Todd Bleeker's 12 Hive


Even Better Impersonation

In my recent SharePoint Advisor article, Secure SharePoint Code Using Credential-less Impersonation, I describe a method of using the App Pool identity to complete tasks that the authenticated user doesn't have permission to do. Although I'm not a security expert, I wanted to share this approach, which I find very beneficial. The RevertToAppPool class that I provide in the article relies on a call into an unmanaged operating system routine, which in turn requires the assembly to run under Full trust (still better than storing credentials, IMHO). However, I've recently become aware of an approach that achieves the same kind of impersonation under the preferred WSS_Medium trust level instead of Full.

Use the following RevertToAppPool class in place of the one that I provide in the article to achieve this goal. It needs no credentials and no unmanaged call: impersonating a zero token simply ends the current impersonation, so the thread drops back to the worker process (App Pool) identity, and Undo() puts the authenticated user back. The class implements IDisposable so that the privileged work can be wrapped in a using block and the user's context is restored even when that work throws:
using System;
using System.Security.Principal;

namespace Mindsharp.Utilities
{
  public class RevertToAppPool : IDisposable
  {
    private WindowsImpersonationContext ctx = null;

    //Revert to the original application pool security context
    //We only want to do this if we are not already running as the system
    public void UseAppPoolIdentity()
    {
      if (ctx != null)
      {
        return; //already reverted; Undo() must only be called once
      }

      try
      {
        if (!WindowsIdentity.GetCurrent().IsSystem)
        {
          //A zero token ends the current impersonation, so the thread
          //runs as the process (App Pool) identity until Undo() is called
          ctx = WindowsIdentity.Impersonate(System.IntPtr.Zero);
        }
      }
      catch
      {
        //If the revert is not permitted we keep running as the user; the
        //privileged operation then fails with access denied rather than
        //silently running elevated
        ctx = null;
      }
    }

    //Return to impersonating the authenticated user
    //Anonymous users are impersonated as IUSR_machinename, by default
    public void ReturnToImpersonatingCurrentUser()
    {
      if (ctx != null)
      {
        //Failures are deliberately not swallowed here: if Undo() throws,
        //the thread is still running as the App Pool account and the
        //caller must know about it
        ctx.Undo();
        ctx = null;
      }
    }

    //Allows "using (RevertToAppPool r = ...)" around the privileged work
    public void Dispose()
    {
      ReturnToImpersonatingCurrentUser();
    }
  }
}

The code to call the RevertToAppPool class follows:

//Requires: using System; using System.Security.Principal;
//          using System.Web; using System.Web.UI;
protected override void RenderWebPart(HtmlTextWriter output)
{
  try
  {
    output.Write("before:"
      + HttpUtility.HtmlEncode(WindowsIdentity.GetCurrent().Name) + "<BR>");
    Mindsharp.Utilities.RevertToAppPool reverter =
      new Mindsharp.Utilities.RevertToAppPool();

    reverter.UseAppPoolIdentity();
    try
    {
      //Everything in this block runs as the App Pool account
      output.Write("reverted:"
        + HttpUtility.HtmlEncode(WindowsIdentity.GetCurrent().Name) + "<BR>");
    }
    finally
    {
      //Always restore the user's context, even if the elevated work throws;
      //otherwise the thread stays elevated for the rest of the request
      reverter.ReturnToImpersonatingCurrentUser();
    }
    output.Write("after:"
      + HttpUtility.HtmlEncode(WindowsIdentity.GetCurrent().Name) + "<BR>");

    EnsureChildControls();
    RenderChildren(output);
  }
  catch(Exception ex)
  {
    output.Write("<H1>" + HttpUtility.HtmlEncode(ex.Message) + "</H1>");
  }
}
Thanks to Jeff Goddard in London, England for bringing this awesome option to my attention. As always, it is important to realize that any privilege you give to the App Pool account can be exercised by whatever code runs while the thread is reverted, so make your authorization decision before calling UseAppPoolIdentity(), keep the reverted window as small as possible, and call ReturnToImpersonatingCurrentUser() from a finally block so that an exception cannot leave the request running as the App Pool account. For most SharePoint implementations, this kind of class will be a godsend.
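As an added example (mine, not code from the article or from this post), here is the pattern a practitioner would actually put behind a web part: a helper that appends an entry to a list the signed-in user is not allowed to write to, using the RevertToAppPool class above. The list name ("Audit Log", written through its Title field), the permission check via SPWeb.DoesUserHavePermissions with the WSS 2.0 SPRights enumeration, and the 255-character limit are assumptions for this example. The three points it shows beyond the web part above are: authorize while still running as the user, revert only around the write and restore in a finally block, and open fresh SPSite/SPWeb objects after reverting because the object-model instances obtained under the user's context keep that context.

```csharp
// Added example, not part of the original post. Assumes WSS 2.0's
// Microsoft.SharePoint object model and the Mindsharp.Utilities.RevertToAppPool
// class from this post; list name and field are assumptions.
using System;
using System.Web;
using Microsoft.SharePoint;
using Microsoft.SharePoint.WebControls;
using Mindsharp.Utilities;

public class AuditLogWriter
{
  // Assumed list name; the list is expected to have the standard Title field.
  private const string ListName = "Audit Log";

  // Appends "<user login>: <message>" to the audit list as the App Pool account.
  public static void WriteEntry(HttpContext context, string message)
  {
    if (message == null || message.Length == 0 || message.Length > 255)
    {
      throw new ArgumentException("message must be 1..255 characters");
    }

    // 1. Make the authorization decision while still running as the user.
    //    Anything checked after the revert is checked against the App Pool
    //    account, which can do almost everything, so the check would be moot.
    SPWeb userWeb = SPControl.GetContextWeb(context);
    if (!userWeb.DoesUserHavePermissions(SPRights.ViewListItems))
    {
      throw new UnauthorizedAccessException(
        "User may not read this web, so may not log against it");
    }
    string author = userWeb.CurrentUser.LoginName;
    string webUrl = userWeb.Url;

    // 2. Revert for the smallest possible window and restore in finally so
    //    an exception cannot leave the thread running as the App Pool account.
    RevertToAppPool reverter = new RevertToAppPool();
    reverter.UseAppPoolIdentity();
    try
    {
      // 3. Open fresh object-model instances after reverting. The SPWeb
      //    obtained above was created under the user's context and keeps it,
      //    so writing through it would still be denied.
      using (SPSite site = new SPSite(webUrl))
      using (SPWeb web = site.OpenWeb())
      {
        SPListItem item = web.Lists[ListName].Items.Add();
        item["Title"] = author + ": " + message;
        item.Update();
      }
    }
    finally
    {
      reverter.ReturnToImpersonatingCurrentUser();
    }
  }
}
```

Call it from a web part or event handler as AuditLogWriter.WriteEntry(Context, "Report exported"); the user only needs read access to the web, while the list itself can be locked down to the App Pool account. Note that the message is written as a field value and never interpolated into CAML, a URL or HTML, so the elevated write cannot be turned into an injection point by the caller.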

<Todd />

posted on Tuesday, May 03, 2005 7:46 PM

Feedback

# Impersonation in SharePoint web parts 5/10/2005 9:17 AM Alex's blog about SharePoint and .NET

Todd Bleeker wrote an article in SharePoint Advisor Magazine about "Secure Share

# re: Even Better Impersonation 5/14/2005 3:44 PM Maurice Prather

Although this is a common class/technique that a lot of folks use from time to time, be aware that the SharePoint OM will not always honor your reverted state. I've posted more info at http://www.bluedoglimited.com/SharePointThoughts/ViewPost.aspx?ID=7 Maurice

# re: The two biggest problems in Sharepoint development - and they really are annoying! 10/20/2005 2:52 PM Lovely Weather?

# That quirky SharePoint Object Model... 1/4/2006 5:12 PM Chris Johnson

I had another chance yesterday to do battle with something in the SharePoint Object Model. These...

# MSDN: a collection of high-level tips for SharePoint development 3/14/2006 8:03 AM The Mit's Blog

While browsing MSDN, I went to the SharePoint SDK, and to my surprise: a new article...

# Follow Up 3/17/2006 8:03 AM Todd Bleeker

Some have found that they need to add an additional line of code (see below) in the UseAppPoolIdentity() function after the following existing code:

//Existing code
ctx = WindowsIdentity.Impersonate(System.IntPtr.Zero);
//Code to add
WindowsIdentity.Impersonate(WindowsIdentity.GetCurrent().Token);

I don't fully understand why a second call to impersonation would be necessary, but I've had several people tell me that it helped them.

# SharePoint Web Parts: Free 3rd Party SharePoint Web Parts & Tools 6/1/2006 3:49 PM The Boiler Room - Mark Kruger, SharePoint MVP

For those who aggregate my feed and do not often visit the blog itself... I've updated my SharePoint...

# Free SharePoint Web Parts (3rd Party) 6/26/2007 10:15 AM The Boiler Room - Mark Kruger, Microsoft SharePoin

Free SharePoint Web Parts (3rd Party) Konrad Brunner - UGS's Web Parts (broken link 8/25) Document
