Passing Impersonation to new Thread

  • Thread starter: C

All,

I am trying to run my BO in a separate thread, so that I can give the
user a visual of the status of my process in an asp.net page/site. All
works fine, IF the ASPNET user has admin rights, (in order to do the
tasks in the BO). Now, I impersonate the admin user in the web.config
after removing his admin rights from my machine, then I ran the code
below, in a page_load. The Name of the security principal is the
administrator I have specified in the web.config. However, this
impersonation does not get carried over to new threads, as I have
found out when I am getting the WindowsIdentity in my BO.

(Explained here as well)
http://www.asp.net/whitepaper/aspnet_hosting_public.doc

So, my question is, how do I instantiate a new thread, and assign the
same security context to it, as I have in my AppDomain?

I have tried doing it in my BO, but then again, we need a lot of other
permissions set for the ASPNET user and/or change the machine.config,
etc, etc..

Is there any way to carry over my user rights to the new thread t?

Other articles:
http://www.dotnetspider.com/Technology/KBPages/403.aspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q306158
http://www.bluevisionsoftware.com/WebSite/TipsAndTricksDetails.aspx?Name=AspNetAccount
http://groups.google.co.uk/groups?h...f&[email protected]

CODE SAMPLE FROM PAGE_LOAD:
//admin user
Response.Write (System.Security.Principal.WindowsIdentity.GetCurrent().Name );

//SOME CODE...
#region SITE OBJECT & THREAD CREATION
if(Session["o_site"]==null)//CREATES NEW OBJECTS FOR SESSION
{
    o_site = new Site ();
    o_site.Load_Customer_Data (s_valid_site);

    t = new Thread (new ThreadStart (o_site.CreateSite ));
    //the user in o_site.CreateSite is 'ASPNET' user, when it executes!
    t.Start ();
    while(!t.IsAlive );

    Session["o_site"] = o_site;
    Session["o_t"] = t;
}
else//REUSE
{
    t = (Thread)Session["o_t"];
    o_site = (Site)Session["o_site"];
}
#endregion

Thanks Dudes.
 
when nt (and .net) starts a thread, it gets the security token of the
process, not the thread it created. to impersonate the creating thread you
will need to add some code. to do this you will need to add the
impersonation permission to the asp.net account (off by default), then look
at the win32 calls:

RevertToSelf
DuplicateToken

and the .net call

(new WindowsIdentity(token)).Impersonate()

basically you want to pass the security token of the starting thread to the
started thread. it must be a primary token, use DuplicateToken for this.

-- bruce (sqlwork.com)
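
An added example, not part of either post: one way to hand the request thread's impersonated identity to a worker thread and make sure the worker drops it again. It assumes .NET Framework 4.x (WindowsIdentity.Impersonate and Dispose); ImpersonatedWorker is a hypothetical helper name, and it keeps the WindowsIdentity object rather than a raw token so the handle's lifetime stays managed.

```csharp
using System;
using System.Security.Principal;
using System.Threading;

// Hypothetical helper (not from the thread): runs a ThreadStart on a new
// thread under the Windows identity captured on the thread that created it.
// Usage in Page_Load, replacing the plain Thread creation:
//   t = new ImpersonatedWorker(new ThreadStart(o_site.CreateSite)).Start();
public sealed class ImpersonatedWorker
{
    private readonly WindowsIdentity _identity;
    private readonly ThreadStart _work;

    public ImpersonatedWorker(ThreadStart work)
    {
        if (work == null) throw new ArgumentNullException("work");
        // Captured on the request thread, so this is the impersonated
        // identity (the name Response.Write showed), not the process account.
        _identity = WindowsIdentity.GetCurrent();
        _work = work;
    }

    public Thread Start()
    {
        // A dedicated thread, not a pool thread, so a missed Undo() cannot
        // leak the elevated identity into unrelated work items.
        Thread t = new Thread(new ThreadStart(Run));
        t.IsBackground = true;
        t.Start();
        return t;
    }

    private void Run()
    {
        WindowsImpersonationContext ctx = null;
        try
        {
            ctx = _identity.Impersonate();   // new thread starts as the process account
            _work();                         // runs as the captured identity
        }
        finally
        {
            // Always revert and release the token, even if the work throws.
            if (ctx != null) ctx.Undo();
            _identity.Dispose();
        }
    }
}
```

Each ImpersonatedWorker instance is single-use, because the captured identity is disposed when the work finishes.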


