    strRoles = new string[1];
                    strRoles[0] = "User";
                }
                return strRoles;
            }
        }
    }

Let's look at the code above.

We start with the Init function. This function adds the module's AuthenticateRequest method to the event handler list of the Application object. This causes the Application to call this method when the AuthenticateRequest event is raised.

Once our HTTP module is initialized, its AuthenticateRequest method is called to authenticate each client request. The AuthenticateRequest method is the core of the security / authentication mechanism. In this function:

Lines 1 and 2 extract the HttpApplication and HttpContext objects. Lines 3 to 7 check whether a user id or password is missing. If either is not provided, an error message is displayed and request processing is terminated.

Lines 9 through 12 extract the user id and password from the HttpRequest object.

Line 14 invokes a helper function called AuthenticateAndGetRoles. This function performs the authentication and determines the user's roles. The code above is hard-coded and recognizes only two users, but we can extend this method and add code that interacts with a user database and retrieves the user's roles.

Lines 16 to 19 detect whether a role is associated with the user. If not, the credentials passed to us could not be verified and are therefore invalid. An error message is sent to the client, and the request ends.

Lines 20 and 21 are important because they actually tell the ASP.NET HTTP runtime the identity of the logged-in user. After these two lines are executed successfully, our aspx page can access this information using the User object.

Now let's take a look at how this authentication mechanism works. Currently, we only allow the following two users to log in to the system:

User id = Steve, Password = 15seconds, Role = Administrator

User id = Mansoor, Password = mas, Role = User

Note that the user id and password are case sensitive.

First try to log in to the system without providing credentials: enter http://localhost/webapp2/index.aspx in IE and you will see the following message:

Now try to log in to the system with the user id "Steve" and password "15seconds". Enter http://localhost/webapp2/index.aspx?userid=Steve&password=15seconds and you will see the following welcome message:

Now try to log in to the system using the user id "Mansoor" and password "mas". Enter http://localhost/webapp2/index.aspx?userid=Mansoor&password=mas and you will see the following welcome message page:

Now try to log in to the system with a wrong user id and password combination. Enter http://localhost/webapp2/index.aspx?userid=Mansoor&password=xyz and you will see the following error message:

This shows that our security module is working. You can extend this security module by using database access code in the AuthenticateAndGetRoles method.
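The walkthrough of line 14 and the paragraph above both suggest replacing the hard-coded check with a lookup against a user database. One way to do that, as an added example that is not part of the original article: the class name HashedCredentialStore, the in-memory dictionary standing in for the database, and the iteration count are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

namespace SecurityModules
{
    // Hypothetical store; the dictionary stands in for a user database (constructed data).
    public class HashedCredentialStore
    {
        private const int Iterations = 100000;   // assumed work factor
        private sealed class Record { public byte[] Salt, Hash; public string[] Roles; }
        private readonly Dictionary<string, Record> _users =
            new Dictionary<string, Record>(StringComparer.Ordinal); // ids stay case sensitive
        private readonly byte[] _dummySalt = new byte[16];

        public void AddUser(string userId, string password, params string[] roles)
        {
            byte[] salt = new byte[16];
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
            _users[userId] = new Record { Salt = salt, Hash = Derive(password, salt), Roles = roles };
        }

        // Returns the user's roles, or null when the credentials do not verify.
        public string[] AuthenticateAndGetRoles(string userId, string password)
        {
            if (userId == null || password == null) return null;
            Record rec;
            bool known = _users.TryGetValue(userId, out rec);
            // Derive even for unknown ids so response time does not reveal which ids exist.
            byte[] candidate = Derive(password, known ? rec.Salt : _dummySalt);
            return known && FixedTimeEquals(candidate, rec.Hash) ? rec.Roles : null;
        }

        private static byte[] Derive(string password, byte[] salt)
        {
            // PBKDF2-HMAC-SHA256; this overload needs .NET Framework 4.7.2 or later.
            using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
                return kdf.GetBytes(32);
        }

        private static bool FixedTimeEquals(byte[] a, byte[] b)
        {
            if (a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }
}
```

In the module, line 14 would call an instance of this store, which keeps only salted hashes instead of the plaintext passwords compared in the demo. Reading the values from Request.Form over HTTPS instead of the query string keeps them out of URLs, browser history and server logs.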

For all the parts to work, we have to make some changes to the web.config file. First of all, because we want to use our own authentication, we do not need any other authentication mechanism. To do this, change the <authentication> node in the web.config file of webapp2 as follows:

    <authentication mode="None" />

Similarly, anonymous users are not allowed to visit our Web site. Add the following statement to the web.config file:

    <authorization>
        <deny users="?" />
    </authorization>

We must at least provide anonymous access to the file that is used to supply credentials. Use the following configuration settings in the web.config file to treat index.aspx as a file that can be accessed anonymously:

    <location path="index.aspx">
        <system.web>
            <authorization>
                <allow users="*" />
            </authorization>
        </system.web>
    </location>

The above is how ASP.NET's HTTP module and processor module are implemented.
