The Integrated Pipeline in IIS7
Back in late 2005 I developed an HttpModule for ASP.NET that parsed the output of web pages and checked their validity as XHTML documents. The module appended a little report to each page with details of any validation errors. You can still
get the source from this blog post. Perhaps the biggest limitation of this tool was that it could only validate the output from pages processed by the ASP.NET pipeline, usually those ending in the .
aspx extension. There was no way of using the module to validate static pages or even pages generated by other server frameworks such as ASP or PHP... until now!
The new Integrated Pipeline is one of the most exciting features of Internet Information Services (IIS) version 7, which ships with Windows Server 2008. It allows your HttpModules to participate in all requests, including those for static content, PHP pages and even images. This enhancement is compatible with the existing ASP.NET HttpModule system. To my delight, this means that the XHTML Validator Module worked without any modifications and can now be applied against any type of page. Better still, you can use the HttpModules that ship as part of the ASP.NET framework in this way too.
Since ASP.NET version 2.0, its membership features have provided an easy way to build secure websites with roles-based access and a plethora of ways to manage user accounts. In fact, you can now do this with virtually no coding required by using the new login controls, SQL Membership Provider and
Web Site Administration Tool! But what if you wanted to secure access to resources that don't normally pass through the ASP.NET pipeline (such as an image or a ZIP file)?
With IIS7 using the existing Forms Authentication HttpModule – coupled with the membership features mentioned above – provides a consistent way to secure your web site’s assets. Whilst it was possible to achieve this for certain static types in previous versions of IIS, it was much trickier to deploy and didn’t work for most dynamic types. Now we have a hassle-free approach that works consistently across all file types.
It's easy to configure too, especially with the revamped IIS Manager that comes with version 7. First, your Application Pool must be setup to use the Integrated Pipeline: just set the Managed Pipeline dropdown to ‘Integrated’ in the Basic Settings dialog. Second, you need to modify the registration of the HttpModule itself by un-checking the "Invoke only for requests to ASP.NET applications or managed handlers" checkbox. You’ll find this by navigating to your web site and clicking the Modules icon in the IIS group. This last change actually modifies the appropriate web.config file by moving the module from the "system.web/modules" section to the new "system.webServer/modules" section.
Visit MSDN online for more on
creating and registering a custom HTTP module. For more on IIS7, please visit the
IIS homepage. As I always say, “easy peasy”.
Josh Twist
Application Development Consultant (ADC)Read Josh's Blog
