An Internet Server Application Program Interface (ISAPI) filter is a set of Windows program calls that allow you to write a Web server application that is faster than a CGI. An ISAPI filter hooks into the IIS system and monitors certain events that occur while the client tries to read a page from our server.
The filter application sits between the network connection to the client and the HTTP server, allowing us to control the data exchange between the IIS and the client. Using it, we can enhance the server functionality and create custom features, such as advanced HTTP logging or our own encryption. The ISAPI filters are based on notifications that the IIS sends to our ISAPI filter. These notifications are actually stages that each request has to pass.
Each notification handles a different type of data. The data is relevant to each stage of the request process.
When the ISAPI filter gets a notification from the IIS, we then can manipulate the notification's data. After we have manipulated the data, we can choose whether we want the IIS to continue to process the request.
Notifications
The notifications available from the IIS server are:
OnPreprocHeaders -- Notifies the filter that the server has preprocessed the client headers.
OnAuthentication -- Authenticates the client.
OnUrlMap -- Notifies a filter when a server is mapping a logical URL to a physical path.
OnSendRawData -- Notifies the filter before raw data is sent from the server to the client.
OnReadRawData -- Notifies the filter after raw data is sent from the client to the server, but before the server processes it.
OnLog -- Logs information to a server file.
OnEndOfNetSession -- Notifies the filter that the session is ending.
For our example, we'll monitor the OnUrlMap notification. Since we want to capture every attempt to read JavaScript files, this is the most suitable notification. When the client attempts to access a JavaScript file (a file with the .js extension), the server will try to map the logical path to the physical path, and that's when the server will notify us. After the server notification, we'll check whether the file is a JavaScript file. If so, we must make sure that the request comes from a client and not from our own server. If it is a client request, then we must block it and display an "access denied" message.
The Code
The work procedure is very simple and so is the following code:
The most important step in this code is the redirect procedure. This step redirects the client to a nonexistent page and then shows him the access denied message (lines 15 to 20).
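As an added example (not the author's filter and not the listing the text refers to), this C sketch implements only the allow/deny decision an OnUrlMap handler has to make. The page does not say how the filter tells a page's script include from a direct request, so the Referer-host comparison is an assumption; should_block, is_js_path, referer_is_own_site and the host www.example.test are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive compare of n bytes; stops at the first mismatch,
   including a NUL in either string, so short inputs are safe. */
static int ieq(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Does the mapped physical path name a .js file? Windows file names are
   case-insensitive and Win32 ignores trailing dots and spaces. */
int is_js_path(const char *path) {
    size_t len = strlen(path);
    while (len > 0 && (path[len - 1] == '.' || path[len - 1] == ' '))
        len--;
    return len >= 3 && ieq(path + len - 3, ".js", 3);
}

/* Assumed rule: a script include from our own page carries a Referer whose
   host is own_host (default port only). The header is client-supplied. */
int referer_is_own_site(const char *referer, const char *own_host) {
    size_t hlen = strlen(own_host);
    const char *p;
    if (referer == NULL || hlen == 0) return 0;
    if (ieq(referer, "http://", 7)) p = referer + 7;
    else if (ieq(referer, "https://", 8)) p = referer + 8;
    else return 0;
    if (!ieq(p, own_host, hlen)) return 0;
    /* The host must end here: "own_host.other.test" is a different site. */
    return p[hlen] == '/' || p[hlen] == '\0';
}

/* Decision for one OnUrlMap notification: 1 = deny, 0 = let IIS continue.
   In a filter the inputs would be pszPhysicalPath and HTTP_REFERER. */
int should_block(const char *physical_path, const char *referer,
                 const char *own_host) {
    return is_js_path(physical_path) && !referer_is_own_site(referer, own_host);
}

int main(void) {   /* constructed sample inputs */
    printf("%d\n", should_block("C:\\site\\jsisapi.JS", NULL, "www.example.test"));
    printf("%d\n", should_block("C:\\site\\jsisapi.js",
           "http://www.example.test/page.html", "www.example.test"));
    return 0;
}
```

Because the Referer value comes from the client, this check only separates ordinary page loads from direct browser requests; it is not an access control for the script's contents.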
Test the Code
How to test the code:
Compile the code using the Visual C++ ISAPI Filter wizard.
Install the ISAPI filter on your IIS.
Create a JavaScript file named "jsisapi.js."
Create an HTML file linked to that JavaScript file.
Execute the HTML file. The file should work properly.
Try to access the JavaScript file directly from your browser. You should get an access denied message.
This code has been tested on IIS4/5 and compiled with Visual C++ 5/.NET.
About the Author
Itay Weinberger, a young programmer from Israel, is CEO of Joola Productions, Inc.
He specializes in Web development consulting. See http://www.joola.co.il, or contact him at info@joola.co.il.