I wouldn't pass around token handles like this - who will clean them up
reliably at some point? WindowsIdentity both implements IDisposable and has
a finalizer to handle this. The handle is internally wrapped in a
SafeHandle.

Do you insist on Forms Auth - you know that you can do integrated auth over
the internet? This would give you the auto impersonation behavior.

Page_Unload is probably a bad place - APIs like Response.Redirect might
throw a ThreadAbortException and Page_Unload will never run - if you really
want to go down that route then the EndRequest event in the pipeline would be
a better place.

cheers,
dominick

-----------------------------
Dominick Baier, DevelopMentor
http://www.leastprivilege.com


-----Original Message-----
From: Discussion of advanced .NET topics.
[mailto:[EMAIL PROTECTED] On Behalf Of Itay Zandbank
Sent: Thursday, 22 June 2006 14:12
To: [email protected]
Subject: Re: [ADVANCED-DOTNET] Programmatic Impersonation in ASP.NET 2.0

  WindowsIdentity isn't serializable, but an IntPtr probably is. I can keep
the token returned by LogonUser in the session. I like it better than the
cache, but if that's the only viable solution, that's what we'll use.

  I don't want to impersonate just when accessing resources - the web
application accesses resources all the time, wrapping each access with the
impersonation code can be a pain.

  I thought the page-unload event (there is one, right? I don't do ASP.NET
myself) is the best place to stop impersonation of the thread (seeing as
page-load is where we start impersonating).

  Thanks,
  Itay.

-----Original Message-----
From: Dominick Baier [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 21, 2006 9:59 AM
Subject: Re: Programmatic Impersonation in ASP.NET 2.0

Hi,

you can cache the WindowsIdentity. But you have to call LogonUser once to
get the token.

I would not use Session here, because WindowsIdentity is not serializable
(and that's a prereq for out of proc session state) - use the Cache. Just
keep in mind that with every cached token you increase the attack surface of
your application - but on the other hand IIS itself uses a similar scheme.

You cannot plug into the auto impersonation plumbing, but you could write a
module that does the impersonation automatically for each request - but be
careful to undo impersonation at some point of time...

The cleanest way is to use impersonation only for resource access - wrap
your code into a using statement and all cleanup will be done automatically

using (WindowsImpersonationContext ctx = clientIdentity.Impersonate())
{
  // resource access - the thread runs as clientIdentity in here
} // Dispose() calls Undo() for you, also when an exception is thrown
cheers,
dominick

-----------------------------
Dominick Baier, DevelopMentor
http://www.leastprivilege.com
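As an added example, not code posted in this thread, here is what the module Dominick sketches in the reply above could look like on ASP.NET 2.0, combined with the cleanup advice from his later reply (undo in EndRequest rather than Page_Unload, and let Dispose release the token instead of passing raw IntPtrs around). The class name, the cache key prefix, the CacheLogon helper, the 20 minute sliding expiration and the use of PostAuthenticateRequest to pick up the Forms Auth user name are my assumptions for illustration.

```csharp
// Added example, not from the original thread. Assumes Forms Authentication has
// already set Context.User; CacheLogon is called once from the login page.
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web;
using System.Web.Caching;

public class CachedImpersonationModule : IHttpModule
{
    private const string ContextKey = "ImpersonationContext";   // assumed key in Context.Items
    private const string CachePrefix = "WinIdentity:";           // assumed cache key prefix

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    // NETWORK_CLEARTEXT keeps the password in the logon session so the token can
    // authenticate to the middle tier; plain LOGON32_LOGON_NETWORK (3) cannot.
    private const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += BeginImpersonation;
        // EndRequest still fires after Response.Redirect's ThreadAbortException,
        // which is why it is a safer place than Page_Unload for the Undo().
        app.EndRequest += EndImpersonation;
    }

    private static void BeginImpersonation(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        if (app.Context.User == null || !app.Context.User.Identity.IsAuthenticated)
            return;   // anonymous request: nothing to impersonate

        WindowsIdentity id =
            app.Context.Cache[CachePrefix + app.Context.User.Identity.Name] as WindowsIdentity;
        if (id == null)
            return;   // cache entry expired or never created; caller must log on again

        app.Context.Items[ContextKey] = id.Impersonate();
    }

    private static void EndImpersonation(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        WindowsImpersonationContext ctx = app.Context.Items[ContextKey] as WindowsImpersonationContext;
        if (ctx == null)
            return;
        ctx.Undo();          // revert the worker thread to the process identity
        ctx.Dispose();
        app.Context.Items.Remove(ContextKey);
    }

    // Call once, after the user has presented a password (e.g., from the Forms Auth
    // login page). Returns false when LogonUser rejects the credentials.
    public static bool CacheLogon(HttpContext context, string user, string domain, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
            return false;
        try
        {
            // WindowsIdentity duplicates the token into its own SafeHandle,
            // so the raw handle from LogonUser can be closed right away.
            WindowsIdentity id = new WindowsIdentity(token);
            context.Cache.Insert(CachePrefix + user, id, null,
                Cache.NoAbsoluteExpiration, TimeSpan.FromMinutes(20),
                CacheItemPriority.Normal, OnRemoved);
            return true;
        }
        finally
        {
            CloseHandle(token);
        }
    }

    // Release the cached token deterministically when the entry is evicted,
    // instead of waiting for the finalizer.
    private static void OnRemoved(string key, object value, CacheItemRemovedReason reason)
    {
        IDisposable d = value as IDisposable;
        if (d != null) d.Dispose();
    }

    public void Dispose() { }
}
```

Register the module under `<httpModules>` in web.config. Two caveats worth keeping in mind: every cached identity is a live logon token inside the worker process, so keep the sliding expiration short and tie the cache key to the authenticated user name only (never to client-supplied input); and the Impersonate/Undo pairing assumes the request stays on one thread, so do not combine this with async pages or handlers that may resume on a different worker thread.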


-----Original Message-----
From: Discussion of advanced .NET topics.
[mailto:[EMAIL PROTECTED] On Behalf Of Itay Zandbank
Sent: Wednesday, 21 June 2006 10:48
To: [email protected]
Subject: [ADVANCED-DOTNET] Programmatic Impersonation in ASP.NET 2.0

  In our web application, we want to impersonate the end user so that its
identity is carried through to our middle-tier remoting services. We can't
use Windows Authentication (the users are located on the internet, with no
access to our domain controller), so we need to do the impersonation
ourselves (given a username and a password, of course, which will be
provided to ASP.NET somehow. We won't use Basic Authentication).

  I found quite a bit of code that basically calls LogonUser to receive the
impersonated user's token, and then uses WindowsIdentity.Impersonate on that
token. As far as I understand, this impersonation needs to be done every
time a new page is loaded.

  Is there a simpler way? When using Windows Authentication with
impersonation enabled, ASP.NET impersonates the user automatically. Is there
some sort of standard way to hook into this mechanism? Ideally - some place
in the session we can place the token (or WindowsIdentity) only once, and
have ASP.NET use it every time a page is loaded?

  And if there isn't, do we really need to call LogonUser every time a page
is loaded? What if we cache the token in the session, and only call
WindowsIdentity.Impersonate in the Page Loaded event? I'm worried here about
tokens becoming stale for some reason (I'm not worried about Kerberos's
ticket lifetime, the defaults exceed our usage anyway).

  Thanks,
  Itay.

===================================
This list is hosted by DevelopMentor.  http://www.develop.com

View archives and manage your subscription(s) at http://discuss.develop.com
