SMA290120: Remove HttpModules

There is no direct replacment for HttpModules in the App Model. Depending on the purpose of the HttpModules an alternative approach must be implemented.

CheckId	SMA290120
TypeName	HttpModuleRecommendations
Severity	Error
Type	Assembly

Resolution

Full Trust Approach	App Approach
HttpModule A HttpModule is a Full Trust interface which intercepts requests to the server and allows for processing before anything else. Typical usages are custom authentication, and redirects.	SharePoint Claims Authentication Claims Authentication, allows you to use a custom authentication provider in order to provide custom security. While HttpModules have been used for this in the past, only Claims Authentication should be used. Redirects, and other uses of HttpModules Some usages in the past of a HttpModule are no longer valid. However some usages like redirections, do have work arounds still available with the newer model, using client side scripting. With the usages too varied, each particular case needs to be identified and remapped into the newer Client Side Object Model.
Impact of Full Trust Approach	Benefit of App Approach
Not available going forwards HttpModules are not available except in Full Trust applications.	Case by Case There being so many usages of a HttpModule (the most common being authentication and redirects), we can provide better alternatives with other Out of the Box functionality. While Claims Authentication was not available early on, it is now fully integrated into SharePoint meaning the process of configuring it is straight forward. In these cases Client Side Scripting is a better option for handling Redirects, keeping usability in mind.

Full Trust Approach

App Approach

HttpModule

A HttpModule is a Full Trust interface which intercepts requests to the server and allows for processing before anything else. Typical usages are custom authentication, and redirects.

SharePoint Claims Authentication

Claims Authentication, allows you to use a custom authentication provider in order to provide custom security. While HttpModules have been used for this in the past, only Claims Authentication should be used.

Redirects, and other uses of HttpModules

Some usages in the past of a HttpModule are no longer valid. However some usages like redirections, do have work arounds still available with the newer model, using client side scripting. With the usages too varied, each particular case needs to be identified and remapped into the newer Client Side Object Model.

Impact of Full Trust Approach

Benefit of App Approach

Not available going forwards

HttpModules are not available except in Full Trust applications.

Case by Case

There being so many usages of a HttpModule (the most common being authentication and redirects), we can provide better alternatives with other Out of the Box functionality. While Claims Authentication was not available early on, it is now fully integrated into SharePoint meaning the process of configuring it is straight forward. In these cases Client Side Scripting is a better option for handling Redirects, keeping usability in mind.

Efforts and Benefits

Migration Impact	Critical
Re-Design Effort	High
Re-Development Effort	Low ~ High
Long Term Benefit	High

Effort Drivers

Not migratable
Most use cases have Out of the Box alternatives

Message Suppression

To suppress this violation in managed code add the following attribute to the method which contains the instruction (available since SPCAF version v5.2). Learn more about SuppressMessage here.

// Important: Ensure to have #define CODE_ANALYSIS at the beginning of your .cs file
[SuppressMessage("SPCAF.Rules.MigrationAssessment.AdvancedCustomizationsGroup", "SMA290120:HttpModuleRecommendations", Justification = "Provide reason for suppression here")]

SharePoint Code Analysis Framework, v6.9.1.2001

Disclaimer: The views and opinions expressed in this documentation and in SPCAF do not necessarily reflect the opinions and recommendations of Microsoft or any member of Microsoft. SPCAF and RENCORE are registered trademarks of Rencore. All other trademarks, service marks, collective marks, copyrights, registered names, and marks used or cited by this documentation are the property of their respective owners.