c# library impersonate problem

2019-09-06 04:02发布

I'm working on a website that has been coded by someone else. The application contains three layers. A website, a web service and a library. The Web service is up for other application to call methods and everything. The website is used by workers to performs queries and everything.

The problem is : The website use the web service that use the library instead of going directly to the library. I want to remove the web service usage and use the library straight away instead. Unfortunately, the library isn't able to connect an external server when called directly from the web site.

The web service used the impersonate method in his web config like so :

 <?xml version="1.0"?>
<configuration>
<appSettings/>
<connectionStrings/>
<system.web>
  <compilation defaultLanguage="c#" debug="true" />
  <authorization>
    <allow users="*" />
  </authorization>
  <authentication mode="Windows" />
  <identity
  impersonate="true"
  userName="USERNAME_HERE"
  password="PASSWORD_HERE" />
  <sessionState
      mode="InProc"
      stateConnectionString="tcpip=10.96.8.37:42424"
      sqlConnectionString="data source=10.96.8.37;Trusted_Connection=yes"
      cookieless="false"
      timeout="20" />
</system.web>

When the web service use the library, the library identity turns out to be the username specified in the web.config. But when I call it from the website directly the user turns out to be : MY_COMPUTER\ASPNET

How can I sucessfully impersonate within the library itself?

Thanks!

EDIT

Ok, I thought of adding the impersonate piece of code in the website's web.config instead. It turned out that the library used the correct user but the request takes forever and never end. Do you know what could be wrong?

1条回答
兄弟一词,经得起流年.
2楼-- · 2019-09-06 04:43

At first glance, you could use these entries in the web.config of your transactional website.

<authorization>
  <allow users="*" />
</authorization>
<authentication mode="Windows" />
<identity
impersonate="true"
userName="USERNAME_HERE"
password="PASSWORD_HERE" />

However you want to be really sure this is the right thing to do before you do it.

Security is a big thorny problem that can turn around and bite you in the ass pretty hard. Whichever user you use here should be single purpose. It should have exactly the permissions you need and no more.

Why can't you give the MY_COMPUTER\ASPNET user permissions on the external server?

There are ways to impersonate for a short time which will probably solve your problem more cleanly. I will let someone who actually knows that answer tell you what it is though.

查看更多
登录 后发表回答