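In this code, the IsUserAllowedToFile method is called to determine whether the current user is allowed to access the requested file. If access is not allowed, the response status is set to 401 (authentication failed), the error is logged, and the request ends. Note that IsUserAllowedToFile only validates Windows users; for any other kind of user, the File check is not required.

9. AnonymousIdentificationModule. Pipeline step: AuthorizeRequest. The module's Init registers the OnEnter method on the AuthorizeRequest pipeline step. The OnEnter code is as follows: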

    private void OnEnter(object source, EventArgs eventArgs)
    {
        if (!s_Initialized)
            // Read the anonymousIdentification section from the configuration file
            Initialize();
        if (s_Enabled)
        {
            HttpCookie cookie = null;
            bool flag = false;                    // true when a new cookie value must be issued
            AnonymousIdData decodedValue = null;
            string cookieValue = null;
            bool flag2 = false;                   // true means cookies are not used (cookieless)
            HttpContext context = ((HttpApplication)source).Context;
            bool isAuthenticated = context.Request.IsAuthenticated;
            if (isAuthenticated)
                flag2 = CookielessHelperClass.UseCookieless(context, false, s_CookieMode);
            else
                flag2 = CookielessHelperClass.UseCookieless(context, true, s_CookieMode);
            if ((s_RequireSSL && !context.Request.IsSecureConnection) && !flag2)
            {
                if (context.Request.Cookies[s_CookieName] != null)
                {
                    // Re-set the cookie with an expiry date in the past; 0x7cf is the year 1999.
                    cookie = new HttpCookie(s_CookieName, string.Empty)
                    {
                        HttpOnly = true,
                        Path = s_CookiePath,
                        Secure = s_RequireSSL
                    };
                    cookie.Expires = new DateTime(0x7cf, 10, 12);
                    context.Response.Cookies.Add(cookie);
                }
            }
            else
            {
                if (!flag2)
                {
                    cookie = context.Request.Cookies[s_CookieName];
                    if (cookie != null)
                    {
                        cookieValue = cookie.Value;
                        cookie.Path = s_CookiePath;
                        cookie.Domain = s_Domain;
                    }
                }
                else
                {
                    cookieValue = context.CookielessHelper.GetCookieValue('A');
                }
                decodedValue = GetDecodedValue(cookieValue);
                if ((decodedValue != null) && (decodedValue.AnonymousId != null))
                {
                    context.Request.AnonymousID = decodedValue.AnonymousId;
                }
                if (!isAuthenticated)
                {
                    if (context.Request.AnonymousID == null)
                    {
                        // No anonymous ID yet: let the Creating event handler supply one.
                        if (this._CreateNewIdEventHandler != null)
                        {
                            AnonymousIdentificationEventArgs e = new AnonymousIdentificationEventArgs(context);
                            this._CreateNewIdEventHandler(this, e);
                            context.Request.AnonymousID = e.AnonymousID;
                        }
                        flag = true;
                    }
                    DateTime utcNow = DateTime.UtcNow;
                    if (!flag && s_SlidingExpiration)
                    {
                        if ((decodedValue == null) || (decodedValue.ExpireDate < utcNow))
                        {
                            flag = true;
                        }
                        else
                        {
                            // Renew once less than half of the timeout remains.
                            TimeSpan span = (TimeSpan)(decodedValue.ExpireDate - utcNow);
                            if (span.TotalSeconds < ((s_CookieTimeout * 60) / 2))
                            {
                                flag = true;
                            }
                        }
                    }
                    if (flag)
                    {
                        DateTime dt = utcNow.AddMinutes((double)s_CookieTimeout);
                        cookieValue = GetEncodedValue(new AnonymousIdData(context.Request.AnonymousID, dt));
                        if (!flag2)
                        {
                            cookie = new HttpCookie(s_CookieName, cookieValue)
                            {
                                HttpOnly = true,
                                Expires = dt,
                                Path = s_CookiePath,
                                Secure = s_RequireSSL
                            };
                            if (s_Domain != null)
                            {
                                cookie.Domain = s_Domain;
                            }
                            context.Response.Cookies.Add(cookie);
                        }
                        else
                        {
                            context.CookielessHelper.SetCookieValue('A', cookieValue);
                            context.Response.Redirect(context.Request.RawUrl);
                        }
                    }
                }
            }
        }
    }

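OnEnter first calls the Initialize method to read the anonymousIdentification section from the configuration file. For example, Web.config might contain:

    <anonymousIdentification enabled="..." cookieName="..." cookiePath="..."
        cookieTimeout="..." cookieRequireSSL="..." cookieSlidingExpiration="..." />
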
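The Initialize method reads these settings into the AnonymousIdentificationModule. If the anonymous identity requires SSL and the current connection is not secure, the cookie is simply marked as expired and returned in the Response. Otherwise (SSL is not required, or the connection is already secure), the anonymous cookie's AnonymousID and expiry time are updated according to the configuration and the expiry period, and the updated cookie is finally added to Response.Cookies.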
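
The SSL and sliding-expiration rules described above, modelled as a stand-alone console program. This is an added example, not the framework's code: `CookieAction`, `Decide`, the default parameter values and the sample times are all hypothetical.

```csharp
using System;

// Added illustration, not framework code. CookieAction, Decide and all sample
// values are hypothetical; the branches mirror the OnEnter logic described above.
enum CookieAction { None, ExpireCookie, IssueId }

static class AnonymousCookieModel
{
    // decodedExpiry: expiry decoded from the incoming value, null if none could be decoded.
    public static CookieAction Decide(DateTime utcNow, DateTime? decodedExpiry,
        bool hasCookie = true, bool requireSsl = true, bool secure = true,
        bool cookieless = false, bool authenticated = false,
        bool sliding = true, int timeoutMinutes = 100)
    {
        // SSL-only cookie on a plain-HTTP request: never read it, only expire it.
        if (requireSsl && !secure && !cookieless)
            return hasCookie ? CookieAction.ExpireCookie : CookieAction.None;

        // Authenticated requests keep any decoded ID but are never issued a new one.
        if (authenticated)
            return CookieAction.None;

        // No decodable ID: a new one is created and must be sent to the client.
        bool issue = decodedExpiry == null;

        // Sliding expiration: renew once less than half the timeout remains
        // (a negative remainder, i.e. an already expired value, also renews).
        if (!issue && sliding)
        {
            double remaining = (decodedExpiry.Value - utcNow).TotalSeconds;
            issue = remaining < (timeoutMinutes * 60) / 2;
        }
        return issue ? CookieAction.IssueId : CookieAction.None;
    }

    static void Main()
    {
        // Constructed sample clock; the timeout is this model's default of 100 minutes.
        DateTime now = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc);
        Console.WriteLine(Decide(now, now.AddMinutes(60)));                 // 60 minutes left
        Console.WriteLine(Decide(now, now.AddMinutes(40)));                 // 40 minutes left
        Console.WriteLine(Decide(now, now.AddMinutes(-5)));                 // already expired
        Console.WriteLine(Decide(now, null, hasCookie: false));             // first visit
        Console.WriteLine(Decide(now, now.AddMinutes(60), secure: false));  // HTTP, SSL required
        Console.WriteLine(Decide(now, now.AddMinutes(40), authenticated: true));
    }
}
```

With a 100-minute timeout the cookie is left alone while more than 50 minutes remain and is reissued after that; the plain-HTTP request with SSL required only gets the expired cookie back.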
10. UrlMappingsModule. Pipeline step: BeginRequest. The module's Init does two things. The first is to read the urlMappings section from the configuration file; here is a sample Web.config entry:

    <urlMappings enabled="...">
        <add url="..." mappedUrl="..." />
    </urlMappings>