The SupportsIsInRole and IsInRole methods return FALSE and E_NOTIMPL, respectively, from the default implementation. Therefore, use the handle that is returned from either the GetImpersonationToken or GetPrimaryToken method for role-based authorization.
IHttpUser implementers are responsible for resource management with this data; therefore, IHttpUser clients must not call CloseHandle on the returned handle when this data is no longer needed. Furthermore, clients must not change the state of the memory referenced by this handle, because an access violation will be thrown or the data will become invalid.
The following code example demonstrates how to create an HTTP module that clears the response headers and body and then returns user information to the client as an XML document.