Using impersonation in ASP.NET applications
Summary
By default, an ASP.NET application runs under the local ASPNET account, which is a member of the Users group and has deliberately limited permissions, so that the application itself is kept secure. Sometimes, however, an ASP.NET application, or one piece of code in it, has to perform an action that needs a specific permission, such as accessing a file. In that case a particular account must be granted to that piece of code so it can perform the operation; this technique is called impersonation. This article describes several ways to use impersonation in an ASP.NET application and compares the situations each one suits.
Before reading this article, it is recommended that you first read "Authentication in ASP .NET: .NET Security Guide" to get an overall understanding of security control in ASP.NET.
Table of contents
Impersonation in ASP.NET
Impersonating the IIS-authenticated account
Impersonating a specified user account in an ASP.NET application
Impersonating the IIS-authenticated account in code
Impersonating a specified user account in code
More information
Impersonation in ASP.NET
ASP.NET performs authentication through authentication providers; in general these are Forms authentication, Windows authentication and Passport authentication. Once a request has been authenticated by the provider, ASP.NET checks whether impersonation is enabled. If it is, the ASP.NET application runs under the client's identity; otherwise it runs under the local process identity (normally the ASPNET account). The flow is shown in the figure below:
Impersonation in an ASP.NET application is generally used for resource access control. There are several ways to do it:
Impersonating the IIS-authenticated account
Impersonating a specified user account in an ASP.NET application
Impersonating the IIS-authenticated account in code
Impersonating a specified user account in code
Impersonating the IIS-authenticated account
This is the simplest method: the application runs under the account that IIS authenticated. You add the corresponding tag to the web.config file and set its impersonate attribute to true:
In this case, authentication of the user's identity is handed over to IIS. When anonymous access is allowed, IIS passes the anonymous login identity to the ASP.NET application; when anonymous access is not allowed, IIS passes the authenticated identity to the ASP.NET application. What the ASP.NET application may then access is determined by the permissions of that account.
Impersonating a specified user account
When the ASP.NET application needs to run under a specific user account, you can specify that account in the corresponding tag in the web.config file:
All requests for every page of the ASP.NET application will then execute with the permissions of the specified user account.
Impersonating the IIS-authenticated account in code
With impersonation in code, you impersonate only within a specific code segment and revert to the native ASPNET account outside it. This method requires Windows authentication. The following example impersonates the IIS-authenticated account in code:
Visual Basic .NET
Dim impersonationContext As System.Security.Principal.WindowsImpersonationContext
Dim currentWindowsIdentity As System.Security.Principal.WindowsIdentity
currentWindowsIdentity = CType(User.Identity, System.Security.Principal.WindowsIdentity)
impersonationContext = currentWindowsIdentity.Impersonate()
Try
    ' Insert your code that runs under the security context of the authenticating user here.
Finally
    ' Always revert, even if the code above throws, so the thread does not keep running as the user.
    impersonationContext.Undo()
End Try
Visual C# .NET
System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext = ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
try
{
    // Insert your code that runs under the security context of the authenticating user here.
}
finally
{
    // Always revert, even if the code above throws, so the thread does not keep running as the user.
    impersonationContext.Undo();
}
Impersonating a specified user account in code
The following example impersonates a specified user account in code:
Visual Basic .NET
<%@ Page Language="VB" %>
<%@ Import Namespace="System.Web" %>
<%@ Import Namespace="System.Web.Security" %>
<%@ Import Namespace="System.Security.Principal" %>
<%@ Import Namespace="System.Runtime.InteropServices" %>
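The following is an added C# example, not code from the original article, showing code-scoped impersonation of a specified account obtained through a Win32 logon token. It assumes .NET Framework on Windows; the domain, user name and password are parameters that the caller is expected to load from a protected configuration source.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not from the original article). Impersonates a specified
// Windows account for one code segment only and always reverts afterwards.
// Assumes .NET Framework on Windows; credentials are passed in by the caller.
public static class ScopedImpersonation
{
    const int LOGON32_LOGON_NETWORK = 3;      // no interactive session is created
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int SECURITY_IMPERSONATION = 2;     // SecurityImpersonation level

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateToken(IntPtr token, int level, out IntPtr newToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs action under domain\user. Only the code inside action runs as that
    // account; the ASPNET process identity is restored before RunAs returns.
    public static void RunAs(string domain, string user, string password, Action action)
    {
        IntPtr token = IntPtr.Zero, dupToken = IntPtr.Zero;
        WindowsImpersonationContext context = null;
        try
        {
            if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                           LOGON32_PROVIDER_DEFAULT, out token))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            // Duplicate to an impersonation-level token (required for primary
            // tokens, harmless for tokens that are already impersonation tokens).
            if (!DuplicateToken(token, SECURITY_IMPERSONATION, out dupToken))
                throw new Win32Exception(Marshal.GetLastWin32Error());

            context = new WindowsIdentity(dupToken).Impersonate();
            action();
        }
        finally
        {
            if (context != null) context.Undo();      // revert even if action() throws
            if (dupToken != IntPtr.Zero) CloseHandle(dupToken);
            if (token != IntPtr.Zero) CloseHandle(token);
        }
    }
}
```

Call ScopedImpersonation.RunAs with credentials read from a protected configuration section rather than a literal in source code or web.config, so the account password is not exposed to anyone who can read the site's files.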