Web sites benefit from users directly uploading files, such as expense reports, Microsoft Word files, and executables. Enabling users to directly upload documents gives Web masters more time to concentrate on other tasks. To provide users with uploading functionality, Microsoft created Posting Acceptor and included it in Site Server Express 2.0 in the Windows NT 4.0 Option Pack. Posting Acceptor accepts content posted from a browser or other clients conforming to the rules outlined in Request for Comments (RFC) 1867: "Form-based File Upload in HTML." Posting Acceptor also supports posting from Microsoft's WebPost API-based client code.
Microsoft updated Posting Acceptor and included the new version in Site Server Express 3.0. In this article, I configure the updated Posting Acceptor and show you how to manage it with Microsoft Internet Information Server (IIS) 4.0 and NT Server 4.0.
Install the Update
You must have the Option Pack installed before you can install Site Server Express 3.0. You can obtain Site Server Express 3.0 from NT Service Pack 4 (SP4) by opening the service pack's installation page and selecting Site Server Express 3.0. You can also download Site Server Express 3.0 from http://www.microsoft.com/ ntserver/nts/downloads/ management/ siteserver.
During installation, Site Server Express 3.0 places certain Posting Acceptor files into the INetPub\Scripts folder and other files in the C:\ProgramFiles\ Microsoft Site Server Express folder. Table 1 describes the key Posting Acceptor files. The installation process also creates the Sites and SiteServer Web sites.
The Sites Web site resides at C:\Program Files\ Microsoft Site Server Express\Sites. When people use Posting Acceptor to upload files, Site Server Express 3.0 uses Sites as the default upload site. This site contains a subdirectory tree for each server and subdirectories within each tree for each user. Posting Acceptor uses this site to separate uploaded files.
The SiteServer Web site resides at C:\Program Files\Microsoft Site Server Express\SiteServer. This site contains the Posting Acceptor files. When users connect to default Posting Acceptor files (e.g., upload.asp), Site Server Express 3.0 routes them to this site for the upload process.
Security is a concern you must address with any application. Posting Acceptor uses the Internet Server API (ISAPI) application called cpshost.dll. Users must have at least Execute permission for cpshost.dll. You can provide access to the Everyone group, or if you are using NT Challenge/Response authentication or Basic authentication, you can restrict access to only the users you let upload files.
You might also want to define secure folders for file uploads. You can create custom folders and restrict users who can upload files to write access. This approach restricts certain users from uploading and executing files. If you use the default Sites folder for uploads, you can restrict access by using Internet Server Manager (ISM) to permit write access or read and write access. From ISM, open Properties for the site and choose None in the Application Permissions setting.
To upload files, users direct their browsers to http://servername/ scripts/upload.asp, where servername is the name of the server running Posting Acceptor. This URL starts upload.asp, which uses the Browser Capability component to determine whether the browser viewing the page can use an ActiveX control. The Browser Capability component routes browsers lacking ActiveX controls (e.g., Netscape Navigator) to uploadn.asp. The component routes browsers that use an ActiveX control (e.g., Microsoft Internet Explorer—IE 3.0—or later) to uploadx.asp.
The Browser Capability component is an important feature of Posting Acceptor. Browser Capability looks up browsers in the browscap.ini file, which contains static information about particular browsers. The component makes decisions based on the static information, and it doesn't matter whether a browser has ActiveX controls turned off (e.g., in IE) or whether you use Netscape Navigator with a plug-in that provides ActiveX controls: IE always returns ActiveX = TRUE, and Netscape Navigator always returns ActiveX = FALSE. You need to periodically visit Microsoft's Web site to update the browscap.ini file to support new browsers. Browscap.ini is at C:\winnt\system32\ inetsrv.
If you visit the Site Server Upload page with your browser, you will see either uploadn.asp, which Screen 1 shows, or uploadx.asp, which Screen 2 shows. The uploadn.asp page uses native HTML features to upload a file, and this page works with both Netscape Navigator and IE. You simply enter a filename or click Browse, then click Upload. The application encodes and sends the files in the HTTP header to the server. The Posting Acceptor .dll file takes the header, pulls the file information from it, rebuilds it, and saves the file. You can directly access uploadn.asp from any browser by directing a URL to it.
The uploadx.asp page, which Screen 2 shows, lets you drag files from Windows Explorer and drop them onto the control icon, which uploads them to the default folder. You can also double-click the ActiveX applet and select the file to upload.
The Upload Page provides three sample Active Server Pages (ASP) files that you can modify: upload.asp, uploadn.asp, and uploadx.asp. You can change the target URL to which Posting Acceptor posts files and other parameters. To add posting support to another site, you can copy the appropriate upload file to the Sites folder or add the functionality into your application. Listing 1 provides the source code for upload.asp.
Listing 2 shows the source code for uploadn.asp, which is a shell HTML file. Uploadn.asp maps uploadnd.asp and uploadnt.asp at callout C in Listing 2. Uploadnd.asp captures the files to upload and posts them to the server. Uploadnd.asp also displays the upload's interface.
Listing 3 shows the HTML upload code that is the key part of uploadnd.asp. The HTML form accepts the user's input and posts files to the server. The form statement defines the actions and type. The encoding type is set to multipart/form-data to show a file upload. The action attribute is set to the PostingURL path built in pasetup.inc, which is an important file from uploadn.asp. Each of the input statements with the name set to my_file accepts a filename from the user. The type attribute is set to file to display the browse dialog button. The TargetURL input statement defines the target URL by setting its default value to the TargetURL variable, which pasetup.inc defines. The last input statement defines the submit button, which triggers the post action.
The statement at callout A in Listing 2 lists the pasetup.inc file. Pasetup.inc lets you modify Posting Acceptor's default behavior for your application. And you can change this file's configuration without having a programming background. Posting Acceptor uses variables that pasetup.inc sets, so you simply change the file's variable definitions to change Posting Acceptor's behavior.
Listing 4, page 120, shows the ASP code of pasetup.inc. The PathToPA and RepostURL variables at callout D in Listing 4 contain the complete URL to the Posting Acceptor .dll and the .asp file that Posting Acceptor uses to repost files. The URL consists of the server's name and the URL to the file. If you place the Posting Acceptor files on a server other than the one running IIS 4.0, you can modify the code to point to that server. For instance, if the default URL for PathToPA is http://abaco/scripts/ cpshost.dll, you can change this URL in pasetup.inc to http://snoopy/scripts/ cpshost.dll with the line
The RepostURL variable contains the URL to route the Posting Acceptor after the posting operation. The default displays the repost.asp page to the user to confirm the upload operation. You can change this variable to point to any file. For instance, you can change the page displayed to CustomerUploadOK.asp on the snoopy server with the line
In pasteup.inc, another important variable is AllowAnonymous = NO. This variable sets the file's security level. This default variable forces users to log on to the server with either NT Challenge/ Response authentication or Basic authentication. Netscape Navigator users must set logon to Basic authentication because Netscape Navigator doesn't support NT Challenge/Response protocol. Uploadn.asp's AllowAnonymous statement at callout B in Listing 2 checks for a user's valid logon ID. If AllowAnonymous = NO at callout E in Listing 4, users must have a valid logon before they can access uploadn.asp. Posting Acceptor retrieves the logon variable using the LOGON_USER server variable. If the Web server validates the user, the LOGON_USER variable contains the username. If the application uses only anonymous logons or the user tries to log on with an invalid username and password, this field is blank and the user can't upload files. If you want to change the default setting to let users access the uploadn.asp or uploadx.asp files with anonymous access, you can remove the if statement from uploadn.asp and uploadx.asp or you can change the AllowAnonymous variable in pasetup.inc to
AllowAnonymous = YES
You might find two other variables in pasetup.inc useful. The first one, SitesURL = "/Sites/Publishing", sets the URL's Web site for the posting folder. This setting causes files to upload to the default Web site Sites on the server running Posting Acceptor. You can change this variable to upload files to another Web site. You can also change the target folder for uploads by changing the TargetURL variable. You can change this variable by changing only SitesURL and TargetURL, or by changing only TargetURL. The cleanest change is to simply modify TargetURL. For example, if you change the target URL to the snoopy server and the UploadStuff site, the modification will look like
You can also change the TargetURL variable dynamically in your ASP code. You might have five Web applications, for example, that use Posting Acceptor, and each one needs to upload the files to a different location. Each application can dynamically change TargetURL to reference a folder in that application's set of folders. Whenever you make changes to variables, remember to save the file.
Screen 3 shows several Performance Monitor counters that Posting Acceptor installs. These counters track the overall performance of posting actions (i.e., Current Posts, Total Posts Received, Total Files Received). These counters also track problems that occur (i.e., Unresolved Posts, Total Failed Posts, Failed Posts/Sec). Also, Posting Acceptor stamps the event log with transaction information. Stamping the event log is useful for auditing posting operations and troubleshooting posting actions.
The Microsoft Knowledge Base has a wealth of information on posting files to IIS 4.0. You can search the Knowledge Base for Posting Acceptor to retrieve this information.
Posting Acceptor makes loading files to your Web server simple. The installation and setup are automatic, and you can use the application immediately after installation. I like the fact that the application uses HTML and ASP so that you can tweak its operation to your liking.