Pro ASP.NET 2.0 in C# 2005 (2005)
CHAPTER 18 ■ WEBSITE DEPLOYMENT
Is there any reason you should explicitly change an ASP.NET file mapping? Probably not. If you have multiple versions of ASP.NET installed at one time, you may want to configure the mappings differently in different directories. That way, each website can use the version of ASP.NET that it was compiled with. However, there’s no reason to make this sort of change by hand. Instead, you can use the aspnet_regiis.exe command-line utility.
In other cases, you might want to add a file mapping. For example, you could specify that the ASP.NET service will handle any requests for GIF images by adding a mapping for the .gif file type that points to the aspnet_isapi.dll file. This would allow you to use ASP.NET security services for GIF file requests. (Note that this sort of change can slow down performance for GIF requests, because these requests will need to trickle through more layers on the server.)
■Caution You should never remove any of the ASP.NET file type mappings! If you remove the .aspx or .asmx file types, web pages and web services won’t work. Instead of being processed by the ASP.NET service, the raw file will be sent directly to the browser. If you remove other file types such as .vb or .config, you’ll compromise security. ASP.NET will no longer process requests for these types of files, which means that malicious users will be able to request them through IIS and inspect the code and configuration information for your web application.
More About Filename Extensions
In many cases it’s useful to map your own file extensions to the ASP.NET runtime so that these file extensions are processed by ASP.NET (or, more exactly, your web application). For this purpose, you have to perform the following steps:
1. Use the IIS management console to map your filename extension to the appropriate version of the ASP.NET ISAPI DLL, as described earlier in this chapter.
2. Create a custom HTTP handler in your solution. An HTTP handler is a class that implements the IHttpHandler interface. The handler implements just one simple method called ProcessRequest. Within this method you add code for processing requests for the previously mapped filename extension. In this way, for example, you can include code that reads a JPG image from a database instead of the file system. You can furthermore include functionality for caching the images or any type of information using the ASP.NET cache.
3. Configure the HTTP handler in the application’s web.config file so that the ASP.NET runtime knows that the file extension has to be processed with the previously created HTTP handler.
In Chapter 22 you will learn about the details for mapping filename extensions to the ASP.NET runtime and creating an HTTP handler when it comes to securing custom filename extensions through the ASP.NET runtime.
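The three steps above, carried through for one extension, as an added example that is not code from the book. The .img extension, the Samples.ImageHandler class, the "Images" connection string and the dbo.Images(Name, Data) table are all hypothetical; step 1 (mapping .img to aspnet_isapi.dll in IIS Manager) is assumed to be done already.

```csharp
// Added example (not from the book); all names here are hypothetical.
// Step 3, the registration in web.config under <system.web>:
//   <httpHandlers><add verb="GET" path="*.img" type="Samples.ImageHandler, Samples" /></httpHandlers>
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.IO;
using System.Web;
using System.Web.Caching;

namespace Samples
{
    public class ImageHandler : IHttpHandler
    {
        public bool IsReusable { get { return true; } }   // no per-request state is kept

        public void ProcessRequest(HttpContext context)
        {
            // Use only the file name from the URL as the lookup key, never a path.
            string name = Path.GetFileNameWithoutExtension(context.Request.Path);
            string key = "img:" + name;
            byte[] data = context.Cache[key] as byte[];
            if (data == null)
            {
                data = LoadImage(name);
                if (data == null) { context.Response.StatusCode = 404; return; }
                // Cache only images that exist, so unknown names cannot fill the cache.
                context.Cache.Insert(key, data, null,
                    DateTime.Now.AddMinutes(10), Cache.NoSlidingExpiration);
            }
            context.Response.ContentType = "image/jpeg";
            context.Response.BinaryWrite(data);
        }

        private static byte[] LoadImage(string name)
        {
            string cs = ConfigurationManager.ConnectionStrings["Images"].ConnectionString;
            using (SqlConnection conn = new SqlConnection(cs))
            using (SqlCommand cmd = new SqlCommand(
                "SELECT Data FROM dbo.Images WHERE Name = @name", conn))
            {
                cmd.Parameters.AddWithValue("@name", name);   // parameterized, not concatenated
                conn.Open();
                return cmd.ExecuteScalar() as byte[];          // null when no row matches
            }
        }
    }
}
```

Because requests for the mapped extension now pass through the ASP.NET pipeline, the application's authentication and authorization settings in web.config apply to them before ProcessRequest runs.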
Documents
This tab allows you to specify the default documents for a virtual directory. For example, consider the virtual directory http://localhost/MySite. A user can request a specific page in this directory using a URL such as http://localhost/MySite/MyPage1.aspx. But what happens if the user simply types http://localhost/MySite into a web browser?
In this case, IIS will examine the list of default documents defined for that virtual directory. It will scan the list from top to bottom and return the first matching page. Using the list in Figure 18-13, IIS will check first for a Default.htm file and then for Default.asp, index.htm, iisstart.asp, and Default.aspx. If none of these pages is found, IIS will return the HTTP 404 (page not found) error.
Managing Application Pools in IIS 6.0
Through application pools you can configure the number of worker processes launched by IIS as well as more configuration details for these processes. For every application pool configured in IIS Manager, the web server starts at least one worker process. In every worker process, multiple applications of any type—from ISAPI DLLs to classic ASP and of course ASP.NET—can be hosted. For the purpose of managing the application pool, IIS 6.0 Manager includes a new configuration node (refer to Figure 18-6).
In this section, you will learn about some of the details of creating and configuring application pools with the new IIS management console of Windows Server 2003.
■Note The IIS management console has always had the capability of managing web servers on remote machines. You just had to add the server in IIS Manager to the root node, and then you were able to configure this remote machine. Of course, if you are using Windows XP running IIS 5.x, the IIS management console doesn’t know about application pools; therefore, you can’t manage them from Windows XP machines. For that purpose, Microsoft offers a tool called IIS 6.0 Manager for Windows XP on the Microsoft downloads page, which can be installed on Windows XP machines for administering IIS 6.0 instances (http://www.microsoft.com/downloads/details.aspx?FamilyID=f9c1fb79-c903-4842-9f6c-9db93643fdb7&DisplayLang=en).
Creating Application Pools
As you have seen already, the IIS 6.0 Manager displays application pools in a separate configuration node. A default installation consists of one application pool called the DefaultAppPool. This application pool runs under the Network Service account, and every web application in the default website is configured to run in this application pool.
You may want to create additional application pools for other applications on a web server for several reasons:
• Stability problems: Maybe you want to run older applications with some stability problems in a separate application pool so that these problems don’t affect other applications.
• Memory leaks: A resource-intensive application or an old application with a memory leak is a good candidate for regular recycling. In this case, you can create a separate pool and configure process recycling. Applications running in other pools are not affected by these settings.
• Security: Security configuration might be another reason for encapsulating applications in separate pools. For example, if you have web applications that require specific permissions (such as accessing only specific SQL Server databases or the Windows certificate store), you can create your own Windows user having the necessary permissions, configure a new application pool with this user, and then run web applications that require only these specific permissions in this pool. All the other applications in other application pools still run under the low-privileged Network Service account.
• Administration: In web hosting scenarios you can isolate administrative applications as well as applications for different customers (or groups of customers) through application pools; this way, web applications from one customer don’t have access to resources such as databases or the file system of other customers’ applications because of the permissions for a configured application pool identity.
As you can see, several useful scenarios exist for creating separate application pools for different applications or groups of applications. Application pools (worker processes) provide you with a mechanism for isolating these applications based on different criteria such as security or reliability.
■Caution Recycling an application pool (worker process) basically means stopping the old process and starting a new instance of a worker process for the application pool. Therefore, any data stored in the process space of the worker process is lost when the pool is recycled. That said, an application needs to be “designed” for recycling, or recycling should take place at a time when traffic on the website is not heavy. Designing applications for recycling involves the same steps as designing an application for a web farm; using external session state, for example, is one of the key needs for preparing an application for recycling because session state is usually stored in the process space of the worker process. Fortunately, ASP.NET comes with a mechanism for externalizing session state and storing session data either in an external state server process or in SQL Server. In that case, session state is not lost if a process is recycled (or, in the case of the web farm, if the request is processed by another server in the farm).
You can create application pools just by double-clicking the Application Pools node (or an existing application pool) and selecting New Application Pool from the context menu, as demonstrated in Figure 18-15.
Figure 18-15. First step for creating an application pool
You can create an application pool either with the Add New Application Pool dialog box or through a previously exported XML configuration file (created by selecting All Tasks > Save Configuration to a File from the context menu shown in Figure 18-15). If you select the first option (just a new application pool), you have two possibilities, as shown in Figure 18-16.
You can create the application pool with a set of default settings defined by IIS, or you can create the pool based on the settings already present in another application pool. As soon as you have created the application pool, you will see it in the list of application pools, and you can configure it by right-clicking it and selecting Properties from the context menu, as shown in Figure 18-17.
Figure 18-16. Creating a new application pool
Figure 18-17. The properties of an application pool
Basically, you can create as many application pools as you want; theoretically, IIS doesn’t impose any limit. Of course, every process needs a basic set of resources; therefore, the number of processes is limited by the resources of the web server machine.
Application Pools and Web Applications
Once you have created an application pool, you can run web applications within this pool. As mentioned previously, isolating web applications takes place through application pools now; therefore, when configuring virtual directories and websites, the application pool setting replaces the old Isolation Mode setting introduced with IIS 5.x, as you can see in Figure 18-18.
Figure 18-18. Configuring the application pool
To configure the application pool for an application, just right-click the virtual directory in question and then change the setting to the pool you want the application to run in.
You don’t need to restart anything—neither the web server nor the application pool itself. The application runs in the new pool from the moment you click the OK or Apply button.
Custom Application Pool Identities
As previously mentioned, one of the useful isolation strategies you can implement with application pools is security. For every application with special security permissions, you can create a separate Windows user having those permissions and configure an application pool with this Windows user as an identity. Then only applications that require these permissions will be put into this application pool.
■Tip By the way, application pools are a perfect way to use Windows authentication when connecting to SQL Server. This is more secure than SQL authentication, as you don’t have to store user names and passwords in your web.config file. Also, it uses Kerberos if a KDC (in terms of Windows, an Active Directory with a primary domain controller) is in place. You just create a new Windows user, configure the application pool with the user, add the user to the SQL Server database the application needs to access, and then configure the application to run in this application pool. Applications running in other pools then don’t have access to the database (unless you configure them with the same identity or add the identity of another pool to the SQL Server database’s users).
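The difference between the two connection styles, with a check that the login SQL Server sees is the pool identity you intended, as an added example that is not code from the book. The server name DBSERVER, the database name Orders and the PoolIdentityCheck class are hypothetical.

```csharp
// Added example (not from the book); server, database and class names are hypothetical.
using System;
using System.Data.SqlClient;
using System.Security.Principal;

public static class PoolIdentityCheck
{
    // SQL authentication: the password is a secret that has to sit in web.config.
    public const string SqlAuth =
        "Data Source=DBSERVER;Initial Catalog=Orders;User ID=<user>;Password=<password>";

    // Windows authentication: no secret in the file; SQL Server authenticates
    // the Windows account the worker process runs under.
    public const string WindowsAuth =
        "Data Source=DBSERVER;Initial Catalog=Orders;Integrated Security=SSPI";

    // Returns true when SQL Server resolved the connection to expectedLogin
    // (for example DOMAIN\OrdersPoolUser). The out parameters report what the
    // worker process and SQL Server each see, for logging when they differ.
    public static bool ConnectsAs(string expectedLogin,
                                  out string processAccount, out string sqlLogin)
    {
        processAccount = WindowsIdentity.GetCurrent().Name;
        using (SqlConnection conn = new SqlConnection(WindowsAuth))
        using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
        {
            conn.Open();                       // fails here if the login was never added
            sqlLogin = (string)cmd.ExecuteScalar();
        }
        return string.Equals(sqlLogin, expectedLogin,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

Call ConnectsAs from a page in the application after changing the pool identity and restarting the pool. When the pool runs as Network Service and the database is on another machine, SQL Server reports the web server's machine account rather than the name the process sees.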
You can configure the identity for every application pool by just right-clicking the pool in the IIS management console, selecting Properties, and then going to the Identity tab of the property page, as demonstrated in Figure 18-19.
Figure 18-19. Configuring the application pool identity
In this dialog box, you basically have two options: the first one is selecting from a couple of predefined accounts, and the second one is selecting your own user account by specifying the Windows user name and password for this account.
■Note IIS uses the same mechanism for storing these credentials as the Windows Service Control Manager does. It encrypts the credentials using the data protection API (DPAPI) of the system with a private key from the operating system and stores the encrypted version in the metabase. Of course, this system’s private key is accessible only when you have access to the local machine and the appropriate permissions on the machine.
When you open the properties for this group, you will see that Network Service itself is a member of this group and therefore gets all the necessary permissions to be used as the identity for application pools. The group grants the user special permissions such as the permission for running as a service process in background. It also grants access to the necessary directories such as the temporary ASP.NET files stored in c:\WINDOWS\Microsoft.NET\Framework\[Version]\Temporary ASP.NET Files, where ASP.NET stores the dynamically compiled version of the different pages.
■Caution When configuring the identity for an application pool, you need to restart the pool. That’s because every process runs under a valid identity; therefore, the identity must be known at the point of time when the process is started. Changing application pool configuration doesn’t restart the application pool; therefore, it still runs under the old identity until it gets restarted. So, you have to restart the process so it starts under the newly configured account.
If your application needs access to any directory other than those granted through IIS_WPG, you must explicitly grant access to the identity configured for the application pool. You even have to grant access to the file system directories where the files of your web application itself are located. Otherwise, the application pool will not be able to access these files, and therefore the application won’t work. But basically that’s it: adding the user to IIS_WPG, granting access to resources necessary for your application (your file system directories or anything else your application tries to access), and configuring the application pool with the identity are the only steps necessary.
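One way to script the file system part of these steps and to check that the pool identity has not been given more than read access, as an added example that is not code from the book. The PoolDirectoryAccess class is hypothetical; the directory and account are supplied by the caller, and the check looks only at rules that name the account directly, not rights it inherits through group membership.

```csharp
// Added example (not from the book); class name is hypothetical.
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

public static class PoolDirectoryAccess
{
    // Grants the pool identity read-and-execute rights on the application
    // directory, inherited by its subdirectories and files, and nothing more.
    public static void GrantRead(string directory, string account)
    {
        DirectorySecurity acl = Directory.GetAccessControl(directory);
        acl.AddAccessRule(new FileSystemAccessRule(
            new NTAccount(account),
            FileSystemRights.ReadAndExecute,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AccessControlType.Allow));
        Directory.SetAccessControl(directory, acl);
    }

    // True if an allow rule naming the account directly lets it change content
    // or permissions in the directory. Group-derived rights are not examined.
    public static bool CanModify(string directory, string account)
    {
        const FileSystemRights risky = FileSystemRights.Write | FileSystemRights.Delete |
            FileSystemRights.ChangePermissions | FileSystemRights.TakeOwnership;
        IdentityReference sid =
            new NTAccount(account).Translate(typeof(SecurityIdentifier));
        DirectorySecurity acl = Directory.GetAccessControl(directory);
        foreach (FileSystemAccessRule rule in
                 acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (rule.AccessControlType == AccessControlType.Allow &&
                rule.IdentityReference.Equals(sid) &&
                (rule.FileSystemRights & risky) != 0)
                return true;
        }
        return false;
    }
}
```

Run it from an administrative account, and restart the pool afterward as the caution above describes if the identity itself was changed.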
■Tip If your application calls complex web services or uses the XmlSerializer class, it might need access to the c:\WINDOWS\TEMP directory as well because the serializer stores dynamically created assemblies for serialization and deserialization in this directory. Therefore, if your web application crashes with an “access denied” exception when calling web services or serializing/deserializing XML documents, just verify whether the application pool’s identity has access to this directory.
Deploying Your ASP.NET Applications
Deploying ASP.NET web applications is usually nothing more than copying the directory structure of your application to the target machine and configuring the environment. For simple applications, that’s almost always true. But if your application uses databases or accesses other resources, you have to perform some additional steps. Here are some common factors that will require additional configuration steps:
• Copy all required application files to the target machine: You don’t need to do anything else. But if you are using global assemblies accessed through the GAC, you have to verify whether these assemblies are in place. If not, you have to install them using the gacutil.exe command-line utility of the .NET Framework.
• Create and configure the database for the application: It’s important not only to create the database and its tables but also to configure the database server logins and database users. Don’t forget that if you are using integrated authentication for connecting to a SQL Server database, you must configure the account under which ASP.NET is executed (the application pool account or aspnet_wp.exe account) as a user for the application’s database.
• Configure IIS as required for the application: That is, create the necessary application pools, share the application directory as a virtual directory, and configure the virtual directory appropriately.
