advapi32.dll 的 LogonUserA 会影响 ASP.net 中的整个应用程序池吗?
Does advapi32.dll's LogonUserA affect the whole application pool in ASP.net?
注意以下文章:
How to implement impersonation in an ASP.NET application
特别是 "Impersonate a Specific User in Code" 位。
它利用了 advapi32.dll 的 LogonUserA() 和 DuplicateToken() 方法(Windows API?)。
如果我们在特定的 aspx 文件(函数)中使用此方法来针对特定任务模拟 "DOMAIN\John Smith" - 我们可以肯定地说只有那个 aspx 请求冒充 John,或者整个应用程序池运行 作为 John Smith,直到在完成所述函数时调用 undoImpersonation()?
有问题的代码(以防上述 link 变暗):
Dim LOGON32_LOGON_INTERACTIVE As Integer = 2
Dim LOGON32_PROVIDER_DEFAULT As Integer = 0
Dim impersonationContext As WindowsImpersonationContext
Declare Function LogonUserA Lib "advapi32.dll" (ByVal lpszUsername As String, _
ByVal lpszDomain As String, _
ByVal lpszPassword As String, _
ByVal dwLogonType As Integer, _
ByVal dwLogonProvider As Integer, _
ByRef phToken As IntPtr) As Integer
Declare Auto Function DuplicateToken Lib "advapi32.dll" ( _
ByVal ExistingTokenHandle As IntPtr, _
ByVal ImpersonationLevel As Integer, _
ByRef DuplicateTokenHandle As IntPtr) As Integer
Declare Auto Function RevertToSelf Lib "advapi32.dll" () As Long
Declare Auto Function CloseHandle Lib "kernel32.dll" (ByVal handle As IntPtr) As Long
Public Sub Page_Load(ByVal s As Object, ByVal e As EventArgs)
If impersonateValidUser("username", "domain", "password") Then
'Insert your code that runs under the security context of a specific user here.
undoImpersonation()
Else
'Your impersonation failed. Therefore, include a fail-safe mechanism here.
End If
End Sub
Private Function impersonateValidUser(ByVal userName As String, _
ByVal domain As String, ByVal password As String) As Boolean
Dim tempWindowsIdentity As WindowsIdentity
Dim token As IntPtr = IntPtr.Zero
Dim tokenDuplicate As IntPtr = IntPtr.Zero
impersonateValidUser = False
If RevertToSelf() Then
If LogonUserA(userName, domain, password, LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT, token) <> 0 Then
If DuplicateToken(token, 2, tokenDuplicate) <> 0 Then
tempWindowsIdentity = New WindowsIdentity(tokenDuplicate)
impersonationContext = tempWindowsIdentity.Impersonate()
If Not impersonationContext Is Nothing Then
impersonateValidUser = True
End If
End If
End If
End If
If Not tokenDuplicate.Equals(IntPtr.Zero) Then
CloseHandle(tokenDuplicate)
End If
If Not token.Equals(IntPtr.Zero) Then
CloseHandle(token)
End If
End Function
Private Sub undoImpersonation()
impersonationContext.Undo()
End Sub
模拟是特定于线程的,而不是针对整个应用程序。
我修改了您的 page_load 以包含一个证明该事实的简单逻辑。
演示
原始用户(应用程序池)和模拟用户都将以不同的时间间隔在调试控制台中写入。请注意,模拟用户是来自另一个线程的 运行,并且将每秒输出一次其用户名,而应用程序池用户(主线程)输出保留在主线程上并每 100 毫秒输出一次其名称。
Public Sub Page_Load(ByVal s As Object, ByVal e As EventArgs)
Dim Task As New System.Threading.Tasks.Task(Sub()
If impersonateValidUser("Username", "Domain", "Password") Then
Dim Watch As New Diagnostics.Stopwatch()
Watch.Start()
While Watch.ElapsedMilliseconds < 10000
System.Threading.Thread.Sleep(1000)
Diagnostics.Debug.WriteLine(WindowsIdentity.GetCurrent.Name)
End While
'Insert your code that runs under the security context of a specific user here.
undoImpersonation()
Else
'Your impersonation failed. Therefore, include a fail-safe mechanism here.
End If
End Sub)
Task.Start()
While Not Task.IsCompleted
System.Threading.Thread.Sleep(100)
Diagnostics.Debug.WriteLine("--" & WindowsIdentity.GetCurrent.Name)
End While
End Sub
注意以下文章:
How to implement impersonation in an ASP.NET application
特别是 "Impersonate a Specific User in Code" 位。
它利用了 advapi32.dll 的 LogonUserA() 和 DuplicateToken() 方法(Windows API?)。
如果我们在特定的 aspx 文件(函数)中使用此方法来针对特定任务模拟 "DOMAIN\John Smith" - 我们可以肯定地说只有那个 aspx 请求冒充 John,或者整个应用程序池运行 作为 John Smith,直到在完成所述函数时调用 undoImpersonation()?
有问题的代码(以防上述 link 变暗):
Dim LOGON32_LOGON_INTERACTIVE As Integer = 2
Dim LOGON32_PROVIDER_DEFAULT As Integer = 0
Dim impersonationContext As WindowsImpersonationContext
Declare Function LogonUserA Lib "advapi32.dll" (ByVal lpszUsername As String, _
ByVal lpszDomain As String, _
ByVal lpszPassword As String, _
ByVal dwLogonType As Integer, _
ByVal dwLogonProvider As Integer, _
ByRef phToken As IntPtr) As Integer
Declare Auto Function DuplicateToken Lib "advapi32.dll" ( _
ByVal ExistingTokenHandle As IntPtr, _
ByVal ImpersonationLevel As Integer, _
ByRef DuplicateTokenHandle As IntPtr) As Integer
Declare Auto Function RevertToSelf Lib "advapi32.dll" () As Long
Declare Auto Function CloseHandle Lib "kernel32.dll" (ByVal handle As IntPtr) As Long
Public Sub Page_Load(ByVal s As Object, ByVal e As EventArgs)
If impersonateValidUser("username", "domain", "password") Then
'Insert your code that runs under the security context of a specific user here.
undoImpersonation()
Else
'Your impersonation failed. Therefore, include a fail-safe mechanism here.
End If
End Sub
Private Function impersonateValidUser(ByVal userName As String, _
ByVal domain As String, ByVal password As String) As Boolean
Dim tempWindowsIdentity As WindowsIdentity
Dim token As IntPtr = IntPtr.Zero
Dim tokenDuplicate As IntPtr = IntPtr.Zero
impersonateValidUser = False
If RevertToSelf() Then
If LogonUserA(userName, domain, password, LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT, token) <> 0 Then
If DuplicateToken(token, 2, tokenDuplicate) <> 0 Then
tempWindowsIdentity = New WindowsIdentity(tokenDuplicate)
impersonationContext = tempWindowsIdentity.Impersonate()
If Not impersonationContext Is Nothing Then
impersonateValidUser = True
End If
End If
End If
End If
If Not tokenDuplicate.Equals(IntPtr.Zero) Then
CloseHandle(tokenDuplicate)
End If
If Not token.Equals(IntPtr.Zero) Then
CloseHandle(token)
End If
End Function
Private Sub undoImpersonation()
impersonationContext.Undo()
End Sub
模拟是特定于线程的,而不是针对整个应用程序。 我修改了您的 page_load 以包含一个证明该事实的简单逻辑。
演示
原始用户(应用程序池)和模拟用户都将以不同的时间间隔在调试控制台中写入。请注意,模拟用户是来自另一个线程的 运行,并且将每秒输出一次其用户名,而应用程序池用户(主线程)输出保留在主线程上并每 100 毫秒输出一次其名称。
Public Sub Page_Load(ByVal s As Object, ByVal e As EventArgs)
Dim Task As New System.Threading.Tasks.Task(Sub()
If impersonateValidUser("Username", "Domain", "Password") Then
Dim Watch As New Diagnostics.Stopwatch()
Watch.Start()
While Watch.ElapsedMilliseconds < 10000
System.Threading.Thread.Sleep(1000)
Diagnostics.Debug.WriteLine(WindowsIdentity.GetCurrent.Name)
End While
'Insert your code that runs under the security context of a specific user here.
undoImpersonation()
Else
'Your impersonation failed. Therefore, include a fail-safe mechanism here.
End If
End Sub)
Task.Start()
While Not Task.IsCompleted
System.Threading.Thread.Sleep(100)
Diagnostics.Debug.WriteLine("--" & WindowsIdentity.GetCurrent.Name)
End While
End Sub