Custom Forms role-based security and HttpModules

From: Sangi (sangi@msn.com)
Date: 03/27/03 

From: "Sangi" <sangi@msn.com>
Date: Thu, 27 Mar 2003 00:24:23 GMT

Hi all,
I've seen quite a few examples that handle the Application's
AuthorizeRequest event in the global.asax file to implement a Forms
role-based security. While this surely works fine, I can't use this
approach, for two reasons:
1) I dont' want to implement this for all the site, but only for part of it,
and use another security mechanism for the rest of the site. Let's say that
I want to use my own custom Forms role-based security for a sub-directory,
and the standard Windows or Forms security for the rest.
2) The second reason is that I'm plugging my own sub-site into another
existent site, and I dont' have access to the site's global.asax/asax.vb
file, so I can't handle the AuthorizeRequest there.

So my question is: would it work if I handled the AuthorizeRequest from a
custom HttpModule? Could I install it only for a folder, by registering it
into that sub-folder's web.config, and continue to use the default security
in the rest of the site, where my module is not registered?

Also, say that the site already has a custom security implementation in its
Global.asax file, would my module override it for the folder where it has
been registered, or would the Global.asax implementation come last, and thus
override what I do in my module, and for the entire site? I'm not sure how
the ASP.NET pipeline works in detail. I've read all the articles on MSDN
Magazine and many others, but couldn't find answers for all these questions.
Can anyone give a hint? Thanks a lot!
 -- Sangi

Relevant Pages