OData and Authentication – Part 5 – Custom HttpModules

DB Blogs

In the last post we saw how to add custom authentication inside your Data Service using the ProcessingRequest event.

Unfortunately that approach means authentication is not integrated or shared with the rest of your website.

Which means for all but the simplest scenarios a better approach is needed: HttpModules.

HttpModules can do all sort of things, including Authentication, and have the ability to intercept all requests to the website, essentially sitting under your Data Service.

This means you can remove all authentication logic from your Data Service. And create a HttpModule to protect everything on your website – including your Data Service.

Built-in Authentication Modules:

Thankfully IIS ships with a number of Authentication HttpModules:

  • Windows Authentication
  • Form Authentication
  • Basic Authentication

You just need to enable the correct one and IIS will do the rest.

So by the time your request hits your Data Service the user with be authenticated.

Creating a Custom Authentication Module:

If however you need another authentication scheme you need to create and register a custom HttpModule.

So lets take our – incredibly naive – authentication logic from Part 4 and turn it into a HttpModule.

First we need a class that implements IHttpModule, and hooks up to the AuthenticateRequest event something like this:

public class CustomAuthenticationModule: IHttpModule
    public void Init(HttpApplication context)
        context.AuthenticateRequest +=
           new EventHandler(context_AuthenticateRequest);
    void context_AuthenticateRequest(object sender, EventArgs e)
        HttpApplication app = (HttpApplication)sender;
        if (!CustomAuthenticationProvider.Authenticate(app.Context))
            app.Context.Response.Status = “401 Unauthorized”;
            app.Context.Response.StatusCode = 401;
    public void Dispose() { }

We rely on the CustomAuthenticationProvider.Authenticate(..) method that we wrote in Part 4 to provide the actual authentication logic.

Finally we need to tell IIS to load our HttpModule, by adding this to our web.config:

    <add name=”CustomAuthenticationModule”

Now when we try to access our Data Service – and the rest of the website – it should be protected by our HttpModule. 

NOTE: If it this doesn’t work, you might have IIS 6 or 7 running in classic mode which requires slightly different configuration.


In part 2 we looked about using Windows Authentication.
And in parts 3, 4 and 5 we covered all the hooks available to Authentication logic in Data Services, and discovered that pretty much everything you need to do is possible.


Next we’ll focus on real world scenarios like:

Alex James
Program Manager


Comments are closed. Login to edit/delete your existing comments

Feedback usabilla icon