Role of HTTP Modules in .NET Security

Tuesday, May 22, 2007

Today, one of the important goals is to provide high security to the distributed Web Applications. The security is designed throughout the .NET Framework like Code Access Security, ASP.NET Integrated Security and Cryptography, which can be optimally used to develop Secure Applications.

However, in scenarios where one has to perform Authentication or Authorization by the database and give appropriate privileges to the users (or) the permissions have to be provided at the runtime for specific operations (or) in scenarios like where no web browsers are used , it becomes crucial to develop Custom Security.
The ASP.NET Framework has defined set of Http Modules which takes care of the basic Authentication and Authorization mechanisms. The Custom Security (Custom Authentication or Authorization) can be performed in Forms Authentication or Windows Authentication by coding in the Global.asax file, which is not a reliable (or) reusable solution. The .NET Framework gives the flexibility to develop custom Http Modules and plug them into the ASP.NET Application,hence enabling to develop highly scalable, reusable and reliable .NET Security Components.

This article explains in detail about the HTTP Modules and the steps to create custom Http Module with an example. The article also gives a brief how to create a custom Http Module in developing a custom database authorization module.

If you have no experience writing web (or other) security code, this (like many CP articles) can be a dangerous oversimplification of "a" way to implement security. At best it is a mediocre article about the purpose and value of HttpModules.

For most cases, you can and should use the ASP.NET Membership Provider framework to build your custom security. In other rare cases, you might have to build your own security layer and may need an HttpModule, but to build any type of security that is truly secure is non-trivial.

CodeSniper - Thursday, May 24, 2007 3:39:09 AM

1 Comment