Using Impersonation in ASP.NET Applications

Source: Internet
Author: User
Abstract

By default, an ASP.NET application runs under the local ASPNET account. This is an ordinary user account with limited permissions, which protects the security of ASP.NET applications. Sometimes, however, an ASP.NET application, or a segment of code in it, needs to perform an operation that requires specific permissions, such as accessing a file. In that case the application, or the corresponding code, must be granted the permissions of an account that is allowed to perform the operation; this technique is called impersonation. This article describes several ways of using impersonation in ASP.NET applications and compares where each one applies. Before reading this article, we recommend reading the article "Identity Authentication in ASP.NET: .NET Security Guide" for a general understanding of ASP.NET security control.

Contents
    • Impersonation in ASP.NET
    • Impersonating the IIS-authenticated account
    • Impersonating a specified user account in an ASP.NET application
    • Impersonating the IIS-authenticated account in code
    • Impersonating a specified user account in code
    • More information
Impersonation in ASP.NET

ASP.NET performs authentication through an authentication provider. In general, the ASP.NET authentication providers are Forms authentication, Windows authentication, and Passport authentication. After authentication, ASP.NET checks whether impersonation is enabled. If it is enabled, the ASP.NET application executes under the client's identity (for the whole application or, selectively, for particular code). Otherwise the ASP.NET application runs under its local identity, typically the local ASPNET account. The overall process is shown in the figure (the image is not included in this copy):

Impersonation is generally used for resource access control in ASP.NET applications, mainly in the following ways:

    • Impersonating the IIS-authenticated account
    • Impersonating a specified user account in an ASP.NET application
    • Impersonating the IIS-authenticated account in code
    • Impersonating a specified user account in code
Impersonating the IIS-authenticated account

Impersonating the IIS-authenticated account is the simplest method: the application executes under the account that IIS authenticated. Add the <identity> element to the web.config file and set its impersonate attribute to true:

<identity impersonate="true" />
In this case, user authentication is delegated to IIS. When anonymous access is allowed, IIS hands the identity used for anonymous logon (IUSR_machinename by default) to the ASP.NET application. If anonymous access is not allowed, IIS passes the authenticated identity to the ASP.NET application. The access permissions of the ASP.NET application are then determined by the permissions of that account.

Impersonating a specified user account

When an ASP.NET application needs to execute under a particular user account, you can specify that account in the <identity> element of the web.config file:
 
<identity impersonate="true" userName="accountname" password="password" />
All requests for all pages of the ASP.NET application are then executed with the permissions of the specified user account. Note that this puts the account's password in clear text in web.config, so the file must be protected accordingly.

Impersonating the IIS-authenticated account in code

Using impersonation in code is more flexible: you can impersonate within a specified code segment and revert to the local ASPNET account outside that segment. This method requires Windows authentication to be in use. The following example impersonates the IIS-authenticated account in code:

Visual Basic .NET
 
Dim impersonationContext As System.Security.Principal.WindowsImpersonationContext
Dim currentWindowsIdentity As System.Security.Principal.WindowsIdentity

' The identity IIS authenticated for this request (requires Windows authentication).
currentWindowsIdentity = CType(User.Identity, System.Security.Principal.WindowsIdentity)
impersonationContext = currentWindowsIdentity.Impersonate()

' Insert your code that runs under the security context of the authenticating user here.

' Revert to the account the application normally runs under.
impersonationContext.Undo()
Visual C# .NET
System.Security.Principal.WindowsImpersonationContext impersonationContext;

// The identity IIS authenticated for this request (requires Windows authentication).
impersonationContext = ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();

// Insert your code that runs under the security context of the authenticating user here.

// Revert to the account the application normally runs under.
impersonationContext.Undo();
Impersonating a specified user account in code

The following example impersonates a specified user account in code:

Visual Basic .NET
<%@ Page Language="VB" %>
<%@ Import Namespace="System.Web" %>
<%@ Import Namespace="System.Web.Security" %>
<%@ Import Namespace="System.Security.Principal" %>
<%@ Import Namespace="System.Runtime.InteropServices" %>

<script runat="server">
Dim LOGON32_LOGON_INTERACTIVE As Integer = 2
Dim LOGON32_PROVIDER_DEFAULT As Integer = 0

Dim impersonationContext As WindowsImpersonationContext

' Win32 API: log the user on and obtain a primary token.
Declare Auto Function LogonUser Lib "advapi32.dll" (ByVal lpszUsername As String, _
                        ByVal lpszDomain As String, _
                        ByVal lpszPassword As String, _
                        ByVal dwLogonType As Integer, _
                        ByVal dwLogonProvider As Integer, _
                        ByRef phToken As IntPtr) As Integer

' Win32 API: duplicate the primary token as an impersonation token.
Declare Auto Function DuplicateToken Lib "advapi32.dll" (ByVal ExistingTokenHandle As IntPtr, _
                        ByVal ImpersonationLevel As Integer, _
                        ByRef DuplicateTokenHandle As IntPtr) As Integer

' Win32 API: release the token handles when they are no longer needed.
Declare Auto Function CloseHandle Lib "kernel32.dll" (ByVal handle As IntPtr) As Integer

Public Sub Page_Load(ByVal s As Object, ByVal e As EventArgs)
    If impersonateValidUser("username", "domain", "password") Then
        ' Insert your code that runs under the security context of a specific user here.
        undoImpersonation()
    Else
        ' Your impersonation failed. Therefore, include a fail-safe mechanism here.
    End If
End Sub

Private Function impersonateValidUser(ByVal userName As String, _
        ByVal domain As String, ByVal password As String) As Boolean

    Dim tempWindowsIdentity As WindowsIdentity
    Dim token As IntPtr = IntPtr.Zero
    Dim tokenDuplicate As IntPtr = IntPtr.Zero
    impersonateValidUser = False

    If LogonUser(userName, domain, password, LOGON32_LOGON_INTERACTIVE, _
                 LOGON32_PROVIDER_DEFAULT, token) <> 0 Then
        If DuplicateToken(token, 2, tokenDuplicate) <> 0 Then
            tempWindowsIdentity = New WindowsIdentity(tokenDuplicate)
            impersonationContext = tempWindowsIdentity.Impersonate()
            If Not impersonationContext Is Nothing Then
                impersonateValidUser = True
            End If
        End If
    End If

    ' WindowsIdentity holds its own copy of the token, so the raw handles can be closed here.
    If Not tokenDuplicate.Equals(IntPtr.Zero) Then CloseHandle(tokenDuplicate)
    If Not token.Equals(IntPtr.Zero) Then CloseHandle(token)
End Function

Private Sub undoImpersonation()
    impersonationContext.Undo()
End Sub
</script>
Visual C# .NET
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Web" %>
<%@ Import Namespace="System.Web.Security" %>
<%@ Import Namespace="System.Security.Principal" %>
<%@ Import Namespace="System.Runtime.InteropServices" %>

<script runat="server">
public const int LOGON32_LOGON_INTERACTIVE = 2;
public const int LOGON32_PROVIDER_DEFAULT = 0;

WindowsImpersonationContext impersonationContext;

// Win32 API: log the user on and obtain a primary token.
[DllImport("advapi32.dll", CharSet = CharSet.Auto)]
public static extern int LogonUser(String lpszUserName,
                                   String lpszDomain,
                                   String lpszPassword,
                                   int dwLogonType,
                                   int dwLogonProvider,
                                   ref IntPtr phToken);

// Win32 API: duplicate the primary token as an impersonation token.
[DllImport("advapi32.dll", CharSet = System.Runtime.InteropServices.CharSet.Auto, SetLastError = true)]
public static extern int DuplicateToken(IntPtr hToken,
                                        int impersonationLevel,
                                        ref IntPtr hNewToken);

// Win32 API: release the token handles when they are no longer needed.
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public static extern bool CloseHandle(IntPtr handle);

public void Page_Load(Object s, EventArgs e)
{
    if (impersonateValidUser("username", "domain", "password"))
    {
        // Insert your code that runs under the security context of a specific user here.
        undoImpersonation();
    }
    else
    {
        // Your impersonation failed. Therefore, include a fail-safe mechanism here.
    }
}

private bool impersonateValidUser(String userName, String domain, String password)
{
    WindowsIdentity tempWindowsIdentity;
    IntPtr token = IntPtr.Zero;
    IntPtr tokenDuplicate = IntPtr.Zero;
    bool result = false;

    if (LogonUser(userName, domain, password, LOGON32_LOGON_INTERACTIVE,
                  LOGON32_PROVIDER_DEFAULT, ref token) != 0)
    {
        if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
        {
            tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
            impersonationContext = tempWindowsIdentity.Impersonate();
            result = (impersonationContext != null);
        }
    }

    // WindowsIdentity holds its own copy of the token, so the raw handles can be closed here.
    if (tokenDuplicate != IntPtr.Zero) CloseHandle(tokenDuplicate);
    if (token != IntPtr.Zero) CloseHandle(token);
    return result;
}

private void undoImpersonation()
{
    impersonationContext.Undo();
}
</script>
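In the samples above, Undo() is only reached if the impersonated code returns normally; an exception leaves the rest of the request running under the impersonated account. The following helper is an added example (not part of the original article) that wraps the same LogonUser/DuplicateToken/Impersonate sequence in an IDisposable so that a using block always reverts the identity and closes the token handles; the class name, the FileCheck wrapper and the placeholder credentials are assumptions.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper (not from the article): scopes impersonation so that
// Undo() and CloseHandle() run even if the protected code throws.
public sealed class ImpersonationScope : IDisposable
{
    const int LOGON32_LOGON_INTERACTIVE = 2, LOGON32_PROVIDER_DEFAULT = 0, SECURITY_IMPERSONATION = 2;

    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    static extern int LogonUser(string user, string domain, string password,
                                int logonType, int logonProvider, ref IntPtr token);
    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    static extern int DuplicateToken(IntPtr token, int level, ref IntPtr newToken);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    IntPtr _token = IntPtr.Zero, _dup = IntPtr.Zero;
    WindowsImpersonationContext _ctx;

    public ImpersonationScope(string user, string domain, string password)
    {
        if (LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                      LOGON32_PROVIDER_DEFAULT, ref _token) == 0)
            throw new InvalidOperationException("LogonUser failed: " + Marshal.GetLastWin32Error());
        try
        {
            if (DuplicateToken(_token, SECURITY_IMPERSONATION, ref _dup) == 0)
                throw new InvalidOperationException("DuplicateToken failed: " + Marshal.GetLastWin32Error());
            _ctx = new WindowsIdentity(_dup).Impersonate();   // thread now runs as the target user
        }
        catch { Dispose(); throw; }   // never leave handles open on a failed setup
    }

    // Called by the using statement on normal exit and on exception alike.
    public void Dispose()
    {
        if (_ctx != null) { _ctx.Undo(); _ctx = null; }            // revert to the ASPNET account
        if (_dup != IntPtr.Zero) { CloseHandle(_dup); _dup = IntPtr.Zero; }
        if (_token != IntPtr.Zero) { CloseHandle(_token); _token = IntPtr.Zero; }
    }
}

// Usage: the file-existence check from the article, run only inside the scope.
// The credentials are placeholders; in practice load them from protected configuration.
public static class FileCheck
{
    public static bool SharedFileExists(string path)
    {
        using (new ImpersonationScope("fileexist", "DOMAIN", "password-placeholder"))
            return File.Exists(path);
    }
}
```

Because impersonation is per thread, any work handed to another thread inside the using block still runs as the ASPNET account.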
The following is a simple application of impersonation in an ASP.NET application. Suppose the application needs to check whether a file exists on the server. The corresponding code is:
 
bool a = File.Exists("D:\\share\\test.txt");
By default, this ASP.NET application runs under the ASPNET account. For security reasons, the ASPNET account has no access permission for the directory D:\share\ on the server. Without impersonation, File.Exists always returns false, whether or not the file exists, because the application lacks permission to access that directory. To solve this problem, create another user account, fileexist, and grant it access permission for the D:\share\ directory. Then specify that account in the <identity> element of the application's web.config file:
 
<identity impersonate="true" userName="fileexist" password="password" />
Then run the program. For more information, see the following links:

1. INFO: Implementing impersonation in an ASP.NET application
   http://support.microsoft.com/default.aspx?SCID=KB;en-US;q306158&SD=mskb
2. INFO: ASP.NET security overview
   http://support.microsoft.com/default.aspx?SCID=KB;en-US;q306590
3. ASP.NET web application security
   http://msdn.microsoft.com/library/default.asp?url=/library/en-US/cpguide/html/cpconaspnetwebapplicationsecurity.asp

Author: Huang Xuebin