Re: How can roles be determined for a resource?
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 08/22/05
- Next message: SpeeD: "Re: deny users to enter password upper than 3 or x"
- Previous message: Waqas Pitafi: "Re: Enabling Forms Authentication Stops Button Click Events"
- In reply to: Dominick Baier [DevelopMentor]: "Re: How can roles be determined for a resource?"
- Next in thread: Paul Taylor: "Re: How can roles be determined for a resource?"
- Reply: Paul Taylor: "Re: How can roles be determined for a resource?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 22 Aug 2005 13:20:41 -0500
Doh!
I actually did read it but misunderstood what he was saying. I somehow
inverted the meaning of what he was saying in the agree/disagree part. My
bad. :)
Joe K.
"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
wrote in message news:778012632603329162046737@news.microsoft.com...
> Joe, read the whole thread :)
>
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> Impersonation should only be required here if you have applied a
>> Windows file system ACL on that directory using that group in addition
>> to the location tag.
>>
>> Otherwise, I'm not sure what the impersonation is doing here. What
>> resources are being accessed in Windows that require impersonation of
>> the authenticated user?
>>
>> Joe K.
>>
>> "Paul Taylor" <paul.taylor.ctr@dla.mil> wrote in message
>> news:1124719399.096791.273260@f14g2000cwb.googlegroups.com...
>>
>>> Dominick,
>>>
>>> I half-agree that impersonation is needed...
>>>
>>> -- The Agreement Part
>>> In the code snippet I provided earlier, impersonation is necessary but
>>> not because URL Authorization requires it. It is necessary because
>>> CredentialCache.DefaultCredentials doesn't contain all the user
>>> principal information needed to do the access check. To get around
>>> this problem you don't have to turn impersonation on site-wide
>>> (web.config), just turn it on right before you get the default
>>> credentials. I agree that impersonation site-wide can be a nasty thing
>>> to contend with, but using it programmatically, in a small scope, can
>>> be extremely useful. Like so:
>>> private bool IsAuthorized(string url)
>>> {
>>>     bool isAuthorized = true;
>>>     // Impersonate the current user for the duration of the check only.
>>>     WindowsImpersonationContext user = null;
>>>     if (Context.User != null &&
>>>         Context.User.Identity is WindowsIdentity)
>>>     {
>>>         WindowsIdentity identity = (WindowsIdentity)Context.User.Identity;
>>>         user = identity.Impersonate();
>>>     }
>>>     try
>>>     {
>>>         HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
>>>         request.PreAuthenticate = true;
>>>         // While impersonating, these are the authenticated user's credentials.
>>>         request.Credentials = CredentialCache.DefaultCredentials;
>>>         HttpWebResponse response = (HttpWebResponse)request.GetResponse();
>>>         if (response.StatusCode == HttpStatusCode.Unauthorized)
>>>             isAuthorized = false;
>>>         response.Close();
>>>     }
>>>     catch (WebException ex)
>>>     {
>>>         // GetResponse() throws on a 401 instead of returning it, so the
>>>         // status check above never sees it; treat 401 as "not authorized"
>>>         // and let any other failure propagate.
>>>         HttpWebResponse response = ex.Response as HttpWebResponse;
>>>         if (response == null ||
>>>             response.StatusCode != HttpStatusCode.Unauthorized)
>>>             throw;
>>>         isAuthorized = false;
>>>         response.Close();
>>>     }
>>>     finally
>>>     {
>>>         // Undo the impersonation even if the request fails.
>>>         if (user != null)
>>>             user.Undo();
>>>     }
>>>     return isAuthorized;
>>> }
>>> -- The Disagree Part
>>> Below is my web.config, which does not have impersonation enabled.
>>> Normal page retrieval works as it should (i.e. aspx pages in the admin
>>> directory load when I'm in the group, but provide the security prompt
>>> when I'm not).
>>> <?xml version="1.0" encoding="utf-8"?>
>>> <configuration>
>>>   <system.web>
>>>     <customErrors mode="RemoteOnly"/>
>>>     <authentication mode="Windows"/>
>>>     <authorization>
>>>       <allow users="*"/>
>>>     </authorization>
>>>     <sessionState mode="InProc"
>>>                   stateConnectionString="tcpip=127.0.0.1:42424"
>>>                   sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
>>>                   cookieless="false"
>>>                   timeout="20"/>
>>>   </system.web>
>>>   <location path="Admin">
>>>     <system.web>
>>>       <authorization>
>>>         <allow roles="mydomain\mygroup"/>
>>>         <deny users="*"/>
>>>       </authorization>
>>>     </system.web>
>>>   </location>
>>> </configuration>
>
>
>
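The thread's underlying question is how to find out whether the current user's roles grant access to a resource covered by the `<location path="Admin">` rules above. As an added example (not code from this thread or its participants), on ASP.NET 2.0 or later the same check can be made in-process with `UrlAuthorizationModule.CheckUrlAccessForPrincipal`, which evaluates the configured `<authorization>` rules for a principal without impersonation and without a second HTTP request; the page class, control names and the `~/Admin/Default.aspx` path are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Added example, not code from this thread. Evaluates the <location path="Admin">
// authorization rules from the web.config above for the current Windows user,
// in-process: no impersonation and no round-trip request. Needs ASP.NET 2.0+.
// The class, control and path names are assumptions.
public partial class AdminMenu : Page
{
    // True if URL authorization would let 'user' GET 'virtualPath'
    // ("~/..." app-relative or "/..." absolute paths inside this application).
    public static bool CanAccess(string virtualPath, IPrincipal user)
    {
        if (user == null)
            return false;
        // Same evaluation UrlAuthorizationModule performs for a real request:
        // <allow roles="mydomain\mygroup"/> is tested before <deny users="*"/>.
        return UrlAuthorizationModule.CheckUrlAccessForPrincipal(virtualPath, user, "GET");
    }

    // Group membership read from the caller's Windows token. This is the role
    // test URL authorization relies on under <authentication mode="Windows"/>,
    // so no impersonation is needed to answer it.
    public static bool IsInAdminGroup(IPrincipal user)
    {
        return user != null && user.IsInRole(@"mydomain\mygroup");
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        bool showAdminLink = CanAccess("~/Admin/Default.aspx", Context.User);
        AdminLink.Visible = showAdminLink;           // assumed HyperLink control
        AdminLink.NavigateUrl = "~/Admin/Default.aspx";
        GroupLabel.Text = IsInAdminGroup(Context.User) // assumed Label control
            ? "Member of mydomain\\mygroup"
            : "Not a member of mydomain\\mygroup";
    }
}
```

Hiding the link is a usability nicety only; the `<location>` rules remain the enforcement point for any request to the Admin directory.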