[英]What's the difference between retrieving WindowsPrincipal from WindowsIdentity and Thread.CurrentPrincipal?
I am trying to work out why attribute based security isn't working as I'd expect in WCF and I suspect it might have something to do with the following: 我试图弄清楚为什么基于属性的安全性不能像我在WCF中所期望的那样工作,我怀疑它可能与以下内容有关:
AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
var identity = new WindowsIdentity("ksarfo");
var principal = new WindowsPrincipal(identity);
Console.WriteLine("\nChecking whether current user [" + identity.Name + "] is member of [" + groupName + "]");
Console.WriteLine(principal.IsInRole(groupName)); // returns true
principal = (WindowsPrincipal)Thread.CurrentPrincipal;
identity = (WindowsIdentity) principal.Identity;
Console.WriteLine("\nChecking whether current user [" + identity.Name + "] is member of [" + groupName + "]");
Console.WriteLine(principal.IsInRole(groupName)); // returns false
I don't understand why the results differ for the function call: 我不明白为什么函数调用的结果不同:
principal.IsInRole(groupName)
For the sake of completeness the point at which the code actually fails is here: 为了完整起见,代码实际失败的点在这里:
PrincipalPermission(SecurityAction.Demand, Role = "PortfolioManager")]
Help appreciated. 帮助赞赏。
Maybe it's because this is not the same classes. 也许是因为这不是同一类。
Look at MSDN : 看看MSDN:
So, if there are differents classes, maybe there are differents implementations. 所以,如果有不同的类,也许有不同的实现。
EDIT : 编辑:
I have try this code : 我试过这段代码:
public class InGroup
{
public string Name { get; set; }
public bool Current { get; set; }
public bool Fixe { get; set; }
public bool Thread { get; set; }
}
WindowsIdentity current = System.Security.Principal.WindowsIdentity.GetCurrent();
WindowsPrincipal principalcurrent = new WindowsPrincipal(current);
WindowsIdentity fixe = new WindowsIdentity("JW2031");
WindowsPrincipal principalFixe = new WindowsPrincipal(fixe);
IPrincipal principalThread = System.Threading.Thread.CurrentPrincipal;
List<InGroup> ingroups = new List<InGroup>();
foreach (IdentityReference item in current.Groups)
{
IdentityReference reference = item.Translate(typeof(NTAccount));
Console.WriteLine("{0}\t{1}\t{2}\t{3}",
reference.Value,
principalcurrent.IsInRole(reference.Value),
principalFixe.IsInRole(reference.Value),
principalThread.IsInRole(reference.Value));
ingroups.Add(new InGroup()
{
Name = reference.Value,
Current = principalcurrent.IsInRole(reference.Value),
Fixe = principalFixe.IsInRole(reference.Value),
Thread = principalThread.IsInRole(reference.Value)
});
}
foreach (IdentityReference item in fixe.Groups)
{
IdentityReference reference = item.Translate(typeof(NTAccount));
if (ingroups.FindIndex(g => g.Name == reference.Value) == -1)
{
ingroups.Add(new InGroup()
{
Name = reference.Value,
Current = principalcurrent.IsInRole(reference.Value),
Fixe = principalFixe.IsInRole(reference.Value),
Thread = principalThread.IsInRole(reference.Value)
});
Console.WriteLine("{0}\t{1}\t{2}\t{3}",
reference.Value,
principalcurrent.IsInRole(reference.Value),
principalFixe.IsInRole(reference.Value),
principalThread.IsInRole(reference.Value));
}
}
And here is the result 这是结果
As you can see, I did not have the same groups with differents ways. 正如你所看到的,我没有相同的组有不同的方式。 So (because I'm administrator of my local machine) I think that WindowsIdentity.GetCurrent will get the user from AD and WindowsPrincipal(WindowsIdentity("")) will get the user from local machine. 所以(因为我是我本地机器的管理员)我认为WindowsIdentity.GetCurrent将从AD获取用户并且WindowsPrincipal(WindowsIdentity(“”))将从本地机器获取用户。
In my webapp, I have got the lowest authorisation possible (I think). 在我的webapp中,我获得了最低的授权(我认为)。 But, I have no explanations for the consoleapp... 但是,我没有解释consoleapp ...
It's only suppositions, but this is coherent. 这只是假设,但这是连贯的。
I believe the difference is between the logged in user and the account running the app (thread). 我认为区别在于登录用户和运行应用程序(线程)的帐户。 These will not always be the same. 这些并不总是一样的。
I admit it's a rather ugly workaround, but if all else fails you could replace: 我承认这是一个相当丑陋的解决方法,但如果其他所有方法都失败了,你可以替换:
principal = (WindowsPrincipal)Thread.CurrentPrincipal;
with something like 喜欢的东西
principal = new WindowsPrincipal(new WindowsIdentity(Thread.CurrentPrincipal.Identity.Name));
If that doesn't work, it will probably at least be instructive in showing where things are going wrong. 如果这不起作用,它可能至少对于显示出错的地方具有指导意义。
But I can't imagine it failing, since it does exactly the same thing (where it is relevant) as the line that worked: I assume Thread.CurrentPrincipal.Identity.Name
is "ksarfo"
. 但是我无法想象它会失败,因为它完全相同(相关的地方)作为有效的行:我假设Thread.CurrentPrincipal.Identity.Name
是"ksarfo"
。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.