Velocity Reviews - Computer Hardware Reviews

Using impersonation to allow writing to server directory?

 
 
darrel
      06-14-2005
I'm struggling with an odd permissions problem I have with one of my
functions. It takes a file, writes a directory, and then uploads some files
to it. This works. Once. Any subsequent attempt at writing new files to the
created directory results in an access denied error.

Thanks to a script by Keith Brown, I was able to determine who my
application was running as:

> ======================================================
>
> Unmanaged Process Identity: mycomputerid\ASPNET
> Unmanaged Thread Identity: mycomputerid\IUSR_mycomputerid
> Client Identity (HttpContext.User): [anonymous]
>
> ======================================================


The root folder I am writing to (and any child folder created by my script)
has the ASPNET user given full permissions. I don't have IUSER set up on any
of these folders.

Should I have IUSER set up with write permissions? Or is this where I should
consider using impersonation, and set up a new user just for writing to this
one parent directory? The one catch is that impersonation seems to be at an
application level...not an individual function level.

-Darrel


 
Brock Allen
      06-14-2005
This tells me you have <identity impersonate="true" /> in your web.config.
This says to impersonate on the thread during execution the identity IIS
is using. IUSR_machine in your case, given that you must be allowing anonymous
access.

Ohh! You say it works once? This must mean you have the files left open?
Meaning, you've forgotten to close them, perhaps?

-Brock
DevelopMentor
http://staff.develop.com/ballen







 
darrel
      06-14-2005
> This tells me you have <identity impersonate="true" /> in your web.config.
> This says to impersonate on the thread during execution the identity IIS
> is using. IUSR_machine in your case, given that you must be allowing
> anonymous access.


Hmm...nope. No impersonation tag at all in my web.config file.

> Ohh! You say it works once? This must mean you have the files left open?
> Meaning, you've forgotten to close them, perhaps?


Maybe? That was my original thought. Here are the two key lines in my
function. The first creates the directory (if not created) and the second
saves the files.

system.IO.Directory.CreateDirectory(savePath)
postedFile.SaveAs(savePath & strUploadFileName)


The first time the function runs, the directory is created, and the file is
uploaded. It's after that that I get denied access. Do I need to 'release'
the new directory I create and the files I upload?

Also, here's the full function if it is of any help:

------------------------------------------------------------------

Private Sub uploadFile(fileToUpload As System.Web.HttpPostedFile)
    Dim saveVirtualPath As String = "/documents/forms/"
    Dim savePath As String = Server.MapPath(saveVirtualPath)

    'Build the target directory from the category names
    If Trim(secondaryCategoryDirectory) <> "" Then
        savePath = savePath & fixName(primaryCategoryDirectory, "directory") _
            & "\" & fixName(secondaryCategoryDirectory, "directory")
    Else
        savePath = savePath & fixName(primaryCategoryDirectory, "directory")
    End If

    'Create the directory if it does not exist yet
    If Not System.IO.Directory.Exists(savePath) Then
        Response.Write("<p>CREATING DIRECTORY</p>")
        System.IO.Directory.CreateDirectory(savePath)
    End If

    Dim strUploadFileName As String = ""

    'Make sure the path has a trailing slash
    If Right(savePath, 1) <> "\" Then savePath = savePath & "\"

    Try

        'Save some information from the upload and set up paths
        Dim postedFile As System.Web.HttpPostedFile = fileToUpload 'fileUpload_DOC.PostedFile
        Dim contentType As String = postedFile.ContentType
        Dim contentLength As Integer = postedFile.ContentLength
        strUploadFileName = _
            fixName(System.IO.Path.GetFileName(postedFile.FileName), "file")

        'clean up the filename
        strUploadFileName = fixName(strUploadFileName, "file")

        'save the file
        postedFile.SaveAs(savePath & strUploadFileName)

    Catch exc As System.Exception
        'InnerException is Nothing for most I/O errors, so report exc.Message
        div_updateLog.Visible = True
        lbl_updateLog.Text = label_changeConfirmations.Text & _
            "<p><b>Failed</b> to upload the file <i>" & strUploadFileName & "</i>: " & _
            exc.Message & _
            "<br/>Please contact the system Administrator for help.</p>"
    End Try
End Sub


 
Brock Allen
      06-14-2005
> Hmm...nope. No impersonation tag at all in my web.config file.

Hmm, perhaps in a parent web.config?

> The first time the function runs, the directory is created, and the file is
> uploaded. It's after that that I get denied access. Do I need to
> 'release' the new directory I create and the files I upload?


Hmm, no; CreateDirectory should be sufficient.

> system.IO.Directory.CreateDirectory(savePath)
> postedFile.SaveAs(savePath & strUploadFileName)


I'd debug just to make sure your filenames are correct. Also, consider using
Path.Combine to merge the directory name and the filename.

-Brock
DevelopMentor
http://staff.develop.com/ballen
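
The Path.Combine suggestion above, as an added example that is not code from the thread: it joins the upload root, the category directories and the file name, then checks that the resolved path is still under the root. `BuildSavePath`, the module name and the sample paths are hypothetical.

```vbnet
Imports System
Imports System.IO

' Added example; BuildSavePath and the sample paths are hypothetical.
Module UploadPathDemo

    ' Joins root, sub-directories and file name, then rejects any result that
    ' resolves outside root. Path.Combine alone is not a guard: a rooted
    ' segment such as "\windows" or "C:\x" replaces everything before it.
    Function BuildSavePath(ByVal root As String, ByVal fileName As String, _
                           ByVal ParamArray subDirs() As String) As String
        Dim sep As String = Path.DirectorySeparatorChar.ToString()
        Dim rootFull As String = Path.GetFullPath(root)
        If Not rootFull.EndsWith(sep) Then rootFull &= sep

        Dim target As String = rootFull
        For Each part As String In subDirs
            If part IsNot Nothing AndAlso part.Trim() <> "" Then
                target = Path.Combine(target, part)
            End If
        Next

        ' Keep only the last component of the client-supplied name.
        Dim leaf As String = Path.GetFileName(fileName)
        If leaf = "" Then Throw New ArgumentException("Empty file name.")

        ' Resolve "..", then compare against the root including its trailing
        ' separator so that "forms-old" does not pass as being inside "forms".
        target = Path.GetFullPath(Path.Combine(target, leaf))
        If Not target.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase) Then
            Throw New UnauthorizedAccessException("Path escapes the upload root.")
        End If
        Return target
    End Function

    Sub Main()
        Dim root As String = "C:\inetpub\wwwroot\documents\forms" ' constructed
        Console.WriteLine(BuildSavePath(root, "C:\tmp\w9.pdf", "hr", "tax"))
        Try
            BuildSavePath(root, "w9.pdf", "..\..\bin")
        Catch ex As UnauthorizedAccessException
            Console.WriteLine("Rejected: " & ex.Message)
        End Try
    End Sub
End Module
```

In the upload function this would replace the string concatenation, with `Directory.CreateDirectory(Path.GetDirectoryName(...))` called on the returned path before `SaveAs`.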




 
darrel
      06-14-2005
> Hmm, perhaps in a parent web.config?

Nope.

> I'd debug just to make sure your filenames are correct.


Yep. I've done all that...response.writing every single string out.

Also, I can upload fine to the root directory. It's only ones that my
application creates that the access denied error happens.

> Also, consider using
> Path.Combine to merge the directory name and the filename.


I'll try that!

Otherwise, I think I'm going to set up a new user 'formUploads' and then
have my application run as that user via impersonation. Does that sound like
a valid solution?
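
A diagnostic for the situation described here (the root directory accepts uploads, application-created directories do not), as an added example that is not code from the thread or from Keith Brown's script: it reports the process and thread accounts and lists the owner and access rules of each directory so the two can be compared. All names are hypothetical; it assumes .NET Framework 2.0 or later on Windows.

```vbnet
Imports System
Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal
Imports System.Text

' Added example; module and function names are hypothetical.
Module WriteAccessReport

    ' Account the current thread acts as (the impersonated one, if any).
    Function ThreadIdentity() As String
        Return WindowsIdentity.GetCurrent().Name
    End Function

    ' Account of the worker process: drop any impersonation token for the
    ' duration of the call, read the identity, then restore it.
    Function ProcessIdentity() As String
        Dim ctx As WindowsImpersonationContext = WindowsIdentity.Impersonate(IntPtr.Zero)
        Try
            Return WindowsIdentity.GetCurrent().Name
        Finally
            ctx.Undo()
        End Try
    End Function

    ' Owner and access rules of a directory, one line per rule.
    ' Translating to NTAccount throws if a SID no longer maps to an account.
    Function DescribeAcl(ByVal folder As String) As String
        Dim sec As DirectorySecurity = Directory.GetAccessControl(folder)
        Dim sb As New StringBuilder()
        sb.AppendLine(folder & " owner: " & sec.GetOwner(GetType(NTAccount)).Value)
        For Each r As FileSystemAccessRule In sec.GetAccessRules(True, True, GetType(NTAccount))
            sb.AppendLine(String.Format("  {0} {1} {2} inherited={3}", _
                r.AccessControlType, r.IdentityReference.Value, r.FileSystemRights, r.IsInherited))
        Next
        Return sb.ToString()
    End Function

    ' Stand-alone use: pass the root and one application-created directory.
    Sub Main(ByVal args() As String)
        Console.WriteLine("Process identity: " & ProcessIdentity())
        Console.WriteLine("Thread identity:  " & ThreadIdentity())
        For Each folder As String In args
            Console.WriteLine(DescribeAcl(folder))
        Next
    End Sub
End Module
```

Run from a console, both identities are the logged-on user; to see the accounts the upload actually runs under, call the three functions from the page's `Catch` block and write the result to the log.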


 
Brock Allen
      06-14-2005
> Otherwise, I think I'm going to set up a new user 'formUploads' and
> then have my application run as that user via impersonation. Does that
> sound like a valid solution?


Well, it's still hard to tell what the exact problem is. I'd not want to
give advice without knowing for sure.

-Brock
DevelopMentor
http://staff.develop.com/ballen



 
darrel
      06-14-2005
> Well, it's still hard to tell what the exact problem is.

Hence my predicament. ;o)

-Darrel


 
Brock Allen
      06-14-2005
Heh... sorry that my last post wasn't too helpful

-Brock
DevelopMentor
http://staff.develop.com/ballen



>> Well, it's still hard to tell what the exact problem is.
>>

> Hence my predicament. ;o)
>
> -Darrel
>




 