Impersonating ASP.NET claims identity to Windows identity


Question


I have an ASP.NET application which uses claims-based authentication against ADFS. I also map it to a WindowsClaimsIdentity by using the Claims to Windows Identity Service. That works fine.


But now I need to impersonate the current request/thread so I can access a service which is not claims aware. How should I do that?


Should I acquire a WindowsImpersonationContext in the Application_PostAuthenticate event, save it in HttpContext.Items, and then call the Undo method in Application_EndRequest?


Or are there other preferred ways to do this?


Update: As I didn't get any hints on what the preferred way to impersonate is, I tried my own suggestion. I created this code in global.asax.cs:

    private static readonly string WICKey = typeof(System.Security.Principal.WindowsImpersonationContext).AssemblyQualifiedName;

    protected void Application_PostAuthenticateRequest()
    {
        var wid = User.Identity as System.Security.Principal.WindowsIdentity;
        if (wid != null)
        {
            HttpContext.Current.Trace.Write("PostAuthenticateRequest PreImpersonate: " + System.Security.Principal.WindowsIdentity.GetCurrent().Name);
            HttpContext.Current.Items[WICKey] = wid.Impersonate();
            HttpContext.Current.Trace.Write("PostAuthenticateRequest PostImpersonate: " + System.Security.Principal.WindowsIdentity.GetCurrent().Name);
        }
    }

    protected void Application_EndRequest()
    {
        var wic = HttpContext.Current.Items[WICKey] as System.Security.Principal.WindowsImpersonationContext;
        if (wic != null)
        {
            HttpContext.Current.Trace.Write("EndRequest PreUndoImpersonate: " + System.Security.Principal.WindowsIdentity.GetCurrent().Name);
            wic.Undo();
            HttpContext.Current.Trace.Write("EndRequest PostUndoImpersonate: " + System.Security.Principal.WindowsIdentity.GetCurrent().Name);
        }
    }


When I look at the trace log I see this:

PostAuthenticateRequest PreImpersonate: NT AUTHORITY\NETWORK SERVICE
PostAuthenticateRequest PostImpersonate: MyDomain\CorrectUser
Home: NT AUTHORITY\NETWORK SERVICE
EndRequest PreUndoImpersonate: NT AUTHORITY\NETWORK SERVICE
EndRequest PostUndoImpersonate: NT AUTHORITY\NETWORK SERVICE


So in the second line you can see the thread is impersonated correctly. But in the next lines you see that the impersonation is lost (the third line originates from a controller).


When I use the following code to impersonate locally it works fine:

        var wid = User.Identity as System.Security.Principal.WindowsIdentity;
        if (wid != null)
        {
            using (var ctx = wid.Impersonate())
            {
                //Do something
            }
        }


But I want to impersonate the whole request lifetime. How should I do that?
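The trace above is the expected behaviour of WindowsIdentity.Impersonate(): the context it returns switches the token of the OS thread it was called on, and ASP.NET applies the thread's Windows token per pipeline step, so a context opened in PostAuthenticateRequest is not in effect by the time the controller runs. The safer pattern is to scope impersonation to the call that needs it rather than to the request. The following is an added example, not code from the question; the ScopedImpersonation helper, HomeController and its action are hypothetical. It uses WindowsIdentity.RunImpersonated (.NET Framework 4.6 and later), which restores the original token when the delegate returns, even on exception, and it checks the token's impersonation level first, because an Identification-level token from the claims-to-Windows mapping cannot be used to access resources at all.

```csharp
using System;
using System.Security.Principal;
using System.Web.Mvc;

// Hypothetical helper (added example): impersonate only around the work that needs it.
public static class ScopedImpersonation
{
    // Runs `work` with the calling thread's token switched to the request user's
    // WindowsIdentity, then restores the worker-process token before returning.
    public static T RunAs<T>(IPrincipal user, Func<T> work)
    {
        var wid = user != null ? user.Identity as WindowsIdentity : null;
        if (wid == null)
            throw new InvalidOperationException(
                "Request principal is not a WindowsIdentity; claims-to-Windows mapping did not run.");

        // Identification-level tokens cannot open resources; Delegation is needed for
        // an off-box service. Fail early with a clear message instead of an access-denied
        // deep inside the backend call.
        if (wid.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
            throw new InvalidOperationException(
                "Token impersonation level is " + wid.ImpersonationLevel +
                "; it cannot be used to impersonate.");

        // RunImpersonated reverts the token when `work` completes, so the Undo cannot be
        // forgotten or end up executing on a different thread than the Impersonate call.
        return WindowsIdentity.RunImpersonated(wid.AccessToken, work);
    }
}

// Hypothetical controller showing the identity seen before, during and after the scope.
public class HomeController : Controller
{
    public ActionResult Index()
    {
        string before = WindowsIdentity.GetCurrent().Name;   // worker identity, e.g. NETWORK SERVICE

        string during = ScopedImpersonation.RunAs(User, () =>
        {
            // Call the non-claims-aware backend here; it sees the impersonated user.
            return WindowsIdentity.GetCurrent().Name;         // e.g. MyDomain\CorrectUser
        });

        string after = WindowsIdentity.GetCurrent().Name;    // worker identity again

        return Content(string.Format("before={0}; during={1}; after={2}", before, during, after));
    }
}
```

Keep the work inside RunAs synchronous: the guarantee is only about the thread running the delegate, which is exactly the property the per-request approach in global.asax.cs could not rely on.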

Answer


You said the backend service is not claims aware. Can you elaborate on this? Do you mean that the compiled code is not claims aware but you have the ability to modify the web.config file? If so, then you can try to configure the backend service to use the WIF pipeline for authN by wedging in the WSFederationAuthenticationModule, SessionAuthenticationModule and a custom ClaimsAuthorizationManager if you need to also do authZ. You can then use WIF's ActAs or OnBehalfOf features when your ASP.NET application calls the backend service.
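The custom ClaimsAuthorizationManager the answer mentions is where the backend actually enforces authZ once the WIF modules are in its pipeline: WIF's base implementation of CheckAccess returns true for everything, so without an override the modules only authenticate. The class below is an added example, not the answer's code and not part of WIF; the manager name, the resource/action-to-role table and the trusted-actor list are constructed. It is registered in the backend's web.config under the system.identityModel/identityConfiguration claimsAuthorizationManager element, and it is invoked whenever service code calls ClaimsPrincipalPermission.CheckAccess. Because the ActAs token issued by ADFS nests the calling front end as the Actor of the user's identity, the manager also checks that the actor is one it trusts, which closes the hole where any client holding a valid token could act on a user's behalf.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.IdentityModel.Services;

// Hypothetical authorization manager for the backend service (added example).
public class BackendAuthorizationManager : ClaimsAuthorizationManager
{
    // Constructed policy table: "resource:action" -> role claim value required.
    private static readonly Dictionary<string, string> RequiredRole =
        new Dictionary<string, string>
        {
            { "Orders:Read",  "OrderReaders" },
            { "Orders:Write", "OrderWriters" },
        };

    // Constructed allow-list of front-end identities permitted to ActAs an end user.
    private static readonly HashSet<string> TrustedActors =
        new HashSet<string> { "portal@mydomain.example" };

    public override bool CheckAccess(AuthorizationContext context)
    {
        string resource = FirstValue(context.Resource);
        string action = FirstValue(context.Action);
        ClaimsPrincipal principal = context.Principal;
        if (resource == null || action == null || principal == null)
            return false;

        // Unknown resource/action pairs are denied rather than silently allowed.
        string role;
        if (!RequiredRole.TryGetValue(resource + ":" + action, out role))
            return false;

        // The end user must carry the role claim the policy requires.
        if (!principal.HasClaim(ClaimTypes.Role, role))
            return false;

        // With ActAs, Identity.Actor is the service that called on the user's behalf.
        var identity = principal.Identity as ClaimsIdentity;
        ClaimsIdentity actor = identity != null ? identity.Actor : null;
        if (actor != null)
        {
            Claim actorName = actor.FindFirst(ClaimTypes.Name);
            if (actorName == null || !TrustedActors.Contains(actorName.Value))
                return false;
        }

        return true;
    }

    // Resource and Action arrive as claim collections; the value of the first one is the name.
    private static string FirstValue(IEnumerable<Claim> claims)
    {
        Claim claim = claims == null ? null : claims.FirstOrDefault();
        return claim == null ? null : claim.Value;
    }
}

// Hypothetical usage inside a backend service operation; WIF routes this call to
// CheckAccess above and throws SecurityException when it returns false.
public static class OrdersService
{
    public static void ReadOrders()
    {
        ClaimsPrincipalPermission.CheckAccess("Orders", "Read");
        // ... read orders ...
    }
}
```

Denying by default for resources the table does not know about, and treating a missing Actor as a direct (non-delegated) call, are deliberate: a manager that allowed unknown pairs would revert to the base class's allow-all behaviour the moment a new operation was added without a policy entry.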
