BCL easyPDF SDK
easyPDF SDK Usermanual
PDF Creator Programming API  |  Download Free Trial  |  Contact Us to Purchase

Using easyPDF on the Server Side

Servers and system services do not behave the same way as desktop applications. Services are running under special limited user accounts, and do not have access to the desktop. For example, they cannot open a dialog box, or launch Microsoft Word.

In order to work around these limitations, easyPDF offers two alternative solutions. One is called the Loader Service, and the other one is called Impersonation.

When to Use Loader

Loader was originally invented for printing Microsoft Office documents on the server side, such as from Microsoft Internet Information Services (IIS). However, beginning with Windows 7 / Server 2008 R2, Loader is necessary for all server-side printing operations, as well as Microsoft Office automation.

The rule of thumb is that easyPDF Printer SDK always requires Loader on the server side. The other SDKs do not.

Beginning with easyPDF SDK 8, users have a choice between Loader Service and Impersonation.

The Loader Service

The easyPDF SDK Loader Service has been a part of the product for a very long time. It is based on the idea of running a system service under a desktop user account. All easyPDF function calls are tunneled through this service, therefore impersonating a desktop user.

The disadvantage of this method is that this service must always be running under a highly privileged user account, which is a potential security vulnerability. Also Windows has to store this username and password somewhere in the registry (in encrypted format). Uninstallation of easyPDF causes the password to be forgotten, which must be manually reset every time easyPDF is reinstalled.

Another huge disadvantage is that the service is a single point of failure. Should easyPDF crash, it might crash the service with it. Should the service fail in any way, a real person must log in to the server and restart it manually. The service cannot easily be killed or restarted during normal operation. If the service is busy, that can cause issues with uninstallation or upgrade.

Impersonation

The alternative solution is to simply impersonate a desktop user when necessary. This brand new technique was introduced in easyPDF SDK 8, and is available for .NET, Java, PHP, Python, C and C++ programmers only. Users of the classic COM API have no choice but to use the Loader Service.

The basic idea of Impersonation is to launch an external process under a specific user account. Instead of having a central Loader Service that is always running, each SDK object is isolated into a separate worker process. Each worker process quits as soon as they are not used anymore.

A huge advantage of Impersonation over the Loader Service is that multiple different users can be impersonated. For example, you may have a separate user for each web request. Or one dedicated user for each printer paper size. This is the only way to change paper size in a thread-safe way.

The difficulty of this solution is that the username and password must be supplied as parameters by the user of the SDK. It is the developer's burden to hide this information in a secure location. Those who are uneasy about storing cleartext passwords in the source code are required to encrypt it. Fortunately, .NET has a built-in solution.

Note that the implementation offered by the classic Loader Service is not any better, either. The only difference with Loader Service is that the password is managed (and encrypted) by Windows, which is not incredibly secure, either. It uses an encrypted registry key, which solution is strongly discouraged and deprecated, yet still used by Microsoft to store user passwords for services.

Also Note that the the user accounts used by Impersonation and Loader must be Local User Accounts that have been fully configured for desktop use. These Accounts must be logged in to get past any registration dialogues, and then be logged of and remain logged off during Conversions.

Security via Isolation

On a modern Windows system, it is a physical impossibility to print documents or run Microsoft Office on the server side without supplying a username and password.

When security is a concern, customers should separate the web server from the application servers via a firewall. Make sure easyPDF is only installed on the application servers, which are on a local area network, completely inaccessible from the internet. Only the web server should be online, which distributes individual print jobs to a load-balanced array of application servers.