Understanding Permissions for FileUp
on the Web Server (ASP)

---

In the process of uploading a file with FileUp, your web application will be performing some basic file system tasks such as caching, saving and renaming that require you to understand NTFS permissions.

Understanding How FileUp Works

When an upload request is received on the server, FileUp has two responsibilities that may require interaction with the server's file system:

• Caching the request to either the file system or to memory, so that it can parsed for form elements and files.
• Providing a final destination for the files, either to the file system or to a database

In order to parse through an upload request, FileUp must be able to cache the request, either to disk or memory. Caching the upload request to disk requires "Read", "Write" and "Modify" NTFS permissions on the caching directory. Later, when FileUp is instructed to save the file, these same permissions are required on the directory to which the files will be saved.

When and where does the upload get cached?

In ASP

FileUp will cache the upload request as soon as any element of the upload request, such as a file or a form element, is called in the script. At that point, FileUp will check to see if its Path property has been populated. If it has, it will cache the upload request to this directory. Setting the path property before referencing any files or form elements is considered "best practice"; however, if the Path property has not yet been set to a valid path, FileUp will check the web server’s system TEMP variableand attempt to cache the upload request there.

The exception to this case is when the UseMemory property of FileUp is set to "true". The default value of UseMemory is "false", meaning the upload will cache to disk. If UseMemory is set to "true", FileUp will not cache to disk, but will instead cache to memory. Caching to memory requires neither a directory nor NTFS permissions. You will still however, need to understand how to set NTFS permissions on the directory to which the upload is finally saved, if you call “Save�? or “SaveAs�? on an uploaded file.

In the following code sample, you can see that following best practice, on Line 9, the Path property is set immediately after instantiating FileUp. By setting this property immediately after instantiating FileUp, you can be assured that FileUp will cache to the directory specified in the Path property. FileUp is forced to cache the upload when the first form element is accessed, at line 11, and because the path property has been set already, FileUp will cache to “C:\MyCachingDirectory�?.

Line 1:	'--- Declarations
Line 2:	Dim oFileUp
Line 3:	'--- Instantiate the FileUp object
Line 4:	Set oFileUp = Server.CreateObject("SoftArtisans.FileUp")
Line 5:	'--- Set the Path property to the location you wish to
Line 6:	'--- temporarily cache the incoming file before saving
Line 7:	'--- Note: This property should be set immediately after
Line 8:	'--- instantiating the FileUp object
Line 9:	oFileUp.Path = “C:\MyCachingDirectory�?
Line10:	'--- Confirm that the control “myFile1�? is a file input control
Line11:	If IsObject(oFileUp.Form("myFile1")) Then

When and where does the upload get saved?

If the Path property has been set to a valid directory, when the Savemethod is called on any file, the final saving directory will be taken from the Path property. If SaveAs is used in conjunction with a new directory path, that directory will be used instead. Should the Save method be called without having specified a path, FileUp will attempt to save the file(s) to the directory specified in the system TEMP variable.

Under what identity does FileUp run? To whom are the NTFS permissions granted?

NTFS permissions need to be granted to users or groups. You will therefore need to understand what identity FileUp assumes.

The default behavior of any object running in a web page is to assume the identity of the web application. Because you must be certain of the identity of FileUp in order to correctly set NTFS permissions, some less commonly used means of changing the identity of FileUp have been listed as well.

1. FileUp executes under the same identity as your web application.
   This is the most common scenario. FileUp will assume the identity that is set for your web application. The default identity is the local IUSR account.
1. SoftArtisans FileManager can be used to change identity of FileUp within the ASP code in a LogOnUser /RevertToSelf block.
   If caching or saving occurs within this block, FileUp will assume the identity specified in the LogOnUser method.
1. COM+ can be used to specify the identity of the FileUp dll. If FileUp is installed in COM+ as a server package with a specified identity, this identity will be used. This takes priority over any web application settings or the use of FileManager's LogOnUser method.

How to Determine or Set Identity

Check the Identity of Your Web Application in IIS.

1. Locate your web application in IIS.
2. Right-click on the application directory, choose "properties".
3. Select the "Directory Security" tab.
4. In the section "Anonymous access and authentication control", click on the "edit" button. This tab lets you know what your current settings are for your application.
   

   • Anonymous Access
     If this box is checked, it means that all users will have anonymous access to your web application. This means that there is no authentication required and your web application will run as the user specified in the User Name text box.

     This dialog shows the username and password of the account used by your web application when anonymous access is granted. The default account is the IUSR account, "IUSR_[machine_name]" and the password is controlled by IIS. The IUSR account is a local account and a member of the group "guests". This account can be changed, but this has implications outside the scope of this tutorial. If you do decide to change this account, consult the documentation for IIS to determine what other actions need to be taken (for example, granting the right to “Log on locally�? to the new user account).

     Assuming that you do not change this account, the IUSR account is the account to which you must grant the appropriate NTFS permissions when FileUp is assuming the identity of your web application.

   • Basic Authentication/Digest Authentication
     If this box is checked, the user is prompted for a username and password when they access the site. If the username and password match an account recognized by the web server, then the user is granted access and the web application runs as that user's identity. In this situation that particular user, or a group to which this user belongs, must be given the "Read", "Write" and "Modify" permissions on the directory to which FileUp will cache or save.
   • Integrated Windows Authentication
     Checking this box assumes that the client will be on the same windows domain as the web server, which may be the case for an intranet application. The browser will pass the NT login credentials from the client machine to the web server for authentication. The web application will then run as this domain user. Integrated Windows Authentication only allows you to cache or save files to the web server. You will not be able to pass on the NT login credentials to another server, which is the case when you attempt to cache or save files to a network share. (For more information on saving files to a network share, please see Uploading to a Network Share .)

Change the identity of FileUp by using FileManager.

FileManager is distributed with FileUp. By calling FileManager’s LogOnUserand RevertToSelf methods, you can change FileUp’s identity within the ASP or ASP.NET script, without changing the identity of the entire web application in IIS. To be certain of FileUp’s identity, you should check your code for calls to FileManager’s LogOnUser/RevertToSelf methods. For more information on using LogOnUser/RevertToSelf, please see the FileManager Programmer's Reference

Confirm identity by using FileManager.

With any of these web application or page level means of setting identity (in IIS, in script with FileManager), you can confirm your understanding of the identity assumed by your web application by using SoftArtisans FileManager to report the identity with the CurrentUser property. For more information on the CurrentUserproperty and a code snippet, please see the FileManager Programmer's Reference.

Set FileUp's identity at the dll level with a COM+ server package installation.

Change the identity of FileUp by installing FileUp in COM+ as a server package with a specified identity. If FileUp is installed in COM+ as a server package, an identity can be specified. When the FileUp web application runs, it will run as the identity specified in IIS, but FileUp itself will run as the user specified in COM+. Because the identity is changing in the COM+ layer and not in the web application layer, tools such as FileManager’s CurrentUser property will not be able to report this identity switch. When troubleshooting identity problems, you will want to open the COM+ manager to see if FileUp’s identity is being changed by having been installed as a server package that runs as a specific account.

1. Open the control panel
2. Open “Administrative Tools�?
3. Open “Component Services�?
4. In Component Services, navigate to the “computers�? folder.
5. Under the “computers folder�?, navigate to the “COM+�? folder
6. Under the COM+ folder look for a package named “SA-FileUp�?.
7. If the “SA-FileUp�? package exists, FileUp has been installed in COM+. Next, check to see if it is installed as a server or library package.
8. Right-click on the package and choose “properties�?.
9. In the properties dialog, choose the “Activation�? tab. The Activation type will be either “library�? or “server�?.
10. If FileUp is installed as “library�? package, FileUp will assume the identity of the web application when it is run. If FileUp is installed as a server package, it is possible to specify a different identity for FileUp, regardless of web application settings. To check for a specified identity, select the “Identity�? tab.
11. If an identity is specified, you will need to grant NTFS permissions on your caching and saving directories for this identity, even if the web application is set to a different identity.
12. If the package is set to run as the “current logged on user�? then FileUp will continue to run as the identity specified for the web application in IIS.

Setting NTFS Permissions

Once both the identity of FileUp and the caching/saving locations have been determined, NTFS permissions can be set.

1. Open Windows Explorer and navigate to the directories to which you will be instructing FileUp to cache or save.
2. Right-click on the directory, choose “Properties�?.
3. From the Properties dialog, choose the “Security�? tab.
4. On the Security tab, you will see a list of users. Check to see if the identity FileUp will be running as is listed here.
5. If the user is not listed, you will need to add the user, by clicking the “Add�? button.
6. In the dialog to select users or groups, select the user that FileUp will be running as. For example, if you are using anonymous authentication with the default anonymous user account, select the local machine domain to obtain a list of local users, then select the user named “IUSR_[machine_name]�?. Click OK to return to the “Security�? dialog.
7. Select the user that you just added to the security list. With this user selected, now set the following permissions: “Allow�? on “Read�?, “Write�? and “Modify�?.
8. If the permissions cannot be changed, check to see if the “Allow inheritable permissions�? check box is selected. If it is, you will need to uncheck it in order to be able to change the permissions on this directory. You will want to make a note of the inherited permissions, as removing them may affect other applications. You will be prompted to either completely remove the inherited permissions or to copy the existing permissions. If you are uncertain of which action to take, copy the existing permissions and then add your FileUp user permissions in addition to your existing permissions.
9. Click OK to apply and save your changes. Repeat this process for each directory to which FileUp requires access due to caching or saving activity.

Summary for setting appropriate permissions for FileUp in ASP

1. Determine the identity of your web application.
2. Determine the location where FileUp will cache the upload and provide "Read", "Write" and "Modify" NTFS permissions to this directory for your application identity.
3. Determine the location where FileUp will save the upload and provide "Read", "Write and "Modify" NTFS permissions to this directory for you application identity.

Copyright © 2010 SoftArtisans, Inc. All rights reserved.