ASP. net http module and processing program (6)

Implement an HTTP module that provides security services

Now we implement an HTTP module for our Web Applications Program Provides security services. The HTTP module provides a customized identity authentication service. It will receive the identity credential in the HTTP request and determine whether the credential is valid. If valid, what are the user-related roles? The user. Identity object is used to associate these roles with the user IDs that access our web application page.
The following is the HTTP module's Code :

Using system;
Using system. Web;
Using system. Security. Principal;

Namespace securitymodules
{
/// Overall description of class1.

Public class customauthenticationmodule: ihttpmodule
{
Public customauthenticationmodule ()
{
}
Public void Init (httpapplication r_objapplication)
{
// Register the event handler with the application object.
R_objapplication.authenticaterequest + =
New eventhandler (this. authenticaterequest );
}

Public void dispose ()
{
// This field is empty because we do not need to perform any operations.
}

Private void authenticaterequest (Object r_objsender, eventargs r_objeventargs)
{
// Identify the user's creden。 and find out the user role ..
1. httpapplication objapp = (httpapplication) r_objsender;
2. httpcontext objcontext = (httpcontext) objapp. context;
3. If (objapp. request ["userid"] = NULL) |
4. (objapp. request ["password"] = NULL ))
5 .{
6. objcontext. response. Write ("7. objcontext. response. End ();
8 .}

9. String userid = "";
10. userid = objapp. request ["userid"]. tostring ();
11. String Password = "";
12. Password = objapp. request ["password"]. tostring ();

13. String [] strroles;
14. strroles = authenticateandgetroles (userid, password );
15. If (strroles = NULL) | (strroles. getlength (0) = 0 ))
16 .{
17. objcontext. response. Write ("Find this user ID and password in our database 18. objapp. completerequest ();
19 .}

20. genericidentity objidentity = new genericidentity (userid,
"Customauthentication ");
21. objcontext. User = new genericprincipal (objidentity, strroles );
}

Private string [] authenticateandgetroles (string r_struserid, string r_strpassword)
{
String [] strroles = NULL;
If (r_struserid.equals ("Steve") & (r_strpassword.equals ("15 seconds ")))
{
Strroles = new string [1];
Strroles [0] = "Administrator ";
}
Else if (r_struserid.equals ("Mansoor") & (r_strpassword.equals ("Mas ")))
{
Strroles = new string [1];
Strroles [0] = "user ";
}
Return strroles;
}
}
}

Let's take a look at the above Code.

We started from the init function. This function inserts the authenticaterequest event of the processing program into the event handler list of the Application object. This will cause the application to call this method when the authenticationrequest event is triggered.

After the HTTP module is initialized, we can call its authenticaterequest Method to Identify client requests. The authenticaterequest method is the core of the security/identity authentication mechanism. In this function:

Extract httpapplication and httpcontext objects in rows 1 and 2. Lines 3 to 7 check whether the user ID or password is not provided to us. If not, an error message is displayed and the request processing process ends.

Lines 9 to 12 extract the user ID and password from the httprequest object.

Line 14 calls a helper function called authenticateandgetroles. This function mainly performs authentication and determines the user role. The above Code uses hard-coded and only allows two users to use it. However, we can extend this method and add code to interact with the user database and retrieve the user's role.

Lines 16 to 19 check whether a role is associated with the user. If not, it means that the credential passed to us has not passed verification; therefore, this credential is invalid. Therefore, an error message is sent to the client and the request is complete.

Lines 20 and 21 are very important, because these two lines Actually tell ASP. Net the identity of the logged-on user during HTTP runtime. After these two rows are successfully executed, our ASPX page will be able to access this information using the user object.

Now let's take a look at the status of this authentication mechanism. Currently, only the following two users are allowed to log on to the system:

· User id = Steve, password = 15 seconds, role = Administrator
· User id = Mansoor, password = mas, role = user

Note that the user ID and password are case sensitive (case sensitive ).

First, try to log on to the system without providing a credential. Enter http: // localhost/webapp2/index. aspx in IE to see the following message: