[Translation] The Role of HTTP Modules in .NET Security Authentication

2007-05-27 12:24

This article describes how to use an HTTP module to create custom security authentication in ASP.NET.

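First, understand how ASP.NET processes a web request.

The article series 《了解ASP.NET底层架构》 ("Understanding the Low-Level Architecture of ASP.NET"), translated by tmfc, covers this in detail.

An HTTP module is a class that implements the IHttpModule interface and is used to process web requests.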

ASP.NET's built-in modules include:

Output Cache Module

Windows Authentication Module

Forms Authentication Module

Passport Authentication Module

URL Authorization Module

File Authorization Module

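We can modify these existing modules to add new functionality, or add new modules to implement custom functionality. For example, we can write a custom security module that uses Active Directory.

Modules are executed when HttpApplication events fire.

IHttpModule has the following two methods:

Init(HttpApplication objApplication)

Registers event handlers for HttpApplication events.

Dispose()

Releases resources.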

Steps to implement a custom HTTP module

1. Create a class that implements the IHttpModule interface

    using System;
    using System.Web;

    namespace CustomModule
    {
        public class CustomAuthnModule : IHttpModule
        {
            public CustomAuthnModule()
            {
            }

            public void Init(HttpApplication objHttpApp)
            {
            }

            public void Dispose()
            {
            }
        }
    }

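2. Register the events in the Init method

    public void Init(HttpApplication objHttpApp)
    {
        // Run CustomAuthentication at the AuthenticateRequest stage of every request.
        objHttpApp.AuthenticateRequest += new EventHandler(this.CustomAuthentication);
    }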

3. Write the handler for the registered event

    private void CustomAuthentication(object sender, EventArgs evtArgs)
    {
        HttpApplication objHttpApp = (HttpApplication)sender;
        objHttpApp.Context.Response.Write("Custom Authentication Module is Invoked");
    }

4. Add the DLL to the GAC

1) Create a strong-name key file

    sn -k key.snk

2) Add the key file to the AssemblyKeyFile attribute in AssemblyInfo.cs

3) gacutil /i CustomModule.dll

5. Register the HttpModule in web.config

    <!-- inside <system.web> -->
    <httpModules>
        <add name="ModuleName" type="Namespace.ClassName, AssemblyName" />
    </httpModules>

Example: a custom module based on database authentication

    using System;
    using System.Web;
    using System.Data;
    using System.Data.SqlClient;

    namespace CustomAuthorizationModule
    {
        public class CustomAuthorizationModule : IHttpModule
        {
            public CustomAuthorizationModule()
            {
            }

            // Hook the AuthorizeRequest stage of the pipeline.
            public void Init(HttpApplication objApp)
            {
                objApp.AuthorizeRequest += new EventHandler(this.CustomDBAuthorization);
            }

            public void Dispose()
            {
            }

            private void CustomDBAuthorization(object sender, EventArgs evtArgs)
            {
                HttpApplication objApplication = (HttpApplication)sender;
                string sAppPath, sUsrName;
                bool bAuthorized = false;

                sAppPath = objApplication.Request.FilePath.ToString();
                // The user name is read from the first request parameter, which the client supplies.
                sUsrName = objApplication.Request.Params[0].ToString();
                bAuthorized = DBAuthorize(sUsrName, sAppPath);

                if (bAuthorized)
                {
                    objApplication.Context.Response.Write("Authorized User");
                }
                else
                {
                    objApplication.Context.Response.Write("UnAuthorized User");
                    objApplication.Response.End();
                }
            }

            // Asks the sAuthorizeURL stored procedure whether the user may access the path.
            private bool DBAuthorize(string sUsrName, string sAppPath)
            {
                // "using" closes the connection even if the query throws.
                using (SqlConnection sqlConn = new SqlConnection())
                {
                    sqlConn.ConnectionString = "user id=sa;Pwd=password;Data Source=localhost;Initial Catalog=Northwind";
                    SqlCommand sqlCmd = new SqlCommand();
                    sqlCmd.Connection = sqlConn;
                    sqlConn.Open();
                    sqlCmd.CommandType = CommandType.StoredProcedure;
                    sqlCmd.CommandText = "sAuthorizeURL";
                    sqlCmd.Parameters.Add("@UserName", SqlDbType.VarChar, 30);
                    sqlCmd.Parameters.Add("@URLPath", SqlDbType.VarChar, 40);
                    sqlCmd.Parameters["@UserName"].Value = sUsrName;
                    sqlCmd.Parameters["@URLPath"].Value = sAppPath;

                    // ExecuteScalar returns null when the procedure yields no row.
                    object res = sqlCmd.ExecuteScalar();
                    return res != null && res.ToString() == "Authorized";
                }
            }
        }
    }