blackmetal
New Member
I am attempting to implement authentication for a REST service implemented in WCF and hosted on Azure. I am using HttpModule to handle the AuthenticationRequest, PostAuthenticationRequest and EndRequest events. If the Authorization header is missing or if the token contained therein is invalid, during EndRequest I am setting the StatusCode on the Response to 401. However, I have determined that EndRequest is called twice, and on the second call the response has already had headers set, causing the code which sets the StatusCode to throw an exception.I added locks to Init() to ensure that the handler wasn't being registered twice; still ran twice. Init() also ran twice, indicating that two instances of the HttpModule were being created. However, using Set Object ID in the VS debugger seems to indicate that the requests are actually different requests. I've verified in Fiddler that there is only one request being issued to my service from the browser.If I switch to using global.asax routing instead of depending on the WCF service host configuration, the handler is only called once and everything works fine.If I add configuration to the system.web configuration section as well as the system.webServer configuration section in Web.config, the handler is only called once and everything works fine.So I have mitigations, but I really dislike behavior I don't understand. Why does the handler get called twice?Here is a minimal repro of the problem:Web.config:\[code\] <system.web> <compilation debug="true" targetFramework="4.0" /> <!--<httpModules> <add name="AuthModule" type="TestWCFRole.AuthModule, TestWCFRole"/> </httpModules>--> </system.web> <system.serviceModel> <behaviors> <endpointBehaviors> <behavior name="WebBehavior"> <webHttp/> </behavior> </endpointBehaviors> <serviceBehaviors> <behavior> <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment --> <serviceMetadata httpGetEnabled="true" /> <!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information --> <serviceDebug includeExceptionDetailInFaults="true"/> </behavior> </serviceBehaviors> </behaviors> <serviceHostingEnvironment multipleSiteBindingsEnabled="true" aspNetCompatibilityEnabled="true" /> <services> <service name="TestWCFRole.Service1"> <endpoint binding="webHttpBinding" name="RestEndpoint" contract="TestWCFRole.IService1" bindingConfiguration="HttpSecurityBinding" behaviorConfiguration="WebBehavior"/> <host> <baseAddresses> <add baseAddress="http://localhost/" /> </baseAddresses> </host> </service> </services> <standardEndpoints> <webHttpEndpoint> <standardEndpoint name="" helpEnabled="true" automaticFormatSelectionEnabled="true"/> </webHttpEndpoint> </standardEndpoints> <bindings> <webHttpBinding> <binding name="HttpSecurityBinding" > <security mode="None" /> </binding> </webHttpBinding> </bindings> </system.serviceModel> <system.webServer> <modules runAllManagedModulesForAllRequests="true"> <add name="AuthModule" type="TestWCFRole.AuthModule, TestWCFRole"/> </modules> <directoryBrowse enabled="true"/> </system.webServer>\[/code\]Http module:\[code\]using System;using System.Web;namespace TestWCFRole{ public class AuthModule : IHttpModule { /// <summary> /// You will need to configure this module in the web.config file of your /// web and register it with IIS before being able to use it. For more information /// see the following link: http://go.microsoft.com/?linkid=8101007 /// </summary> #region IHttpModule Members public void Dispose() { //clean-up code here. } public void Init(HttpApplication context) { // Below is an example of how you can handle LogRequest event and provide // custom logging implementation for it context.EndRequest += new EventHandler(OnEndRequest); } #endregion public void OnEndRequest(Object source, EventArgs e) { HttpContext.Current.Response.StatusCode = 401; } }}\[/code\]