OWIN Web API Windows服务-Windows身份模拟 [英] OWIN Web API Windows Service - Windows Identity Impersonation

问题描述

这是一个Intranet应用.

This is an intranet app.

我有一个Windows Server上以服务帐户运行的WebAPI Owin自托管应用程序.

I have a WebAPI Owin selfhosting app running on a Windows Server under a service account.

前端是AngularJS，它通过此Web API与数据库对话.

The Front end is AngularJS which talks to the database through this Web API.

我想要的是在需要数据库交互的API上调用任何操作时，使用用户凭据连接到数据库，而不是服务帐户本身.

What I want is when any action is invoked on the API which requires database interaction, the user credentials are used to connect to the database, and not the service account itself.

我正在使用Windows身份验证，并且已在Startup类的httpListener上启用了Ntlm身份验证，并且能够对用户进行身份验证.

I am using Windows authentication, and I have enabled Ntlm authentication on the httpListener in the Startup class, and I am able to authenticate the user.

当我向Web api提交请求时，我可以看到Thread.CurrentPrincipal返回当前用户，但是数据库连接失败，因为它试图使用服务帐户而不是用户凭据连接到数据库.

When I submit a request to Web api, I can see that the Thread.CurrentPrincipal returns the current user, but the database connection fails, because it is trying to connect to the database using the service account, and not the user credentials.

请告诉我如何将用户凭据从Web API传递到数据库

Please tell me how to pass the user credentials to the database from Web API

推荐答案

您应该这样模拟呼叫用户:

You should impersonate the calling user like this:

public void PerformDBOperationAsCallingUser()
{
    WindowsIdentity callingUser = (WindowsIdentity)Thread.CurrentPrincipal.Identity;

    using (WindowsImpersonationContext wic = callingUser.Impersonate())
    {
        // do your impersonated work here...
        // check your identity like this:
        var name = WindowsIdentity.GetCurrent().Name;
    }
}

很高兴将这段代码用作工作单元周围的装饰器.但是取决于您设计的其余部分.

Would be nice to use this piece of code as a decorator around your unit of work. But depends on the rest of your design.

这篇关于OWIN Web API Windows服务-Windows身份模拟的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！