OData and Authentication – Part 5 – Custom HttpModules

In the last post we saw how to add custom authentication inside your Data Service using the ProcessingRequest event.

Unfortunately that approach means authentication is not integrated or shared with the rest of your website.

Which means for all but the simplest scenarios a better approach is needed: HttpModules.

HttpModules can do all sort of things, including Authentication, and have the ability to intercept all requests to the website, essentially sitting under your Data Service.

This means you can remove all authentication logic from your Data Service. And create a HttpModule to protect everything on your website - including your Data Service.

Built-in Authentication Modules:

Thankfully IIS ships with a number of Authentication HttpModules:

  • Windows Authentication
  • Form Authentication
  • Basic Authentication

You just need to enable the correct one and IIS will do the rest.

So by the time your request hits your Data Service the user with be authenticated.

Creating a Custom Authentication Module:

If however you need another authentication scheme you need to create and register a custom HttpModule.

So lets take our – incredibly naive – authentication logic from Part 4 and turn it into a HttpModule.

First we need a class that implements IHttpModule, and hooks up to the AuthenticateRequest event something like this:

public class CustomAuthenticationModule: IHttpModule
    public void Init(HttpApplication context)
        context.AuthenticateRequest +=
           new EventHandler(context_AuthenticateRequest);
    void context_AuthenticateRequest(object sender, EventArgs e)
        HttpApplication app = (HttpApplication)sender;
        if (!CustomAuthenticationProvider.Authenticate(app.Context))
            app.Context.Response.Status = "401 Unauthorized";
            app.Context.Response.StatusCode = 401;
    public void Dispose() { }

We rely on the CustomAuthenticationProvider.Authenticate(..) method that we wrote in Part 4 to provide the actual authentication logic.

Finally we need to tell IIS to load our HttpModule, by adding this to our web.config:

    <add name="CustomAuthenticationModule"

Now when we try to access our Data Service - and the rest of the website – it should be protected by our HttpModule. 

NOTE: If it this doesn’t work, you might have IIS 6 or 7 running in classic mode which requires slightly different configuration.


In part 2 we looked about using Windows Authentication.
And in parts 3, 4 and 5 we covered all the hooks available to Authentication logic in Data Services, and discovered that pretty much everything you need to do is possible.


Next we’ll focus on real world scenarios like:

Alex James
Program Manager

Comments (4)

  1. Hi,

    Great to see that OAuth and OpenId are coming. Will those cover Facebook Connect? I'm very interested in authenticating against OData using that auth mechanism.



  2. Alex James says:


    Not sure about Facebook Connect yet. I (@adjames) will be talking to @LostInTangent to see what he thinks.


  3. TigerMunky says:

    I'm with Jamiet, woohoo, can't wait for the next one, keep up the good work Alex! 😀

  4. Abhay Saxena says:


    I am using Authentication HttpModule to check the authentication login for the WCF service. I have created one sample application on the defalut page I am creating httpCookies and adding the same with response object. In the authenticaion module I am checking that cookies is available or not before calling the WCF service but my cookies becomes null. Please help me for this. I tried all the solution for this.

    Thanks Abhay

Skip to main content