An HttpModule registers handlers for HttpApplication events, and a managed code module that implements the IHttpModule interface can access all the events of the request pipeline. So how is the underlying encapsulation done for the module we use most often, the ASP.NET Forms authentication module?
Today I went over the ASP.NET life cycle. I used to like building all kinds of applications and small programs, but gradually it came to feel really boring: as long as you understand the basic syntax and can use the relevant library or framework, that is enough, and when something goes wrong it is only a small error of detail. Strictly speaking this does not train a person; it is a bit like a frog in slowly boiling water. Of course, it does help us master the use of a framework and increases proficiency and the basics of application work, but personally I always felt something was missing ... What I want to do later is have others use the frameworks and libraries I develop, and I would like to study the underlying architecture of a framework rather than just the framework. So, going over the life cycle, I really do not understand the part where IIS processes the request, while I am more familiar with how ASP.NET processes it. I will not force myself to understand what I do not know; after all, the depth and breadth of my skills are where they are, and I will naturally come to understand it in the future.
Compared with previous versions, IIS 7 adds an integrated mode. The IIS 7 integrated pipeline is a unified request processing pipeline that supports both native code and managed code modules. A managed code module that implements the IHttpModule interface can access all events in the request pipeline. For example, a managed code module can perform ASP.NET Forms authentication for ASP.NET .aspx files and for HTML pages (.htm or .html files). This is true even though IIS and ASP.NET treat HTML pages as static resources.
Functionally, an HttpModule is like an ISAPI filter for IIS. Before IIS dispatches a received request to the appropriate ISAPI extension, the registered ISAPI filters intercept it first; a filter can read and even modify the request content to provide additional functionality. Similarly, when a request enters the ASP.NET pipeline, the object ultimately responsible for processing it is the HttpHandler that matches the requested resource type, but before the handler starts work, ASP.NET loads and initializes all configured HttpModule objects. During initialization, an HttpModule registers some of its functions for the corresponding HttpApplication events; when those events fire at particular stages of the HttpApplication request-processing life cycle, the event handlers registered by the HttpModule are executed as well.
Every HttpModule implements the IHttpModule interface, and the following is the definition of IHttpModule. The Init method initializes the HttpModule itself; it accepts an HttpApplication object, and with this object event registration is easy.
Many of the basic infrastructure features that ASP.NET provides are implemented through corresponding HttpModules. The following list shows some typical ones:
OutputCacheModule: implements output caching;
SessionStateModule: implements session-based state on top of the stateless HTTP protocol;
WindowsAuthenticationModule + FormsAuthenticationModule + PassportAuthenticationModule: implement the 3 typical authentication methods: Windows authentication, Forms authentication and Passport authentication;
UrlAuthorizationModule + FileAuthorizationModule: implement authorization based on URI and on file ACL (Access Control List).
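A custom module follows the same pattern as the built-in ones listed above. The following is an added example, not code from the original page or from ASP.NET: a module that uses Init to register two pipeline events and logs requests that authentication or authorization turned away. The class name `AuthAuditModule`, the `audit.user` item key and the log format are assumptions; the module would be registered in web.config like any other module.

```csharp
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Security;

// Hypothetical module (not part of ASP.NET): records denied requests for review.
public sealed class AuthAuditModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Raised after the authentication modules have had their chance to set Context.User.
        app.PostAuthenticateRequest += OnPostAuthenticate;
        // Raised last, when the final status code of the response is known.
        app.EndRequest += OnEndRequest;
    }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        bool authenticated = ctx.User != null && ctx.User.Identity.IsAuthenticated;
        ctx.Items["audit.user"] = authenticated ? ctx.User.Identity.Name : "(anonymous)";
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        int status = ctx.Response.StatusCode;
        // 401/403 are denials; forms authentication turns a 401 into a 302 to the login page.
        bool denied = status == 401 || status == 403 ||
            (status == 302 && IsLoginRedirect(ctx.Response.RedirectLocation));
        if (!denied) return;
        Trace.TraceWarning("auth-denied user={0} ip={1} path={2} status={3}",
            ctx.Items["audit.user"] ?? "(unknown)", ctx.Request.UserHostAddress,
            ctx.Request.Url.AbsolutePath, status);
    }

    private static bool IsLoginRedirect(string location)
    {
        return location != null &&
            location.IndexOf(FormsAuthentication.LoginUrl, StringComparison.OrdinalIgnoreCase) >= 0;
    }

    public void Dispose() { }
}
```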
With a fastidious learning attitude, I studied the source of Forms authentication (in fact, it is not the real source code; I used Reflector to find it).
Look at the source code of FormsAuthenticationModule:
Take a look at our most familiar method, Init:
As you can see, two HttpApplication pipeline events are registered here. Let's look at the explanation given for the AuthenticateRequest event:
Then we look at the OnEnter method:
And then we go in and look at the OnAuthenticate method:
    private void OnAuthenticate(FormsAuthenticationEventArgs e)
    {
        HttpCookie cookie = null;
        // Handlers of the module's Authenticate event run first and may set e.User.
        if (this._eventHandler != null)
        {
            this._eventHandler(this, e);
        }
        if (e.Context.User == null)
        {
            if (e.User != null)
            {
                e.Context.SetPrincipalNoDemand(e.User);
            }
            else
            {
                // Read the ticket from the cookie (or from the URL in cookieless mode).
                bool cookielessTicket = false;
                FormsAuthenticationTicket tOld = ExtractTicketFromCookie(e.Context, FormsAuthentication.FormsCookieName, out cookielessTicket);
                if ((tOld != null) && !tOld.Expired)
                {
                    FormsAuthenticationTicket ticket = tOld;
                    if (FormsAuthentication.SlidingExpiration)
                    {
                        ticket = FormsAuthentication.RenewTicketIfOld(tOld);
                    }
                    // The principal is created with an empty role list.
                    e.Context.SetPrincipalNoDemand(new GenericPrincipal(new FormsIdentity(ticket), new string[0]));
                    if (!cookielessTicket && !ticket.CookiePath.Equals("/"))
                    {
                        cookie = e.Context.Request.Cookies[FormsAuthentication.FormsCookieName];
                        if (cookie != null)
                        {
                            cookie.Path = ticket.CookiePath;
                        }
                    }
                    // The ticket was renewed: encrypt it again and send it back to the client.
                    if (ticket != tOld)
                    {
                        if ((cookielessTicket && (ticket.CookiePath != "/")) && (ticket.CookiePath.Length > 1))
                        {
                            ticket = FormsAuthenticationTicket.FromUtc(ticket.Version, ticket.Name, ticket.IssueDateUtc, ticket.ExpirationUtc, ticket.IsPersistent, ticket.UserData, "/");
                        }
                        string cookieValue = FormsAuthentication.Encrypt(ticket, !cookielessTicket);
                        if (cookielessTicket)
                        {
                            e.Context.CookielessHelper.SetCookieValue('F', cookieValue);
                            e.Context.Response.Redirect(e.Context.Request.RawUrl);
                        }
                        else
                        {
                            if (cookie != null)
                            {
                                cookie = e.Context.Request.Cookies[FormsAuthentication.FormsCookieName];
                            }
                            if (cookie == null)
                            {
                                cookie = new HttpCookie(FormsAuthentication.FormsCookieName, cookieValue) { Path = ticket.CookiePath };
                            }
                            if (ticket.IsPersistent)
                            {
                                cookie.Expires = ticket.Expiration;
                            }
                            cookie.Value = cookieValue;
                            // Secure follows the requireSSL setting; HttpOnly is always set.
                            cookie.Secure = FormsAuthentication.RequireSSL;
                            cookie.HttpOnly = true;
                            if (FormsAuthentication.CookieDomain != null)
                            {
                                cookie.Domain = FormsAuthentication.CookieDomain;
                            }
                            e.Context.Response.Cookies.Remove(cookie.Name);
                            e.Context.Response.Cookies.Add(cookie);
                        }
                    }
                }
            }
        }
    }
If you look carefully, you can see that this method involves all the classes related to Forms authentication. So for the module that processes Forms authentication, the most important thing is this FormsAuthenticationModule class, and here it can be used to understand the decoupling achieved by the classes it creates. I have to say that I could not write this myself, but I can still understand the practical application of the HttpModule pipeline, and I have a general understanding of the module design. I wonder whether this class reminds you of the authentication filters of the ASP.NET MVC framework; those filters are actually implemented by using the attribute feature to achieve AOP aspect injection, so in fact it should also be possible here to add attributes to achieve AOP. Of course, this is only my guess, but it should be feasible.
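OnAuthenticate above builds its GenericPrincipal with an empty role array, so role information has to be attached by a later pipeline step. The following is an added example, not code from the original page or from ASP.NET: a module that runs in PostAuthenticateRequest and rebuilds the principal with roles taken from the ticket. The class name `TicketRolesModule` and the convention that the login page stored a comma-separated role list in the ticket's UserData are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical module (not part of ASP.NET). Assumes the login code put a
// comma-separated role list into UserData when it issued the ticket.
public sealed class TicketRolesModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // FormsAuthenticationModule has already handled AuthenticateRequest by now.
        app.PostAuthenticateRequest += OnPostAuthenticate;
    }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.User == null) return;

        // Only act on identities that FormsAuthenticationModule created from a ticket.
        FormsIdentity identity = ctx.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        // UserData travels inside the encrypted ticket, so it is only as
        // trustworthy as the ticket protection settings and the machine key.
        string[] roles = ParseRoles(identity.Ticket.UserData);
        ctx.User = new GenericPrincipal(identity, roles);
    }

    // Splits "admin, editor" into { "admin", "editor" }; empty input gives no roles.
    internal static string[] ParseRoles(string userData)
    {
        if (string.IsNullOrEmpty(userData)) return new string[0];
        string[] parts = userData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        for (int i = 0; i < parts.Length; i++) parts[i] = parts[i].Trim();
        return parts;
    }

    public void Dispose() { }
}
```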
ASP.NET underlying encapsulation, an HttpModule example: analysis of the FormsAuthentication class