Impersonation?


Arpan

The .NET2 documentation defines impersonation as thus:

----------
When using Impersonation, ASP.NET applications can execute with the
Windows identity (user account) of the user making the request.
----------

First of all, what does the above definition of Impersonation actually
mean? Can someone please explain this to me, preferably with examples?

Secondly, is it always necessary that for any ASP.NET application to
execute successfully, that ASP.NET application must have an identity?
If yes, assuming that the <identity> element is not used in the
web.config file & that I login to my (Win2K Pro) m/c with the username
"Administrator" (without the quotes) & password "abcd" (again, without
the quotes), then what is the identity of the ASP.NET application when
I request an ASPX page from IE6.0?

Thanks,

Arpan
 
When you install the dotnet framework, and IIS is already installed, there
is a user account created.

MyMachine\ASPNET

Check your users list.

The default behavior is that a website runs under this account. The dotnet
setup sets up the normal/most common rights for this account.

However, you can add web.config entries, and you can override (impersonate)
another account.

Let's say you had .jpg files on a fileserver in your network

\\myfileserver\images\

You write a web application which copies a .jpg from the myfileserver, and
streams the images across the internet.

The reason you might do this, is if you have 1,000,000 images, and the
enduser only looks at a few of those, then you don't want to copy all files
to the webserver.

Ok... so that's the business rule.

In order to copy files from \\myfileserver\images\ .... you must be able to
see these files. (read privs)

You can either grant read priv to the MyMachine\ASPNET account
OR
impersonate a totally different user, which has read privs.

That's a basic example.

I ~believe when you impersonate, you don't get MyMachine\ASPNET and
\\mydomain\some_user privs... you only get the impersonating user.
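
The web.config entries mentioned in the reply above, as an added example that is not part of the original posts. The account name and password are placeholders, and only one of the three `<identity>` variants can be active at a time.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>

    <!-- Windows authentication, so IIS hands ASP.NET the caller's
         Windows token when impersonation is enabled. -->
    <authentication mode="Windows" />

    <!-- Variant 1 (the default, same as omitting the element):
         no impersonation. Code runs as the worker process account,
         which is the MyMachine\ASPNET account described in the reply. -->
    <identity impersonate="false" />

    <!-- Variant 2: impersonate whoever IIS authenticated for this request.
         With Integrated Windows authentication that is the browsing user;
         with anonymous access enabled in IIS it is the anonymous account
         (IUSR_machinename by default).

    <identity impersonate="true" />
    -->

    <!-- Variant 3: impersonate one fixed account for every request, for
         example a low-privilege account that has read access to
         \\myfileserver\images\ and nothing else.
         PLACEHOLDER values below, not real credentials.

    <identity impersonate="true"
              userName="MYDOMAIN\placeholder_reader"
              password="PLACEHOLDER_PASSWORD" />

         Caveat: the password is stored in clear text in web.config.
         Restrict the file ACL, and on .NET 2.0 encrypt the section:
           aspnet_regiis -pe "system.web/identity" -app "/YourApp"
         ("/YourApp" is a placeholder virtual path.) -->

  </system.web>
</configuration>
```

In every variant, grant the effective account only the rights the application needs, such as read-only access to the image share, rather than impersonating an administrative account.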
 