What does WindowsIdentity.GetCurrent().Impersonate() do?

I am writing a class to handle impersonation and delegation for use in asp.net, WCF services and WinForms applications.

Per MSDN, WindowsIdentity.GetCurrent() returns a WindowsIdentity object that represents the current Windows user.

and

Per MSDN, WindowsIdentity.Impersonate() allows code to impersonate a different Windows user.

So, what is the effect of impersonating the current user and, more importantly, in a web application, what could WindowsIdentity.GetCurrent() return other than the identity of the process starter or of the end user who is already being impersonated?

+4
2 answers

Impersonate() throws a SecurityException if a Win32 error occurs. Therefore, it is likely implemented through a Win32 function, most likely ImpersonateLoggedOnUser().

Its documentation says (emphasis mine):

All impersonate functions, including ImpersonateLoggedOnUser, allow the requested impersonation if one of the following is true:

  • The requested impersonation level of the token is less than SecurityImpersonation, such as SecurityIdentification or SecurityAnonymous.
  • The caller has the SeImpersonatePrivilege privilege.
  • The process (or another process in the caller's logon session) created the token using explicit credentials through LogonUser or LsaLogonUser.
  • The authenticated user identity is the same as the caller.

Therefore, I am very inclined to think that WindowsIdentity.GetCurrent().Impersonate() simply sets a new impersonation level for the same user.

As for the second part of your question, you seem to be confusing WindowsIdentity.GetCurrent() with HttpContext.User. In a web application, WindowsIdentity.GetCurrent() always returns the owner of the thread (usually Network Service), and HttpContext.User returns the currently authenticated user, if any.

+7
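The distinction the answer draws (thread identity versus request identity, and Impersonate() on the current identity changing nothing) is easiest to see in code. The following is an added example, not code from the thread or from Microsoft; it assumes an ASP.NET (.NET Framework) handler with Windows authentication enabled, where HttpContext.Current is the ambient request, and the class and method names are hypothetical.

```csharp
using System;
using System.Diagnostics;
using System.Security.Principal;
using System.Web;

// Added example (not from the original thread). Assumes an ASP.NET (.NET Framework)
// request with Windows authentication; the helper names are hypothetical.
public static class ImpersonationDemo
{
    // Runs 'work' as the authenticated request user, then always reverts.
    // Returns the thread identity observed before, during and after.
    public static string[] RunAsRequestUser(Action work)
    {
        // Thread/process identity: under IIS this is the application pool
        // identity (e.g. NT AUTHORITY\NETWORK SERVICE), never the browser user.
        string before = WindowsIdentity.GetCurrent().Name;

        // Request identity: set by Windows authentication. It is null or not a
        // WindowsIdentity when the request is anonymous or uses Forms auth.
        WindowsIdentity requestIdentity =
            HttpContext.Current?.User?.Identity as WindowsIdentity;
        if (requestIdentity == null || !requestIdentity.IsAuthenticated)
            throw new InvalidOperationException("No authenticated Windows user on this request.");

        // An Identification-level token (the "less than SecurityImpersonation" case
        // quoted above) can be inspected but cannot be used to access resources.
        // Refuse it up front rather than failing with an access-denied error later.
        if (requestIdentity.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
            throw new InvalidOperationException(
                "Token level " + requestIdentity.ImpersonationLevel + " cannot be used to impersonate.");

        string during;
        // Impersonate() throws SecurityException on a Win32 failure. The returned
        // context must be undone so the pooled worker thread is not handed to the
        // next request while still impersonating; 'using' guarantees Undo() runs
        // even if work() throws.
        using (WindowsImpersonationContext ctx = requestIdentity.Impersonate())
        {
            // Now GetCurrent() reflects the impersonated user, not the app pool.
            during = WindowsIdentity.GetCurrent().Name;
            work();
        }

        string after = WindowsIdentity.GetCurrent().Name;
        Trace.WriteLine("before=" + before + " during=" + during + " after=" + after);
        return new[] { before, during, after };
    }

    // The case the question asks about: impersonating the identity that is
    // already current. The effective user does not change, which matches the
    // answer's conclusion that this only (re)sets the impersonation level.
    public static bool ImpersonatingSelfChangesUser()
    {
        WindowsIdentity self = WindowsIdentity.GetCurrent();
        using (self.Impersonate())
        {
            return WindowsIdentity.GetCurrent().Name != self.Name; // expected: false
        }
    }
}
```

Two caveats a practitioner should keep in mind: impersonation is per thread, so anything that hops threads (async continuations, thread-pool work items) will run as the app pool identity again unless the identity is re-applied; and WindowsIdentity.Impersonate() and WindowsImpersonationContext exist only in .NET Framework, with .NET Core and later exposing the equivalent as WindowsIdentity.RunImpersonated(SafeAccessTokenHandle, Action), which scopes the impersonation to the delegate for you.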

The current user is very important if you must carry the user through several applications, including some that usually allow anonymous access. In addition, it allows you to do explicitly what is done implicitly in certain types of applications.

From your point of view, it may be more important to understand that not all types of applications automatically receive the logged-on user the way you would like. In these cases, there are several ways you can programmatically obtain an identity and then use it for your own purposes (nefarious or otherwise?).

As for impersonating another user, this becomes interesting when you go beyond some of the declarative situations (for example, impersonation in ASP.NET). This is restricted for a good reason, so that a hacker cannot create an application with god rights, for example.

0

Source: https://habr.com/ru/post/1380469/
