How is this code in FormsAuthenticationModule supposed to work?

Question

I'm reading .NET4 sources (they can be downloaded for research freely) and I found something strange in the implementation of System.Web.Security.FormsAuthenticationModule.

The class is declared like this:

public sealed class FormsAuthenticationModule : IHttpModule

where IHttpModule has two methods - Init() and Dispose().

Inside OnEnter() there're these lines:

// Step 2: Call OnAuthenticate virtual method to create 
//    an IPrincipal for this request
OnAuthenticate( new FormsAuthenticationEventArgs(context) );

where OnAuthenticate() is declared like this:

// OnAuthenticate: Forms Authentication modules can override 
//             this method to create a Forms IPrincipal object from
//             a WindowsIdentity 
private void OnAuthenticate(FormsAuthenticationEventArgs e) {

Now the class is sealed, so it's impossible to inherit from. Also OnAuthenticate() is not virtual so I don't see how it could have been overridden anyway.

So it looks like these comments are just outdated and overriding OnAuthenticate() is no longer possible.

Did I get anything wrong? Could this code possibly allow overriding OnAuthenticate()?

Answer 1

It doesn't work. It's simply incorrect documentation. Not a first for MS. For example, I notified MS about this back in version 1.1 of the .NET Framework and here we are at 4.5 and there documentation is still totally misleading: http://msdn.microsoft.com/en-us/library/7he0a7s1.aspx

Notice the "Notes to Inheritors" section. How is someone supposed to derive a class from BindingManagerBase when it contains several internal abstract properties and methods? And yet there are several places in the documentation for BindingManagerBase and CurrencyManager that have "Notes to Inheritors"...