ASP.NET httpHandlers & handlers - asp.net

I am confused about httpHandlers in system.web and handlers in system.webServer. What is the difference between these two configuration? And how and when to use them?
Actually another question is for modules as well: httpModules in system.web and modules in system.webServer

The system.webServer section in the Web.config file specifies settings for IIS 7.0 that are applied to the Web application. The system.WebServer is a child of the configuration section. For more information, see IIS 7.0: system.webServer Section Group (IIS Settings Schema).
and <system.web> specifies the root element for the ASP.NET configuration section and contains configuration elements that configure ASP.NET Web applications and control how the applications behave. httpHandlers & handlers are same.
To register an HTTP handler for IIS 6.0 use should:
<configuration>
<system.web>
<httpHandlers>
<add verb="*" path="SampleHandler.new"
type="SampleHandler, SampleHandlerAssembly" />
</httpHandlers>
</system.web>
</configuration>
To register an HTTP handler for IIS 7.0 use should:
<configuration>
<system.web>
<httpHandlers>
<add verb="*" path="SampleHandler.new"
type="SampleHandler, SampleHandlerAssembly" />
</httpHandlers>
</system.web>
<system.webServer>
<add name=SampleHandler" verb="*" path="SampleHandler.new"
Modules="IsapiModule"
scriptProcessor="FrameworkPath\aspnet_isapi.dll"
resourceType="File" />
</system.webServer>
</configuration>
Read more Here

<system.web> is the configuration section for asp.net, traditionally this is where you would define your httpHandlers and httpModules.
With the introduction of IIS 7 (2007) the web server and asp.net got much more integrated and a completely new IIS configuration system was introduced.
As part of this the location for handler and module definitions was moved to <system.webServer>
If you are still using IIS6 (stop it) or use classic pipeline mode in IIS7+ you need to have your definitions under <system.web>, if you are using integrated pipeline mode in IIS7+ put them under <system.webServer>. You should not have them in both sections.

Related

serving clasic .asp pages works on IIS express but fails on production IIS

I'm making a web application with urlrewrites using global.asax, and in some point, i check if the page is a classic .asp page to serve special content or make redirections.
I have the application working on development under IIS Express, but when i move to production server, the application fails, giving me a "500 - interval server error".
I make the checks for the page in global.asax Application_BeginRequest event as normal in this cases, and i have the following in Web.config:
</system.web>
...
<compilation debug="true" strict="false" explicit="true" targetFramework="4.5" >
<buildProviders>
<add extension=".asp" type="System.Web.Compilation.PageBuildProvider"/>
</buildProviders>
</compilation>
...
</system.web>
...
<system.webServer>
<handlers>
<add name="popopopo" path="*.asp" verb="*" type="System.Web.UI.PageHandlerFactory" preCondition="" />
</handlers>
</system.webServer>
I repeat, this is working like a charm in IIS Express in development.
The production server is a shared hosting, so i haven't got access to the IIS itself. I make a test calling Page.Request.ServerVariables("SERVER_SOFTWARE") to see the server version, and both (local and production) returns "Microsoft-IIS/8.0".
I previously tried to use httphandlesrs inside system.web, but this other configuration is the only one worked for me on local IIS.
Any idea of what can be need to be configurated in addition to this for production server?

Set handler for PDF in IIS

I developed an HttpHandler in order to count number of downloads for PDF files.
Now the problem is: How can I make IIS use my handler for PDF files?
For IIS 7 it does depend on which mode you are running IIS in. Microsoft has a great tutorial on this How to: Register HTTP Handlers which goes over all the different configuration scenarios but assuming you are running IIS 7 in integrated mode and your handler is a compiled binary you would need a web.config entry similar to the following:
<configuration>
<system.webServer>
<handlers>
<add name="pdfCountHandler" verb="*"
path="*.pdf"
type="<your handler class name>, <your handler assembly name>"
resourceType="Unspecified" />
</handlers>
</system.webServer>
</configuration>

FormsAuthenticationModule Authenticate event not firing when using ASP.NET MVC

We are using the HttpModule to hook in to the FormsAuthenticationModule and subscribe to the Authenticate event. When we use web forms this event fires in the module. When we are using MVC this event is not firing.
I have tried using the [Authorize] attribute on the Controllers and location in web.config (even though this isn't best practice) to try and get this event to fire but it still does not.
The event does fire when using the Cassini webserver but does not fire on IIS 7.5 or IIS Express. We are running ASP.NET MVC 2 using .NET 3.5
EDIT
The Authentication event fires when we request a .aspx or .ashx file. If we request an extensionless file or a .css or .js it does not fire either.
An new ASP.NET MVC application will fire this event for every file requested.
Any suggestions?
Our web.config was missing the runAllManagedModulesForAllRequests="true" from the modules element in system.webServer. Once this was added all web requests receive the Authorisation event from FormsAuthenticationModule.
<system.webServer>
....
<modules runAllManagedModulesForAllRequests="true">
....
</system.webServer>
Navigating to an aspx page does not test if forms authentication is working in MVC, you have to navigate to a route. I saw your answer and that's what I had in mind. Instead of the inefficient runAllManagedModulesForAllRequests="true" I suggest removing the managedHandler precondition:
<remove name="FormsAuthentication"/>
<add name="FormsAuthentication" preCondition="" type="System.Web.Security.FormsAuthenticationModule"/>
<remove name="DefaultAuthentication"/>
<add name="DefaultAuthentication" preCondition="" type="System.Web.Security.DefaultAuthenticationModule"/>
<remove name="RoleManager"/>
<add name="RoleManager" preCondition="" type="System.Web.Security.RoleManagerModule"/>
<remove name="UrlAuthorization"/>
<add name="UrlAuthorization" preCondition="" type="System.Web.Security.UrlAuthorizationModule"/>
<remove name="UrlRoutingModule-4.0"/>
<add name="UrlRoutingModule-4.0" preCondition="runtimeVersionv4.0" type="System.Web.Routing.UrlRoutingModule"/>
I don't think it's the best way to solve it, but I'm also using a combination of MVC and formpages and set all the authorisation in the web.config
<location path="[path]">
<system.web>
<authorization>
<allow users="[username]" roles="[role]"/>
<deny users="*"/>
</authorization>
</system.web>
</location>

Deploying Castle Monorail on Windows Server 2003

I'm deploying a castle monorail web application to Windows Server 2003.
I've already set the httphandler mapping in web.config as follows :
<httpHandlers>
<add verb="*" path="*.castle" type="Castle.MonoRail.Framework.MonoRailHttpHandlerFactory, Castle.MonoRail.Framework" />
</httpHandlers>
<system.webServer>
<handlers>
<add name="castle page" path="*.castle" verb="*" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" resourceType="Unspecified" preCondition="classicMode,runtimeVersionv2.0,bitness32" />
</handlers>
</system.webServer>
But whenever I tried to access http://localhost/app/Home/Index.castle the web server always returns HTTP 404 Not Found. It looks like the mapping is not handled by ASP.NET engine, like I've been missing a step or two in the configuration. Any solution?
Because you are using IIS 6.0 the <system.webServer> section is ignored and you need to associate the .castle extension with the ASP.NET ISAPI filter in the IIS control panel.
Phil Haack blogged about how to achieve this with ASP.NET MVC and the .mvc extension. For you this would be the .castle extension:

How to do Forms Authentication on purely HTML pages using ASP.NET?

I am using forms authentication in IIS7 to password-protect a dev site, but the authentication seems to get by-passed when the site contains only static HTML files + login.aspx + web.config.
When I renamed the files to .aspx, I am prompted with the login form
I am not doing anything fancy. I have a very simple login script and it should just redirect to index.html afterward.
Any suggestions? To summarize, the entire site is using HTML (for now) and needs to be password protected.
<authentication mode="Forms">
<forms name="appNameAuth" path="/" loginUrl="~/login.aspx" defaultUrl="index.html" protection="All" timeout="525600">
<credentials passwordFormat="Clear">
<user name="[user]" password="[password]" />
</credentials>
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
In IIS7 if you want to protect *.html or *.htm files (or other non .net extensions) under forms authentication then add the following lines to your web.config:
<compilation>
<buildProviders>
<add extension=".html" type="System.Web.Compilation.PageBuildProvider" />
<add extension=".htm" type="System.Web.Compilation.PageBuildProvider" />
</buildProviders>
</compilation>
AND
<system.webServer>
<handlers>
<add name="HTML" path="*.html" verb="GET, HEAD, POST, DEBUG" type="System.Web.UI.PageHandlerFactory" resourceType="Unspecified" requireAccess="Script" />
<add name="HTM" path="*.htm" verb="GET, HEAD, POST, DEBUG" type="System.Web.UI.PageHandlerFactory" resourceType="Unspecified" requireAccess="Script" />
</handlers>
</system.webServer>
To make the HTML files locked down by your forms authetication, you need have them served by ASP.NET. You can do this in IIS by associating the extension(s) you need (eg. .html, .htm, etc) with the aspnet_isapi.dll.
Onces ASP.NET is servicing those files you can specify the permissions for them just like any aspx page.
For more information refer to MSDN:
By default, IIS processes static
content itself - like HTML pages and
CSS and image files - and only hands
off requests to the ASP.NET runtime
when a page with an extension of
.aspx, .asmx, or .ashx is requested.
IIS 7, however, allows for integrated
IIS and ASP.NET pipelines. With a few
configuration settings you can setup
IIS 7 to invoke the
FormsAuthenticationModule for all
requests. Furthermore, with IIS 7 you
can define URL authorization rules for
files of any type. For more
information, see Changes Between IIS6
and IIS7 Security, Your Web Platform
Security, and Understanding IIS7 URL
Authorization.
Long story short, in versions prior to
IIS 7, you can only use forms
authentication to protect resources
handled by the ASP.NET runtime.
Likewise, URL authorization rules are
only applied to resources handled by
the ASP.NET runtime. But with IIS 7 it
is possible to integrate the
FormsAuthenticationModule and
UrlAuthorizationModule into IIS's HTTP
pipeline, thereby extending this
functionality to all requests.
Although this is an old question, I find the link in pomarc's answer really useful. Below is the summary which is suit for IIS7.
In your web.config, add or modify <handlers> under <system.webServer>:
<handlers>
<add name="HTML" path="*.html" verb="GET,HEAD,POST,DEBUG" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="Script" />
</handlers>
Replace verb value with your required one; scriptProcessor value with correct path of your environment.
Then, add or modify <compilation> and <httpHandlers> under <system.web>:
<compilation debug="false" strict="false" explicit="true">
<buildProviders>
<!--Add below so .html file will be handled by ASP.NET (for use of Forms Authentication)-->
<add extension=".html" type="System.Web.Compilation.PageBuildProvider" />
</buildProviders>
</compilation>
<httpHandlers>
<!--Add below so .html file will be handled by ASP.NET (for use of Forms Authentication)-->
<add verb="GET, HEAD, POST, DEBUG" path="*.html" type="System.Web.UI.PageHandlerFactory" />
</httpHandlers>
Replace verb value with your required one.
You may also include more extension separated by comma ','
I've solved the same problem a few days ago, by following the post by fr33m3 # 11-21-2007, 3:19 PM on this thread:
http://forums.asp.net/t/1184547.aspx
follow all the steps from 2. to 5. and you're done!
hope this can help you like it helped me.

Resources