[英]ASP.NET Impersonation by Role
I modified the ASP.NET login control to also allow specifying UserRole ('Employee' or 'Volunteer'). 我修改了ASP.NET登录控件,使其还可以指定UserRole(“ Employee”或“ Volunteer”)。 Users are authenticated via a call to a webservice written by our client, which accepts username/password/role and returns true or false.
通过对我们的客户端编写的Web服务的调用来对用户进行身份验证,该服务接受用户名/密码/角色并返回true或false。
The server runs on Windows Server 2003. I am confused by the myriad of configuration choices and trying to understand my options; 该服务器运行在Windows Server 2003上。无数的配置选择让我感到困惑,并且试图了解我的选择。
Is it possible to have multiple scenarios as described? 是否可能有上述多种情况?
Should I specify the impersonation programmatically or can it be done through the config file? 我应该以编程方式指定模拟还是可以通过配置文件完成模拟? If so, is it required to use LogonUser or WindowsIdentity?
如果是这样,是否需要使用LogonUser或WindowsIdentity?
What config file setup should I use? 我应该使用什么配置文件设置? (ie Forms authentication, impersonate=true, etc..)
(即,表单身份验证,模拟= true等。)
Thank you in advance. 先感谢您。
Because the decision about which identity to impersonate is based on run-time data, you'll likely have to deal with impersonation programmatically. 因为要模拟哪个身份的决定是基于运行时数据的,所以您可能必须以编程方式处理模拟。
I use a combination of interop and WindowsIdentity to handle impersonation. 我使用interop和WindowsIdentity的组合来处理模拟。 The steps I follow are:
我遵循的步骤是:
LogonUserA()
, which fills a handle to an IntPtr ( token
). LogonUserA()
登录,该操作将填充IntPtr( token
)的句柄。 DuplicateToken()
. DuplicateToken()
复制令牌。 var identity = new WindowsIdentity(tokenDuplicate);
var identity = new WindowsIdentity(tokenDuplicate);
. var context = identity.Impersonate();
var context = identity.Impersonate();
CloseHandle()
CloseHandle()
关闭两个令牌 context.Undo();
context.Undo();
I keep a disposable class around to handle the details. 我会安排一个一次性课程来处理细节。 Steps 1-5 occur in a constructor, and step 6 occurs in the dispose routine.
步骤1-5在构造函数中发生,而步骤6在处理例程中发生。 This helps ensure that I properly revert even in the face of an exception.
这有助于确保即使遇到异常我也可以正确还原。
With this approach, since you are passing credentials via a service method, the web.config authentication scheme is not entirely forced. 使用这种方法,由于您通过服务方法传递凭据,因此不会完全强制执行web.config身份验证方案。 If, however, you are using integrated Windows auth, you could programmatically impersonate the current user from HttpContext.Current.User.Identity.Impersonate(), without passing credentials in a service method.
但是,如果使用的是集成Windows身份验证,则可以通过编程方式从HttpContext.Current.User.Identity.Impersonate()模拟当前用户,而无需在服务方法中传递凭据。
On an aside, and you may already know, PInvoke.net is a valuable resource for configuring signatures for interop methods. 顺便说一句 ,您可能已经知道, PInvoke.net是用于为互操作方法配置签名的宝贵资源。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.