0

I've a huge classic ASP application where in thousands of users manage their company/business data. Currently this is not multi-user so that application users can create users and authorize them to access certain areas in the system.

I'm thinking of writing a handler which will act as middle man between client and server and go through every request and find out who the user is and whether he is authorized to access the data he is trying to.

For the moment ignore about the part how I'm going to check the authorization and all that stuff. Just want to know whether I can implement a ASP.net handler and use it as middle man for the requests coming for a asp website? I just want to read the url and see what is the page user is trying to access and what are the parameters he is passing in the url the posted data. Is this possible? I read that Asp.net handler cannot be used with asp website and I need to use isapi filter or extensions for that and that can be developed only c/c++.

Can anybody through some light on this and guide me whether I'm in the right direction or not?

Note: To be specific, I cannot modify anything in the existing application because there are hundreds of pages (each page again has couple of different actions, such as posted to the same page again) are there in the system and it is really big mess and we are coming up with a different solution to clear that mess but that takes couple of years to complete, meanwhile to provide the multi-user functionality to the users we are trying to do this. This layer acts like layer where we authorize the user to do certain operation or access a page, nothing more than this.

JPReddy
  • 63,233
  • 16
  • 64
  • 93
  • I don't get it, is the new layer really necessary? If you have the current id as a session variable, you can allow/deny access from the classic asp app itself. – bfavaretto Jun 24 '12 at 22:39
  • @bfavaretto Thanks to you for asking this question. I've updated my question. – JPReddy Jun 24 '12 at 22:44
  • So I think what you've been reading is correct, you'd have to use some extension on the IIS level. An asp.net handler wouldn't be able to intercept requests as you seem to need. – bfavaretto Jun 24 '12 at 22:50
  • Yes, you can do this. Check out IHttpModule. You didn't say which version of IIS you were using, but even in IIS 6, you can map .asp requests to the asp.net handler (IIRC), and you'll be able to do it this way. If it's IIS 7 or later, you'd be creating a 'managed module' which works well in the integrated pipeline mode. If worse comes to worse, you can create a native module (ISAPI filter in IIS 6) in C++ to handle this. – Tom Jun 25 '12 at 01:46

1 Answers1

0

I've worked with an ASP classic website that runs Javascript on the server side. In IIS we selected JScript as the server-side scripting language and access the session variables and the database simultaneously to check user's access rights when they try to check out various parts of the site. What you're describing is completely do-able. Each page needs to have Javascript in <% %> tags and that identifies the content as server-side code. Be careful with security though!

As for the ASP.NET handler, I also developed an ASP.NET application that I added imported to our site (had to use a .NET thread pool) which could handle Ajax requests. IIS has this option to import ASP.NET applications to your site.

You've got options.

mj_
  • 6,297
  • 7
  • 40
  • 80