Adding a module mapping
It's important to know the difference between modules and handlers. A module processes every request, no matter what the user is requesting. A handler works with specific files. For example, you can add an authentication module to the server, Web site, or folder that authenticates all incoming requests. The type of request doesn't matter - the module always performs the authentication. A module mapping performs the additional task of mapping specific files to a module. Before you can use this feature, you must first create the module entry. The "Configuring modules" section of this tutorial describes how to work with modules in detail.
Module mappings tend to refine how a module works rather than determine the handling of a particular file. For example, select the OPTIONSVerbHandler entry in the list and click Edit. You see that the module mapping uses the * path to check all requests. The module type is ProtocolSupportModule. If you don't go any further, you never see why this mapping is necessary. Click Request Restrictions and choose the Verbs tab. The reason for the mapping becomes clear at this point. The only verb that this mapping reacts to is the OPTIONS verb. The selection of verb refines how the module works, in this case, rather than determines which file the module handles. The following steps describe how to add a module mapping:
- Select the level you want to change in the Connections pane.
- Double-click Handler Mappings.
You see the Handler Mappings window.
- Click Add Module Mapping in the Actions pane.
You see the Add Module Mapping dialog box.
- Type the new path in the Request Path field.
- Choose the module you want to use from the list in the Module field.
- Provide a human-readable name for the handler in the Name field.
- (Optional) Click Request Restrictions to configure the handler restrictions.
See the "Changing handler restrictions" section of this tutorial for details.
- Click OK.
IIS adds the new handler to the list.
Editing handler settings
Whenever you need to modify the settings for a handler, choose the handler from the list and click Edit. IIS automatically opens the correct editor (managed handler, script map, or module mapping) to edit the handler settings. After you complete the changes, click OK and IIS automatically implements them.
IIS allows you to rename only handlers that you add. The default handler names are permanent. To rename a handler, highlight the handler you want to change and click Rename. IIS turns the handler name into an edit box where you can type a new name. Press Enter when you finish changing the name, to make the name permanent.
In most cases, you remove only handlers that you added to IIS. Removing default handlers can cause problems for the server. When you need to remove a handler, choose the handler from the list and click Remove. IIS asks whether you're sure that you want to remove the handle. Click Yes. The handler becomes unavailable for use immediately.
Changing handler restrictions
No matter which type of managed handler, script map, or module mapping you create, you can restrict how the entry works by adding a restriction to it. A restriction affects the entry in three ways:
- Mapping: Determines the request level of the entry. You can choose files or folders or both. The unselected, or default, setting is Both. When the user requests a file, the entry must have the file mapping level selected in order to react to the request and provide a response. Some entries react only to files, such as the ASPClassic script map.
- Verb: Determines the action the request is making. A verb defines some type of action, such as getting a Web page or deleting a file. Limiting the number of verbs that an entry supports can have security and performance implications. The more verbs an entry supports, the greater the performance hit and the more likely it is that someone will break into the system using a flaw in the entry code.
- Access: Determines the precise level of access given to the selected handler. You can choose between None, Read, Write (which implies Read as well), Script, and Execute. Each level you move up in the list gives the handler additional rights.
IIS supports a number of verbs. These verbs describe the kind of request that the client is making. For example, the client may want to GET the specified resource, which is normally a file. The number of verbs available to you depends on the applications you have installed and the capabilities of the handlers you provide. The most common verbs include:
GET HEAD POST DEBUG TRACE PUT DELETE CONNECT OPTIONS
These nine verbs appear as part of the HTTP 1.1 standard found in RFC 2616 (http://www.faqs.org/rfcs/rfc2616.html). However, this is just the tip of the verb iceberg. For example, if you're working with Web Document Authoring and Versioning (WebDAV), you also have WebDAV verbs, such as PROPFIND and MOVE, available to you. The article "Distributed Authoring and Versioning Extensions for HTTP Enable Team Authoring" at http://www.microsoft.com/msj/0699/dav/dav.aspx provides a better description of the WebDAV verbs.
Warning: Many verbs have known security issues. In fact, these issues have been around since IIS 4.0. Limit the verbs you use to just those that the user requires. For example, rather than provide all the verbs when a user needs to see only a static page, support GET alone. As another example, when a user needs to upload a form to your Web site, allow only the PUT verb, not the other verbs that IIS supports. Support the DELETE verb only when you truly want the user to delete files on your server.
To change the restrictions for an entry, click the Request Restrictions button in any dialog box that supports it. You see the Request Restrictions dialog box. You can select the Mapping, Verbs, and Access tabs as needed to add restrictions to the handler. Click OK twice and IIS makes the required changes to the entry's restrictions.