The Internet Server Application Programming Interface
) is an N-tier API
of Internet Information Services
's collection of Windows
-based web server services. The most prominent application of IIS and ISAPI is Microsoft's web server
The ISAPI has also been implemented by Apache's mod_isapi module so that server-side web applications written for Microsoft's IIS can be used with Apache, and other third-party web servers like Zeus Web Server offer ISAPI interfaces.
The word "server" can refer to a computer ("box") or a piece of software (for example, SQL Server
's web server application software is called Internet Information Services
, which is made up of a number of "sub-applications" and is very configurable. ASP.NET
is one such slice of IIS, allowing a programmer to write web applications in his or her choice of programming language (VB.NET, C#, J#) that's supported by the Microsoft .NET CLR
is a much lower-level programming system, giving much better performance, at the expense of complexity. While Microsoft is generally credited with the creation of the ISAPI specification, it was actually co-developed by Process Software and Microsoft with input from a small number of other vendors..
Major sites using ISAPI
Before switching to ASP.Net Microsoft's MSDN
-Library (msdn.Microsoft.com) was fully developed with ISAPI. eBay
still uses the "eBayISAPI.dll", although on the back-end they are using Java Technology powered by Sun.
Performance and compromise
The greatest disadvantage of developing web applications at ISAPI level is the increased development time over typical scripting languages like PHP and ASP. Another penalty is the lack of native support for many standard web application features such as Session
handling, which are common features in technologies such as ASP and PHP. Because ISAPI extensions are normally written in unsafe languages like C, there is also an increased risk of buffer overflows and similar vulnerabilities occurring.
ISAPI for IIS 5.0 and earlier
In contrast to CGI
applications, an ISAPI application is loaded into the same process space as the IIS web server. This removes the need for inter-process
calls and the overhead of loading and starting a separate executable, allowing improved performance of ISAPI applications over CGI applications. However, if an ISAPI application crashes
, it can cause the whole of the web server to crash along with it.
ISAPI for IIS 6.0
In IIS 6.0 it is possible to configure an IIS application to run in a separate process space created by IIS (recommended mode: "High (isolated)"). Thus, performance is maintained but if the ISAPI application crashes it will not cause the whole IIS server to crash.
ISAPI consists of two components: Extensions and Filters. These are the only two types of applications that can be developed using ISAPI. Both Filters and Extensions must be compiled into DLL files which are then registered with IIS to be run on the web server.
ISAPI applications can be written using any language which allows the export of standard C functions, for instance C, C++, Delphi. There are a couple of libraries available which help to ease the development of ISAPI applications, and in Delphi Pascal the Intraweb components for web-application development. MFC includes classes for developing ISAPI applications. Additionally, there is the ATL Server technology which includes a C++ library dedicated to developing ISAPI applications.
ISAPI Extensions are true applications that run on IIS. They have access to all of the functionality provided by IIS. ISAPI extensions are implemented as DLLs that are loaded into a process that is controlled by IIS. Clients can access ISAPI extensions in the same way they access a static HTML page. Certain file extensions or a complete folder or site can be mapped to be handled by an ISAPI extension.
ISAPI filters are used to modify or enhance the functionality provided by IIS. They always run on an IIS server and filter every request until they find one they need to process. Filters can be programmed to examine and modify both incoming and outgoing streams of data. Internally programmed and externally configured priorities determine in which order filters are called.
Filters are implemented as DLL files and can be registered on an IIS server on a site level or a global level (i.e., they apply to all sites on an IIS server). Filters are initialised when the worker process is started and listens to all requests to the site on which it is installed.
Common tasks performed by ISAPI filters include:
- Changing request data (URLs or headers) sent by the client
- Controlling which physical file gets mapped to the URL
- Controlling the user name and password used with anonymous or basic authentication
- Modifying or analyzing a request after authentication is complete
- Modifying a response going back to the client
- Running custom processing on "access denied" responses
- Running processing when a request is complete
- Run processing when a connection with the client is closed
- Performing special logging or traffic analysis.
- Performing custom authentication.
- Handling encryption and compression.
Common ISAPI applications
This is a list of common ISAPI applications implemented as ISAPI extensions:
- Active Server Pages (ASP), installed as standard
- ASP.NET, installed as standard on IIS 6.0 onwards
- ColdFusion, later versions of ColdFusion are installable on IIS
- Perl ISAPI (aka Perlis), available for free to install
- PHP, available for free to install.
ISAPI applications can be developed using any development tool that can generate a Win32 DLL. Wizards for generating ISAPI framework applications have been available in Microsoft development tools since Visual C++ 4.0.