按角色的ASP.NET模拟
[英]ASP.NET Impersonation by Role
问题描述
I modified the ASP.NET login control to also allow specifying UserRole ('Employee' or 'Volunteer'). 
我修改了ASP.NET登录控件,使其还可以指定UserRole(“ Employee”或“ Volunteer”)。 Users are authenticated via a call to a webservice written by our client, which accepts username/password/role and returns true or false. 通过对我们的客户端编写的Web服务的调用来对用户进行身份验证,该服务接受用户名/密码/角色并返回true或false。
- If role is 'Employee' it represents an active directory user. 如果角色是“雇员”,则表示活动目录用户。 The application should impersonate the user with the given username/password. 应用程序应使用给定的用户名/密码来模拟用户。
- If role is 'Volunteer' the application should run under a set Windows account whose username/password are known in advance (ie hard-coded in web.config file). 如果角色是“志愿者”,则该应用程序应在预先知道其用户名/密码(即,硬编码在web.config文件中)的Windows帐户下运行。
The server runs on Windows Server 2003. I am confused by the myriad of configuration choices and trying to understand my options; 该服务器运行在Windows Server 2003上。无数的配置选择让我感到困惑,并且试图了解我的选择。
Is it possible to have multiple scenarios as described? 是否可能有上述多种情况?
Should I specify the impersonation programmatically or can it be done through the config file? 我应该以编程方式指定模拟还是可以通过配置文件完成模拟? If so, is it required to use LogonUser or WindowsIdentity? 如果是这样,是否需要使用LogonUser或WindowsIdentity?
What config file setup should I use? 我应该使用什么配置文件设置? (ie Forms authentication, impersonate=true, etc..) (即,表单身份验证,模拟= true等。)
Thank you in advance. 先感谢您。
1 个解决方案
解决方案1
3 已采纳 2010-09-07 17:34:23
Because the decision about which identity to impersonate is based on run-time data, you'll likely have to deal with impersonation programmatically. 因为要模拟哪个身份的决定是基于运行时数据的,所以您可能必须以编程方式处理模拟。
I use a combination of interop and WindowsIdentity to handle impersonation. 我使用interop和WindowsIdentity的组合来处理模拟。 The steps I follow are: 我遵循的步骤是:
- Log on using the interop
LogonUserA(), which fills a handle to an IntPtr (token).使用互操作LogonUserA()登录,该操作将填充IntPtr(token)的句柄。 - Duplicate the token with the interop
DuplicateToken().使用interop DuplicateToken()复制令牌。 - Create a new windows identity, a la:
var identity = new WindowsIdentity(tokenDuplicate);创建一个新的Windows身份,例如: var identity = new WindowsIdentity(tokenDuplicate);.。 - Create an impersonation context via:
var context = identity.Impersonate();通过以下方式创建模拟上下文: var context = identity.Impersonate(); - Close both tokens with the interop
CloseHandle()使用互操作CloseHandle()关闭两个令牌 - When finished impersonating, undo the impersonation context via:
context.Undo();模拟完成后,可通过以下方式撤消模拟上下文: context.Undo();
I keep a disposable class around to handle the details. 我会安排一个一次性课程来处理细节。 Steps 1-5 occur in a constructor, and step 6 occurs in the dispose routine. 步骤1-5在构造函数中发生,而步骤6在处理例程中发生。 This helps ensure that I properly revert even in the face of an exception. 这有助于确保即使遇到异常我也可以正确还原。
With this approach, since you are passing credentials via a service method, the web.config authentication scheme is not entirely forced. 使用这种方法,由于您通过服务方法传递凭据,因此不会完全强制执行web.config身份验证方案。 If, however, you are using integrated Windows auth, you could programmatically impersonate the current user from HttpContext.Current.User.Identity.Impersonate(), without passing credentials in a service method. 但是,如果使用的是集成Windows身份验证,则可以通过编程方式从HttpContext.Current.User.Identity.Impersonate()模拟当前用户,而无需在服务方法中传递凭据。
On an aside, and you may already know, PInvoke.net is a valuable resource for configuring signatures for interop methods. 顺便说一句 ,您可能已经知道, PInvoke.net是用于为互操作方法配置签名的宝贵资源。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.