Reputation: 27585
HttpModule vs DelegatingHandler - advantages/disadvantages?
I'm trying to log entire incoming requests and outgoing responses in an ASP.NET WebAPI project. While I'm agreed with DelegatingHandler, my employer insists on using HttpModule. How would you explain to her, why we should use DelegatingHandler and not HttpModule? Or am I wrong?
Upvotes: 3
Views: 1705
Answers (1)
Reputation: 5312
I would use the DelegatingHandler. The DelegatingHandler is part of the Web API pipeline and can run under any host. HttpModule is not part of Web Api and requires IIS.
Though not directly related to your question, I'm going to quote from the following MSDN article that highlights the two including differences:
HTTP Module This is an option for Web APIs running on IIS. HTTP modules allow security code to execute early as part of the IIS pipeline. The principal established from an HTTP module is available to all components, including the IIS components running later in the pipeline. For example, when the principal is established by an HTTP module in response to the AuthenticateRequest event, the username of the principal gets logged correctly in the cs-username field in IIS logs. The biggest drawback with HTTP modules is the lack of granularity. HTTP modules run for all requests coming into the application. For a Web application with different capabilities such as HTML markup generation, Web APIs and so on, having an HTTP module enforcing authentication in one way is generally not a flexible-enough approach. Another disadvantage with using an HTTP module is the dependency on the host—IIS, in this case.
Message Handler An extensibility option provided by ASP.NET Web API, the greatest benefit in using a message handler for security is it’s a concept of the ASP.NET Web API framework and, hence, doesn’t depend on the underlying host or server. Also, a message handler runs only for Web API requests. The downside of using a message handler is the lack of finer control. A message handler can be configured to run as a global handler for all requests or for a specific route. For a given route, you can have multiple controllers. All these controllers and the action methods they contain must share the same authentication enforced by the message handler configured for that route. In other words, the lowest granularity for authentication implemented by a message handler is at the route level.
Upvotes: 8
Related Questions
- HTTP handler vs HTTP module
- Dependency injection in ASP.NET WebAPI: IHttpControllerActivator vs. IDependencyResolver
- HttpMessageHandler vs DelegatingHandler
- IHttpHandler vs IHttpModule
- When to use HttpHandlers and HttpModules?
- ASP.NET HttpHandler vs IIS handler
- Httphandler and Httpmodule in asp.net
- Which one to use Http Handler or Http Module
- HTTPHandler vs .aspx
- httpmodules httphandlers, whats the ideal use of them? when to use and when not to use?