Re: Forms Authentication and Impersonation
From: eruess (eruess_at_redding_path.com)
Date: 06/07/03
- Next message: Sherif Elbedeiwy: "Disable my iis"
- Previous message: Jonathan: "Re: Further: The website had info on php and iis along with perl."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 6 Jun 2003 17:37:20 -0700
Here's what I'd do, if for whatever reason I wanted to accomplish that
task:

1. On the IIS box, turn impersonation -off- in web.config so that asp.net
requests run as the machine.config specified user.

2. On that other box (the file source box, whatever it is), set up a special
user that only has access to the files in question. If need be, explicitly
deny access to the machine.config asp.net user and the IIS anonymous user,
to block arbitrary direct requests from the more knowledgeable end-users.

3. Look up how to impersonate someone in asp using the language of your
choice. Sorry I don't have a link handy... there's some fine ms kb articles
about it tho, it's where I learned about it.

4. Rewrite the page with your newfound knowledge of thread impersonation -
make it so that the thread is impersonated as the special user you set up on
the other box, just before it attempts to access the file. Once the thread
is impersonated as the user who has access to the file(s), now you can read
them - start doing whatever it is you need to do with the file(s).

5. When done, undo the impersonation back to normal; or, just let the thread
recycle by allowing the request (this particular request of the aspx page
that accesses the secret files) to finish all the way. Each web request is
its own thread, so once the request to the file-accessing aspx page is
over, any impersonation you did will be gone. So un-impersonating may be
redundant.

So to sum up this general idea, the user surfs around asp.net pages as the
machine.config user, and if they try, can't access the files in question
directly. But, if they go thru the proper channels to access your
file-accessing aspx page, this page grabs files for them under the guise of
some other user. Then by virtue of the fact that the request ending
"undoes" the impersonation, the end-user's subsequent asp.net page request
will continue to be as the machine.config user.

"Mike" <mikeschall@hotmail.com> wrote in message
news:1b3d01c28cae$3f8d2cd0$8df82ecf@TK2MSFTNGXA02...
> I can get access to the files if I set the <identity>
> section of the web.config to impersonate and give a domain
> username and password. This works, but fails my goal
> because now the files are available to the anonymous user
> again.
>
> Any ideas would be great. Thanks for your time.
> Mike
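
Steps 4 and 5 of the reply above, sketched in C# as an added example that is not part of the original post: the thread impersonates the special user only for the file read and always reverts in `finally`. The class name, parameters and the path-confinement check are assumptions of this example; the credentials are assumed to come from protected configuration rather than source code.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper: impersonate only around the single file read.
public sealed class RestrictedFileReader
{
    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    public static byte[] ReadAs(string user, string domain, string password,
                                string shareRoot, string fileName)
    {
        // Confine the requested name to the share so the page cannot be
        // steered to another path the special user happens to reach.
        string root = Path.GetFullPath(shareRoot).TrimEnd('\\') + "\\";
        string full = Path.GetFullPath(Path.Combine(root, fileName));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Requested path is outside the share.");

        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        WindowsImpersonationContext ctx = null;
        try
        {
            ctx = WindowsIdentity.Impersonate(token); // thread now runs as the special user
            return File.ReadAllBytes(full);
        }
        finally
        {
            if (ctx != null) ctx.Undo();              // revert to the worker-process identity
            CloseHandle(token);
        }
    }
}
```

On Windows 2000 the account running the worker process needs the "Act as part of the operating system" privilege to call `LogonUser`; Windows XP and Server 2003 do not require it.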