CHAPTER 21
Permission Checker Component

One of the benefits of using Microsoft’s Internet Information Server is its close
connection to Windows NT and its security model. The Permission Checker
component allows you to utilize this connection to determine whether a user on
your web site has permission to view a given file stored on an NTFS volume. This
allows you to customize your site’s pages according to the permissions granted a
given user. For example, you could use the Permission Checker component to
check whether a user has access to a certain downloadable file before creating a
link to the file. This way, if the user does not have access to the file, she does not
even see the link to it. Conceivably, you could use this strategy to prevent unauthorized
users from ever seeing any indication that files to which they do not have
access exist.
There are two requirements for using the Permission Checker component. The first
is that your site must be running on Windows NT (Personal Web Server for
Windows 95/98 will not work). Second, your web site must not rely exclusively on
anonymous connections and the (low-level) security such an access method
provides. You must have either Basic Clear Text or Windows NT Challenge
Response authentication selected as a security option for your web site. These
authentication methods provide the Permission Checker object with a security
context in which to test for various permissions. If you do not have Basic or NT
Challenge Response, the Permission Checker is unable to distinguish between one
anonymous user and another.
Note that this chapter documents the Permission Checker component
2.0 (Beta 3) that can be downloaded from Microsoft’s web site.
ASP in a Nutshell: A Desktop Quick Reference, eMatter Edition
Copyright © 2000 O’Reilly & Associates, Inc. All rights reserved.
Accessory Files/Required DLL Files
permchk.dll
The dynamic link library for the Permission Checker component. This DLL
comes with the IIS installation media but is not installed by default. You must
register this DLL by hand before you can use it.
Instantiating the Permission Checker
To create an object variable containing an instance of a Permission Checker object,
use the Server object’s CreateObject method. The syntax for the CreateObject
method is as follows:
Set objMyObject = Server.CreateObject(strProgId)
where:
• objMyObject represents the name of the Permission Checker object.
• The strProgId parameter represents the programmatic ID (ProgID) for the
Permission Checker component, which is IISSample.PermissionChecker.
Example
<%
' The following code uses the CreateObject method of the
' Server object to instantiate a Permission Checker
' object on the server.
Dim objPermChkr
Set objPermChkr = _
Server.CreateObject("IISSample.PermissionChecker")
%>
For more details on the use of the CreateObject method see its documentation in
Chapter 8, Server Object.
Permission Checker Summary
Properties
None
Collections
None
Methods
HasAccess
Events
None
Comments/Troubleshooting
Suppose that your web site consists of several pages that must be accessible to all
users—even anonymous users. It also contains several pages that require the
user to use a specific account or be a member of a specific group. To allow for both
types of users on your site, select the Anonymous option and either the Basic
Clear Text or the Windows NT Challenge Response option in the Internet Information
Server Management Console. Then set the file permissions on the restricted files so
that anonymous users are forbidden access. Alternatively, you could check the
LOGON_USER element of the Request object’s ServerVariables collection and, if it’s
blank, set the Status property of the Response object to “401 Unauthorized.” This
will force the user to log on to the site using a valid username and password.
Note that Basic Clear Text authentication is by no means secure. However,
Windows NT Challenge Response, though more secure, is supported only by
Microsoft’s Internet Explorer. Also, it may not work when your users are
connecting to your site (and providing security information) through a proxy
server. In my experience, the typical result in this latter case is that you receive
two empty strings for the username and password.
Even if you exclusively use anonymous access to your site, the Permission
Checker component still has a useful purpose. In attempting to determine the
security on a given file, the Permission Checker object must determine if the file
exists. Although there are other ways to determine this information, this may be
the easiest.
Methods Reference
HasAccess
objPermChkr.HasAccess(strPath)
Determines whether the current user has access to the file specified in the
strPath argument. The return value is a Boolean.
Parameters
strPath
A string value that represents the relative path to the file whose accessibility
you are determining. This path can be a virtual or a physical path.
Example
<%
' Declare local variables.
Dim objPermChkr
Dim blnPermission
' Instantiate a Permission Checker object.
Set objPermChkr = Server.CreateObject( _
"IISSample.PermissionChecker")
' Determine whether the current user has access to the
' security page using a virtual path.
blnPermission = objPermChkr.HasAccess("/Apps/SecPage.asp")
' Determine whether the current user has access to the
' security page using a physical path.
blnPermission = objPermChkr.HasAccess( _
"c:\inetpub\wwwroot\Apps\SecPage.asp")
' ...[additional code]
' You can then use the results of these tests to determine
' whether or not to create a hyperlink to the restricted
' page
If blnPermission Then
%>
Congratulations, you have access to the security page.
<A HREF = "/Apps/SecPage.asp">Security Page</A>
<%
End If
%>
Notes
If the file does not exist, the call to HasAccess returns a value of False.
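The link-hiding approach shown for HasAccess, combined with the LOGON_USER check described under Comments/Troubleshooting, as an added example that is not from the book. The download paths and link labels are constructed placeholders.

```asp
<%@ Language=VBScript %>
<%
Option Explicit
' Added example. The paths and labels in arrFiles are constructed
' placeholders, not files named in the chapter.
Dim objPermChkr, arrFiles, arrParts, strUser, i

' An empty LOGON_USER means the request arrived anonymously, so
' there is no per-user security context to test. Answer with a
' 401 so the browser authenticates before any link is evaluated.
strUser = Request.ServerVariables("LOGON_USER")
If strUser = "" Then
    Response.Status = "401 Unauthorized"
    Response.End
End If

Set objPermChkr = Server.CreateObject("IISSample.PermissionChecker")

' Each entry is "virtual path|link text".
arrFiles = Array( _
    "/Downloads/PriceList.xls|Price list", _
    "/Downloads/Internal/Roadmap.doc|Roadmap", _
    "/Apps/SecPage.asp|Security Page")
%>
<P>Files available to <%= Server.HTMLEncode(strUser) %>:</P>
<UL>
<%
For i = 0 To UBound(arrFiles)
    arrParts = Split(arrFiles(i), "|")
    ' HasAccess returns False both when the NTFS permissions deny
    ' the current user and when the file does not exist, so a
    ' missing file is skipped the same way as a forbidden one.
    If objPermChkr.HasAccess(arrParts(0)) Then
%>
<LI><A HREF="<%= Server.HTMLEncode(arrParts(0)) %>"><%= Server.HTMLEncode(arrParts(1)) %></A></LI>
<%
    End If
Next
Set objPermChkr = Nothing
%>
</UL>
```

Hiding a link only changes what the page displays; the NTFS permissions on the files themselves are still what stops a user who requests the URL directly.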

PART IV
Appendixes
The appendixes treat such diverse topics as migrating from CGI to
WinCGI to ASP, configuring IIS for ASP applications, and running ASP
applications on web servers other than Microsoft’s Internet Information
Server. The appendixes consist of the following:
Appendix A, Converting CGI/WinCGI Applications into ASP
Applications
Appendix B, ASP on Alternative Platforms
Appendix C, Configuration of ASP Applications on IIS

Table 19-1: Property Name and Description (continued)

Property Name        Description
                     me page is a drop box that allows the user of your PWS
                     web site to send you a personal message. The Messages
                     property of the MyInfo component is a string that
                     reflects whether or not this Messages form should appear
                     on your home page. The value is “” by default (before you
                     build your web page using the wizard), –1 if you have
                     chosen to have the Messages form, and 0 if you have
                     chosen not to have the Messages form.
OrganizationAddress  A string representing the address of the web site’s
                     organization.
OrganizationName     A string representing the name of the web site’s
                     organization.
OrganizationPhone    A string representing the phone number of the web site’s
                     organization.
OrganizationWords    Any additional text associated with the web site’s
                     organization.
PageType             This property is also a reflection of information you
                     choose through the use of the Personal Web Server Home
                     Page Wizard. However, it is from the older version (3.0)
                     of PWS and is not the Home Page wizard for PWS 4.0. This
                     property’s value is a number that represents whether the
                     current site is (1) About My Company, (2) About My Life,
                     (3) About My School, (4) About My Organization, or
                     (5) About My Community.
PersonalAddress*     A string representing the address of the web site’s
                     owner.
PersonalMail*        The email address of the web site’s owner.
PersonalName*        A string representing the name of the web site owner.
PersonalPhone*       A string representing the phone number of the web site’s
                     owner.
PersonalWords*       The additional text associated with the web site’s owner.
SchoolAddress        The address of the web site’s school.
SchoolDepartment     The department of the web site’s school.
SchoolName           A string representing the name of the web site’s school.
SchoolPhone          The phone number of the web site’s school.
SchoolWords          A string representing any additional text associated with
                     the web site’s school.
Style                A string representing the relative URL of a style sheet
                     for the web site.
Title                A string representing the user-defined title for the
                     home page.
URL(N)               A string representing the Nth user-defined URL. This
                     collection allows you to store multiple user-defined
                     URLs for easy access.
URLWords(N)          A string representing the description of the Nth
                     user-defined URL. This collection allows you to store
                     the descriptions for the URLs in the URL collection.

strPropertyValue
A string that represents the new value for a given property. If the property
name does not exist, it is created and initialized with the value of
strPropertyValue.
Example
The following example code demonstrates both the instantiation of a MyInfo
object and its use. First, a MyInfo object named appMyInfo is instantiated in
GLOBAL.ASA:
[FROM GLOBAL.ASA]
<%
' Declare local variables.
Dim appMyInfo
' Instantiate a MyInfo object with application-level scope.
Set Application("appMyInfo") = _
Server.CreateObject("MSWC.MyInfo")
' ...[additional code]
%>
The following is from elsewhere in the ASP application and shows how to assign
values to and retrieve values from the MyInfo object:
<%
' You can set the default values.
Application("appMyInfo").PersonalName = _
"A. Keyton Weissinger"
' You can also create (or set) new values.
Application("appMyInfo").MyNewProp = _
"Custom Property Value"
' ...[additional code]
' Now you can use these values as you would any other
' application-level values.
%>
The value of the PersonalName property is
<%= Application("appMyInfo").PersonalName %><BR>
The value of the MyNewProp property is
<%= Application("appMyInfo").MyNewProp %><BR>
Notes
The only properties whose values are in any way unusual are the URL and
URLWords collections. These allow you to create a collection of URLs for later use
in your site. The following demonstrates the use of these properties:
<%
' Set the URL for the first URL in the collection.
Application("appMyInfo").URL(1) = _
"/Apps/HomeDir/Home.asp"
' Set the description for the first URL in the
' collection.
Application("appMyInfo").URLWords(1) = _
"My Site's Home Page"
' ...[additional code]
' Now you can use these values to create a link (with a
' descriptive name) to a particular URL.
%>
<A HREF = "<%= Application("appMyInfo").URL(1) %>">
<%=Application("appMyInfo").URLWords(1)%>
</A>