Allow Web Site to invoke batch file...code correct, unable to correctly deploy or configure permissions on server.

  • Question

  • User865464427 posted

    I've spent days on this and I need to know whether there's much point in continuing! I'm not even sure this is the right forum...

    We're inheriting a web application that uses Apache FOP to dynamically generate PDFs. The site is currently live on the previous development company's server and I can see that it works. For reasons that probably don't require imagination, they don't want to help us move the application very much, and I have the unenviable task of trying to work out the appropriate configuration.

    Whilst the code works in VS 2008 dev server, I can't get it to work on Localhost (the PDF isn't created but since the function always returns true the application moves on to say file not found), and on the staging server the application hangs on calling the batch file, and the site has to then be restarted in IIS.

    What I do know

    According to the developer the code requires FOP 1.1. (I know the code below has a directory called 0.93, but since I cannot modify the code I have extracted FOP to a matching directory)

    FOP is called using the following code, and this works on VS Development Server (which I know runs with different privileges to IIS)

    // Requires: using System.IO; (for Path)
    private static bool MakePDF(string xmlIn, string pdfOut, string workingDir)
    {
        System.Diagnostics.Process pr = new System.Diagnostics.Process();
        pr.StartInfo.FileName = @"C:\fop0.93\fop.bat";
        // Pass only the file names, each wrapped in double quotes
        pr.StartInfo.Arguments = @"""" + Path.GetFileName(xmlIn) + @"""" + " " + @"""" + Path.GetFileName(pdfOut) + @"""";
        pr.StartInfo.WorkingDirectory = workingDir;

        pr.Start();
        pr.WaitForExit(); // blocks with no timeout

        // Always reports success, whatever the exit code
        return true;
    }

    What I don't know

    I don't know what version of Windows Server or IIS the other company deployed the application on.

    I don't know what permissions were given to the relevant folders or what user the process was running under.

    I can't modify the source code for the live version of the application, as it hasn't been made available to us.

    What I've tried

    Our staging and production server both run Win 2008 r2, IIS 7.5

    The application runs under its own application pool. I have elevated its identity all the way to Administrator, and given permissions to everyone and his dog to access the FOP directory, and of course the folder where I want the PDF to end up. The application still hangs.

    I've tried giving IIS Admin permission to interact with the desktop and restarted IIS (restarted the whole server actually).

    I've tried looking at event logs and the task manager to see if the batch file is actually launched. I can't see anything or I'm looking in the wrong places. 

    The application still hangs on the above function call.

    I've downloaded and tested a free program called J4L FOP Server which allows the file to be generated over a WebRequest in the hope that I might eventually be able to modify the application source code, however it uses an even older version of FOP, and the pdf it generated from the .fo and .xml files used by the other company's application was always corrupt. 

    I have run the same FOP commands to execute the batch file used by the application from the command line on the server and I know FOP is installed and works fine.

    What I'd like to know...

    Is there better security in Server 2008 r2 / IIS 7.5 that prevents any attempt to call batch files from a website? It seems a pretty risky practice to me in any case.

    Is there a difference in the way Process()/cmd.exe should be used on different operating systems? The fact that it hangs rather than crashes seems to indicate to me it's unhappy about something in the batch file. (It is the default fop.bat provided by Apache though.)

    Is there anything I haven't tried yet?

     

    Monday, June 2, 2014 12:02 PM

Answers

  • User465171450 posted

    There is a tool called Process Monitor which is available for free at MS (http://technet.microsoft.com/en-us/sysinternals/bb896645). This is very useful for determining what is really going on.

    I've had similar problems before invoking some third-party applications, especially a 32-bit app running on a 64-bit server. The reason is the requests end up going through the WOW64 process, which ends up needing its own security.

    Try setting impersonation within the app.config for an account that has the proper privileges to access the WOW64 directory, and probably the temp directory.

    You also need to watch where it is attempting to create temporary files. The Process Monitor tool can help you there. Since the Vista era, and also I believe Win 2008 maybe as well, apps can't write to their Program Files directory and must use the Program Data directory. I've seen plenty of apps have issues where they try to write a temp file or other file to their own install directory during processing instead of the Program Data directory.

    Now, the Process Monitor tool is fantastic, and generates boatloads of information so you will want to turn it on just long enough to capture a possible use of the batch file and its errors and pause it. There can be 30,000+ operations that are done in a single second so you will need to sort carefully to figure it out.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, June 2, 2014 12:39 PM
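
An added example, not code from the original thread or from Apache FOP: a variant of the question's MakePDF that bounds the wait with a timeout and records the worker identity, temp path, FOP's console output and exit code, so the kind of failure the answer describes shows up in a log instead of a hung request. The class name FopRunner, the timeoutMs and log parameters, and the file-name allow-list are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Security.Principal;
using System.Text;
using System.Text.RegularExpressions;

static class FopRunner
{
    // Allow-list for names handed to the batch file, because cmd.exe interprets
    // characters such as % and & (assumed naming convention, adjust as needed).
    static readonly Regex SafeName = new Regex(@"\A[A-Za-z0-9_.\-]+\z");

    public static bool MakePdf(string xmlIn, string pdfOut, string workingDir,
                               int timeoutMs, out string log)
    {
        string inName = Path.GetFileName(xmlIn), outName = Path.GetFileName(pdfOut);
        if (!SafeName.IsMatch(inName) || !SafeName.IsMatch(outName))
            throw new ArgumentException("Unexpected characters in file name.");
        var sb = new StringBuilder();
        // With impersonation on, GetCurrent() is the thread identity; the child runs under the process token.
        sb.AppendLine("Identity: " + WindowsIdentity.GetCurrent().Name);
        sb.AppendLine("TEMP: " + Path.GetTempPath());

        var psi = new ProcessStartInfo(@"C:\fop0.93\fop.bat",
                                       "\"" + inName + "\" \"" + outName + "\"")
        {
            WorkingDirectory = workingDir,
            UseShellExecute = false,        // required for stream redirection
            CreateNoWindow = true,          // nothing to show in a service session
            RedirectStandardOutput = true,
            RedirectStandardError = true
        };
        using (var pr = new Process { StartInfo = psi })
        {
            pr.OutputDataReceived += (s, e) => { if (e.Data != null) lock (sb) sb.AppendLine(e.Data); };
            pr.ErrorDataReceived += (s, e) => { if (e.Data != null) lock (sb) sb.AppendLine("ERR: " + e.Data); };
            pr.Start();
            pr.BeginOutputReadLine();       // asynchronous reads avoid a full-pipe deadlock
            pr.BeginErrorReadLine();
            bool exited = pr.WaitForExit(timeoutMs);
            if (exited) pr.WaitForExit();   // let the async handlers drain
            else pr.Kill();                 // ends cmd.exe only; a child java.exe may need separate cleanup
            lock (sb) { sb.AppendLine(exited ? "Exit code: " + pr.ExitCode : "Timed out"); log = sb.ToString(); }
            return exited && pr.ExitCode == 0 && File.Exists(Path.Combine(workingDir, outName));
        }
    }
}
```

Writing the returned log to the application's own log file gives a starting point for filtering a Process Monitor capture by process name and path.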

All replies

  • User865464427 posted

    Thanks, I'm currently looking at an alternative solution to generating the PDFs the way we are familiar with, but I'm going to mark your post as the answer because it explains really well why things might not be working. I hadn't come across this information anywhere else, so hopefully it will help someone in future!

    I have downloaded the Process Monitor and will hopefully get a chance to run it later.

    Thanks for your help.

    Wednesday, June 4, 2014 4:25 AM