Thursday, June 23, 2011

HttpModules and HttpHandlers

When a user or client request for an ASPX page say http://localhost/WebApp/Default.aspx. The request is first received by the IIS i.e., inetinfo.exe. IIS can

resolve the page if it is a static file like HTML, since it is ASPX page it forwards the request to ISAPI filters which is aspnet_isapi.dll. It is the isapi filter that is used in handling ASP.Net

Request. The isapi filter forwards the request to the worker process which is aspnet_wp.exe. The worker process is the one who execute the request and give back the HTML output back to the

client.

HttpModules and HttpHandlers

The HttpModules and HttpHandler are the

components in worker process that helps in completing the request. There is a mechanism called Http Pipeline inside the worker process to complete the request. Http pipeline is nothing but it is a

mechanism that receives the request with relevant information’s (via HttpContext object) and passes the request to series of object. During this stage the involvement of HttpModules comes into the

picture for servicing the request. There are a number of system-level(asp.net) HTTP modules, providing services ranging from authentication to state management to output caching. We can always write our

own httpmodules and configure it for our web application in web.config. System-level HttpModules configuration resides in machine.config file. Open the Machine.config file from

C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG and you can see the configuration of httpmodules that is involved by default in an asp.net request processing. I have installed framework in C:\ so

look into the drive where you installed the framework for machine.config file.



<httpmodules><add name="OutputCache" type="System.Web.Caching.OutputCacheModule"> <add name="Session" type="System.Web.SessionState.SessionStateModule"> <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule">
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule">
<add name="PassportAuthentication" type="System.Web.Security.PassportAuthenticationModule">
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule">
<add name="FileAuthorization" type="System.Web.Security.FileAuthorizationModule">
<add name="ErrorHandlerModule" type="System.Web.Mobile.ErrorHandlerModule, System.Web.Mobile, Version=1.0.5000.0,Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"> </httpmodules>

There may be more than one httpmodules involved in a request processing like authentication, caching, etc. After the request is

processed by httpmodules it is given to the HttpHandler for further completion. Like HttpModules there cannot be more than one HttpHandler that is involved in a request processing. To add more value to

the above point, in our example user requests an ASPX page so the HttpHandler which receives the request will be HttpPageHandlerFactory, it’s an factory implementation. Like HttpModules we can also

write a custom HttpHanlder and configure it Web.Config of our application to use it during request processing. As HttpModules the default HttpHandler used for ASP.Net request processing is configured in

Machine.Config file. Below you can find the information’s about HttpHandler in machine.config,



<httphandlers>
<add verb="*" path="*.vjsproj" type="System.Web.HttpForbiddenHandler">
<add verb="*" path="*.java" type="System.Web.HttpForbiddenHandler">
<add verb="*" path="*.jsl" type="System.Web.HttpForbiddenHandler">
<add verb="*" path="trace.axd" type="System.Web.Handlers.TraceHandler">
<add verb="*" path="*.aspx" type="System.Web.UI.PageHandlerFactory">
<add verb="*" path="*.ashx" type="System.Web.UI.SimpleHandlerFactory">
<add verb="*" path="*.asmx" type="System.Web.Services.Protocols.WebServiceHandlerFactory, System.Web.Services, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" validate="false">
<add verb="*" path="*.rem" type="System.Runtime.Remoting.Channels.Http.HttpRemotingHandlerFactory, System.Runtime.Remoting, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" validate="false">
<add verb="*" path="*.soap" type="System.Runtime.Remoting.Channels.Http.HttpRemotingHandlerFactory, System.Runtime.Remoting, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" validate="false">
<add verb="*" path="*.asax" type="System.Web.HttpForbiddenHandler">
<add verb="*" path="*.ascx" type="System.Web.HttpForbiddenHandler">
<add verb="GET,HEAD" path="*.dll.config" type="System.Web.StaticFileHandler">
<add verb="GET,HEAD" path="*.exe.config" type="System.Web.StaticFileHandler">
<add verb="*" path="*.config" type="System.Web.HttpForbiddenHandler">
<add verb="*" path="*.cs" type="System.Web.HttpForbiddenHandler">
<add verb="*" path="*.csproj" type="System.Web.HttpForbiddenHandler">
<add verb="*" path="*.vb" type="System.Web.HttpForbiddenHandler">
<add verb="*" path="*.vbproj" type="System.Web.HttpForbiddenHandler">
<add verb="*" path="*.webinfo" type="System.Web.HttpForbiddenHandler">
<add verb="*" path="*.asp" type="System.Web.HttpForbiddenHandler">
<add verb="*" path="*.licx" type="System.Web.HttpForbiddenHandler">
<add verb="*" path="*.resx" type="System.Web.HttpForbiddenHandler">
<add verb="*" path="*.resources" type="System.Web.HttpForbiddenHandler">
<add verb="GET,HEAD" path="*" type="System.Web.StaticFileHandler">
<add verb="*" path="*" type="System.Web.HttpMethodNotAllowedHandler">
</httphandlers>


If you see above configuration settings you can understand why we can’t browse web.config, project file, .cs file as it is handled by System.Web.HttpForbiddenHandler handler which forbids the output from being viewed by the user
Posted by at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)