anonymous access + impersonation

 
 
yonido@gmail.com
      01-30-2006
Hello,

I'm writing a web method which calls a COM+ method, which I need to
call with the user that logged on to Windows and invoked the WebMethod
(impersonation).

Simple impersonation works (impersonate=true in web.config) - however, I
need only a certain part of the code to run in this context. For
other parts, I need different grant options.

So that's where code-impersonation comes in (using
HttpContext.Current.User.Identity and calling Impersonate()).

For example:

[WebMethod]
public void ConfusedMethod()
{
    // These lines will need some powerful grants
    WriteSomethingToEventLog();
    OpenFileInSystemDirectory();

    // These lines should be run with the user
    DoImpersonation();
    CallComComponent();
    UndoImpersonation();
}

THE PROBLEM IS:
I need the first lines to run with a different user. I don't want to use
2 impersonations.
I want all the other parts - which are not in the impersonation scope -
to run with a user I'll configure in IIS (NOT "network service"!)

Tried the following:
1 - Configure the webservice to run as anonymous access, with a certain
user. But then Impersonate() doesn't work (exception - can't impersonate
with an anonymous user).

2 - Configure the webservice as Windows-integrated security. Now I
want to decide which user will run the "default lines". So the only way
I see is to create an application pool with identity=MyDefaultUser.
When doing this, I get an HTTP 401 error (unauthorized) if I try to
call the web service. The only user which works is if I call the
webservice with MyDefaultUser.

I DO set the credentials for the webservice (defaultCredentials) - so
that's not the problem.

What's the correct way to accomplish that?
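
The scoped impersonation described in the post above, written out as an added example (not part of the original post and not either poster's code). `CallerScope` and `IdentityDemoService` are hypothetical names; the code assumes ASP.NET on .NET Framework 3.5 or later, Windows-integrated authentication in IIS, and `<identity impersonate="false"/>` in web.config so that code outside the scope runs as the application pool identity.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Services;

public static class CallerScope   // hypothetical helper name
{
    // Runs 'work' as the authenticated caller, then always reverts to the
    // worker-process identity, even if 'work' throws.
    public static void Run(IIdentity identity, Action work)
    {
        WindowsIdentity caller = identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated || caller.IsAnonymous)
        {
            // With anonymous access there is no caller token to impersonate.
            throw new InvalidOperationException(
                "No authenticated Windows caller; impersonation refused.");
        }

        // Disposing the impersonation context calls Undo(), so the pooled
        // request thread never keeps the caller's token after this block.
        using (caller.Impersonate())
        {
            work();
        }
    }
}

public class IdentityDemoService : WebService   // hypothetical service name
{
    [WebMethod]
    public string[] WhoAmI()
    {
        // Outside the scope: the application pool identity.
        string before = WindowsIdentity.GetCurrent().Name;
        string during = null;

        CallerScope.Run(HttpContext.Current.User.Identity, delegate
        {
            // The COM+ call from the post would go here; it sees the caller.
            during = WindowsIdentity.GetCurrent().Name;
        });

        // Reverted: the application pool identity again.
        string after = WindowsIdentity.GetCurrent().Name;
        return new string[] { before, during, after };
    }
}
```

Returning the three names makes it easy to confirm from a test client that only the middle section ran as the calling user and that the thread reverted afterwards.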

 
Yunus Emre ALPÖZEN [MVP]
 
      01-30-2006
Hello,

My advice to you is to impersonate your COM+ component, not ASP.NET or IIS. To
accomplish this you must register your COM+ component under a COM+ application
that is configured to run as a server application (or you can modify the IIS
application protection level). Impersonate this COM+ application. Add read &
execute rights on the physical DLL for the ASPNET user and give directory
listing rights on that hard drive...

This is the easiest way to do this. But it might have some security risks, I
am not sure. Be careful in this scenario. "Anyone who can call your COM+
component will have the impersonated user's rights and permissions."

--
HTH

Thanks,
Yunus Emre ALPÖZEN
BSc, MCSD.NET
Microsoft .NET & Security MVP
