Todd Bleeker's 12 Hive

Even Better Impersonation

In my recent SharePoint Advisor article, Secure SharePoint Code Using Credential-less Impersonation, I describe a method of using the App Pool identity to complete tasks that the authenticated user doesn't have permission to do. Although I'm not a security expert, I wanted to share this approach because I find it very beneficial. The RevertToAppPool class that I provide in the article calls an operating system routine, which in turn requires the assembly to run under Full trust (still better than storing credentials, IMHO). However, I've recently become aware of an approach that achieves the same kind of impersonation under the preferred WSS_Medium trust level instead of Full.

Use the following RevertToAppPool class in place of the one that I provide in the article to achieve this goal:
using System.Security.Principal;

namespace Mindsharp.Utilities
{
  public class RevertToAppPool
  {
    private WindowsImpersonationContext ctx = null;

    //Revert to the original application pool security context
    //We only want to do this if we are not already running as the system
    public void UseAppPoolIdentity()
    {
      try
      {
        if (!WindowsIdentity.GetCurrent().IsSystem)
        {
          ctx = WindowsIdentity.Impersonate(System.IntPtr.Zero);
        }
      }
      catch{}
    }

    //Return to impersonating the authenticated user
    //Anonymous users are impersonated as IUSR_machinename, by default
    public void ReturnToImpersonatingCurrentUser()
    {
      try
      {
        if(ctx != null)
        {
          ctx.Undo();
        }
      }
      catch{}
    }
  }
}

The code to call the RevertToAppPool class follows:

protected override void RenderWebPart(HtmlTextWriter output)
{
  try
  {
    output.Write("before:" + WindowsIdentity.GetCurrent().Name + "<BR>");
    Mindsharp.Utilities.RevertToAppPool reverter =
      new Mindsharp.Utilities.RevertToAppPool();

    reverter.UseAppPoolIdentity();
    output.Write("reverted:" + WindowsIdentity.GetCurrent().Name
      + "<BR>");

    reverter.ReturnToImpersonatingCurrentUser();
    output.Write("after:" + WindowsIdentity.GetCurrent().Name + "<BR>");

    EnsureChildControls();
    RenderChildren(output);
  }
  catch(Exception ex)
  {
    output.Write("<H1>" + ex.Message + "</H1>");
  }
}
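As an added example (not code from the article or this post), the same Impersonate(IntPtr.Zero) technique wrapped in a disposable scope, so that the request cannot be left running as the App Pool identity if the privileged code throws between the revert and the undo; AppPoolIdentityScope and ScopedRevertWebPart are hypothetical names, and the web part base class is assumed to be the WSS WebPart used by the post's RenderWebPart sample:

```csharp
using System;
using System.Security.Principal;
using System.Web.UI;

namespace Mindsharp.Utilities
{
  // Hypothetical scoped variant of RevertToAppPool: the revert lasts exactly as
  // long as the using block, and Dispose restores the authenticated user even if
  // the privileged code throws (the original class would stay reverted then).
  public sealed class AppPoolIdentityScope : IDisposable
  {
    private WindowsImpersonationContext ctx;

    public AppPoolIdentityScope()
    {
      // Same guard as the original: only revert when not already running as SYSTEM
      if (!WindowsIdentity.GetCurrent().IsSystem)
      {
        // Impersonate(IntPtr.Zero) reverts to the process (App Pool) token. Exceptions
        // are not swallowed: a failed revert must surface, not continue as the wrong identity
        ctx = WindowsIdentity.Impersonate(IntPtr.Zero);
      }
    }

    public void Dispose()
    {
      if (ctx != null)
      {
        ctx.Undo();   // back to impersonating the authenticated user
      }
    }
  }

  // Web part using the scope; RenderWebPart mirrors the post's calling sample
  public class ScopedRevertWebPart : Microsoft.SharePoint.WebPartPages.WebPart
  {
    protected override void RenderWebPart(HtmlTextWriter output)
    {
      string before = WindowsIdentity.GetCurrent().Name;
      string reverted;
      using (new AppPoolIdentityScope())
      {
        // Keep the privileged section as small as possible
        reverted = WindowsIdentity.GetCurrent().Name;
      }
      // If the block above throws, Dispose still runs before the exception leaves it
      string after = WindowsIdentity.GetCurrent().Name;
      output.Write("before:" + before + " reverted:" + reverted + " after:" + after + "<BR>");
    }
  }
}
```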
Thanks to Jeff Goddard in London, England for bringing this awesome option to my attention. As always, it is important to realize that any privilege that you give to the App Pool account could theoretically be exploited by someone with ill intentions. For most SharePoint implementations, this kind of class will be a godsend.

<Todd />

posted on Tuesday, May 03, 2005 7:46 PM

Feedback

# Impersonation in SharePoint web parts 5/10/2005 9:17 AM Alex's blog about SharePoint and .NET

Todd Bleeker wrote an article in SharePoint Advisor Magazine about "Secure Share

# re: Even Better Impersonation 5/14/2005 3:44 PM Maurice Prather

Although this is a common class/technique that a lot of folks use from time to time, be aware that the SharePoint OM will not always honor your reverted state. I've posted more info at http://www.bluedoglimited.com/SharePointThoughts/ViewPost.aspx?ID=7

Maurice

# re: The two biggest problems in Sharepoint development - and they really are annoying! 10/20/2005 2:52 PM Lovely Weather?

# That quirky SharePoint Object Model... 1/4/2006 5:12 PM Chris Johnson

I had another chance yesterday to do battle with something in the SharePoint Object Model. These...

# MSDN: an anthology of high-level tips for SharePoint dev 3/14/2006 8:03 AM The Mit's Blog

While browsing MSDN, I went to the SharePoint SDK, and what a surprise: a new article...

# Follow Up 3/17/2006 8:03 AM Todd Bleeker

Some have found that they need to add an additional line of code (see below) in the UseAppPoolIdentity() function after the following existing code:

//Existing code
ctx = WindowsIdentity.Impersonate(System.IntPtr.Zero);
//Code to add
WindowsIdentity.Impersonate(WindowsIdentity.GetCurrent().Token);

I don't fully understand why a second call to impersonation would be necessary but I've had several people tell me that it helped them.

# SharePoint Web Parts: Free 3rd Party SharePoint Web Parts & Tools 6/1/2006 3:49 PM The Boiler Room - Mark Kruger, SharePoint MVP

For those who aggregate my feed and do not often visit the blog itself... I've updated my SharePoint...

# Free SharePoint Web Parts (3rd Party) 6/26/2007 10:15 AM The Boiler Room - Mark Kruger, Microsoft SharePoin

Free SharePoint Web Parts (3rd Party) Konrad Brunner - UGS's Web Parts (broken link 8/25) Document

# IncludeRootFolder=true - causing a permissions problem | keyongtech 1/21/2009 7:48 PM Pingback/TrackBack

IncludeRootFolder=true - causing a permissions problem | keyongtech
