6
votes

I have an application that is written in asp.net and I have some legacy classic asp pages integrated into the site. The site uses Windows authentication. Because I cannot manage .asp pages with roles, I've written a custom HttpModule to check if a user has permissions to view those pages, otherwise it redirects to an "access denied" page. The main issue is that the application needs to run in "classic mode" on IIS7. My module works in integrated mode, but not in classic mode. Is there any reason this code shouldn't work in classic mode as well? Thanks in advance.

Here is the code for the module, it's pretty simple:

using System;
using System.Web;

public class MyModule : IHttpModule
{
    public void Init(HttpApplication application)
    {
        // Run the check once the Windows identity has been established
        application.PostAuthenticateRequest += new EventHandler(Application_PostAuthenticateRequest);
    }

    void Application_PostAuthenticateRequest(object source, EventArgs e)
    {
        HttpApplication app = (HttpApplication)source;
        HttpContext context = app.Context;

        if (context.Request.RawUrl.Contains("/protected-subfolder/"))
        {
            // gets user from windows authentication
            string currentUser = Convert.ToString(context.User.Identity.Name);

            // isAdmin is the poster's own helper; it is not shown in the question
            if (!isAdmin(currentUser))
            {
                // deny access
                context.Response.Redirect(VirtualPathUtility.ToAbsolute("~/AccessDenied.aspx"));
            }
        }
    }

    public void Dispose() { }
}

Here is the setting in web.config for classic mode (not working):

<configuration>
    <system.web>
        <httpModules>
            <add name="MyModule" type="MyModule" />
        </httpModules>
    </system.web>
</configuration>

And the setting for integrated mode (working):

<configuration>
    <system.webServer>
        <modules>
            <add name="MyModule" type="MyModule"/>
        </modules>
        <validation validateIntegratedModeConfiguration="false" />
    </system.webServer>
</configuration>
1
Enable Failed Request Tracing and you'll get a better view of what's happening. See iis.net/learn/troubleshoot/using-failed-request-tracing/… – x0n
I actually have Failed Request Tracing enabled - the problem is that the request doesn't fail, but lets the user go straight to the page he/she shouldn't be able to access, which seems to imply the httpmodule isn't running at all. – lem
When you add an httpModule like this, it is also the last module to be executed. This might be an issue. You can take a look at the inherited modules from the system wide web.config and then <clear /> in your config, ensuring yours is first in the list, then add back the ones gleaned from the system web.config. – x0n
Also, look up the asp.net 2.0 breaking changes, particularly about <identity impersonate=true /> - your disabling configuration validation in integrated mode is sidestepping this. The user in your integrated pipeline might not be the user you think it is. – x0n
The weird thing is that this is the only module in web.config - I can't find any others in the system wide web.config. When I remove <validation validateIntegratedModeConfiguration="false" /> I get the same behavior as before. I suspect my issue has something to do with this: markcz.wordpress.com/2011/12/31/… – lem

1 Answer

2
votes

In integrated mode, IIS App pools allow any request URL to come in to the ASP.NET ISAPI, however, in classic mode, you would need a third-party ISAPI or the request will be sent directly to the page.

In integrated, the module gets checked FIRST before the actual request content.

SO:

  1. Integrated Mode: http://www.yoursite.com/myfile.html first goes through your http modules and routes configured in http modules and global.asax (your Request.Url should have the URL above)

  2. Classic Mode: http://www.yoursite.com/myfile.html checks to see if there is actually a file called myfile.html, and if not, then it goes to a 404 page. UNLESS, again, you have a custom URLRewrite module.

Hope this helps ya.
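
A simplified model of the routing described in the answer above, added here as an illustration and not part of the original answer or the poster's code: it reads a web.config and reports whether a managed module would run for a given URL in each pipeline mode. The sample config merges the question's two registrations with two script maps modelled on IIS 7 classic-mode defaults; the handler names, the first-match rule and the function names are assumptions.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample: the question's module registrations plus two script maps
# modelled on IIS 7 classic-mode defaults (handler names are assumptions).
SAMPLE_CONFIG = r"""<configuration>
  <system.web>
    <httpModules><add name="MyModule" type="MyModule" /></httpModules>
  </system.web>
  <system.webServer>
    <modules><add name="MyModule" type="MyModule" /></modules>
    <handlers>
      <add name="AspClassic" path="*.asp" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\system32\inetsrv\asp.dll" />
      <add name="AspNetPage" path="*.aspx" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" />
    </handlers>
  </system.webServer>
</configuration>"""


def _adds(root, section):
    """All <add> entries under every <section> element in the config."""
    return [a for s in root.iter(section) for a in s.findall("add")]


def module_sees_request(config_xml, module_name, url_path, pipeline_mode):
    """True if the managed module would run for url_path (simplified model)."""
    root = ET.fromstring(config_xml)
    if pipeline_mode == "integrated":
        # Integrated: system.webServer/modules entries run for every request
        # (assumes no preCondition on the entry, as in the question's config).
        return any(m.get("name") == module_name for m in _adds(root, "modules"))
    # Classic: the module must be registered in system.web/httpModules ...
    if not any(m.get("name") == module_name for m in _adds(root, "httpModules")):
        return False
    # ... and the first script map matching the file must be the ASP.NET ISAPI.
    leaf = url_path.split("?")[0].rsplit("/", 1)[-1].lower()
    for h in _adds(root, "handlers"):
        if fnmatch.fnmatchcase(leaf, h.get("path", "").lower()):
            return h.get("scriptProcessor", "").lower().endswith("aspnet_isapi.dll")
    return False  # no script map matched, so ASP.NET is never invoked


if __name__ == "__main__":
    for url in ("/protected-subfolder/report.asp", "/protected-subfolder/page.aspx"):
        for mode in ("classic", "integrated"):
            print(mode, url, module_sees_request(SAMPLE_CONFIG, "MyModule", url, mode))
```

In this model the `.asp` URL under the protected folder reaches the module only in integrated mode, which matches the behaviour reported in the question.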