Upload using alternative user permissions/credentials

Last post 07-15-2010, 3:52 AM by DanMcCoy. 4 replies.
  •  07-12-2010, 10:07 AM 62431

    Upload using alternative user permissions/credentials

    Hello
     
    How can I specify alternative user credentials for the Ajax Uploader to use when accessing the TempDirectory?
     
    We have a technical requirement to be able to specify a directory for which the aspnet account does not have permission. But I can't find any options to be able to set an alternative user name and password to use.
     
  •  07-13-2010, 8:34 AM 62454 in reply to 62431

    Re: Upload using alternative user permissions/credentials

  •  07-13-2010, 9:07 AM 62456 in reply to 62454

    Re: Upload using alternative user permissions/credentials

    Unfortunately this does not meet our needs.
     
    We currently use impersonation for other disk read and write functionality, but we do not want the entire application to use impersonation all of the time.
     
    In code (just before a disk read/write) we initialise impersonation, perform the disk action, then end the impersonation, so that only during the disk activity does the application have more privileges than normal.
     
    I have tried to attach a file to this forum post but keep receiving the error 'You do not have permission to upload or link to files. Please contact your system administrator.',
     
    Please find attached the class and pseudo code sample of how we currently implement impersonation.
     
     
    using System;
    using System.Runtime.InteropServices;
    using System.Security.Principal;

    public class ImpersonateUser
        {
            public const int LOGON32_LOGON_INTERACTIVE = 2;
            public const int LOGON32_PROVIDER_DEFAULT = 0;

            private string _userName = "";
            public string UserName
            {
              get { return _userName; }
              set { _userName = value; }
            }

            private string _domain = "";
            public string Domain
            {
              get { return _domain; }
              set { _domain = value; }
            }

            private string _password = "";
            public string Password
            {
              get { return _password; }
              set { _password = value; }
            }

            private bool _active = false;
            public bool Active
            {
                get { return _active; }
            }

            WindowsImpersonationContext impersonationContext;

            [DllImport("advapi32.dll")]
            private static extern int LogonUserA(string lpszUserName,
                string lpszDomain,
                string lpszPassword,
                int dwLogonType,
                int dwLogonProvider,
                ref IntPtr phToken);

            [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
            private static extern int DuplicateToken(IntPtr hToken,
                int impersonationLevel,
                ref IntPtr hNewToken);

            [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
            private static extern bool RevertToSelf();

            [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
            private static extern bool CloseHandle(IntPtr handle);

            public ImpersonateUser(string userName, string domain, string password)
            {
                this.UserName = userName;
                this.Domain = domain;
                this.Password = password;
            }

            public bool Begin(string userName, string domain, string password)
            {
                this.UserName = userName;
                this.Domain = domain;
                this.Password = password;

                return Begin();
            }

            public bool Begin()
            {
                bool returnValue = false;

                WindowsIdentity tempWindowsIdentity;
                IntPtr token = IntPtr.Zero;
                IntPtr tokenDuplicate = IntPtr.Zero;

                if (RevertToSelf())
                {
                    if (LogonUserA(this.UserName, this.Domain, this.Password, LOGON32_LOGON_INTERACTIVE,
                        LOGON32_PROVIDER_DEFAULT, ref token) != 0)
                    {
                        // 2 = SecurityImpersonation level
                        if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
                        {
                            tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
                            impersonationContext = tempWindowsIdentity.Impersonate();
                            if (impersonationContext != null)
                            {
                                returnValue = true;
                            }
                        }
                    }
                }
                // WindowsIdentity keeps its own copy of the token, so both raw handles can be closed
                if (token != IntPtr.Zero)
                    CloseHandle(token);
                if (tokenDuplicate != IntPtr.Zero)
                    CloseHandle(tokenDuplicate);

                // Store the active status
                this._active = returnValue;

                return returnValue;
            }

            public void End()
            {
                if (this.Active)
                {
                    impersonationContext.Undo();
                }
                this._active = false;
            }
        }
     
     
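    PSEUDO CODE EXAMPLE of usage
    --------------------------
     
    // Begin the impersonation (userName, domain and password are supplied by the caller)
    ImpersonateUser impersonateUser = new ImpersonateUser(userName, domain, password);
    if (impersonateUser.Begin())
    {
        try
        {
            // perform the disk access here!!!
        }
        finally
        {
            // End impersonation, even if the disk access throws
            impersonateUser.End();
        }
    }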
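
The scoped pattern described in the post above, as an added example that is not part of the original thread and is not CuteWebUI code: it assumes .NET Framework 4.6 or later, where `SafeAccessTokenHandle` and `WindowsIdentity.RunImpersonated` are available. The names `ScopedImpersonation`, `Run` and `SaveUpload` are hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

public static class ScopedImpersonation
{
    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider,
        out SafeAccessTokenHandle phToken);

    // Runs diskAction as the given account and always reverts afterwards.
    public static void Run(string userName, string domain, string password, Action diskAction)
    {
        SafeAccessTokenHandle token;
        if (!LogonUser(userName, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Fail closed: never fall through and run the action under the wrong identity.
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        using (token) // the SafeHandle closes the token even if diskAction throws
        {
            // The impersonated identity applies only inside diskAction.
            WindowsIdentity.RunImpersonated(token, diskAction);
        }
    }
}

public static class Example
{
    // Hypothetical caller: the elevated identity covers just the one write.
    public static void SaveUpload(string userName, string domain, string password,
                                  string path, byte[] data)
    {
        ScopedImpersonation.Run(userName, domain, password,
            () => File.WriteAllBytes(path, data));
        // Back on the application's normal identity here.
    }
}
```

Because the logon failure throws instead of returning `false`, a caller cannot accidentally carry on with the disk action when impersonation did not start.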
  •  07-14-2010, 9:34 PM 62494 in reply to 62431

    Re: Upload using alternative user permissions/credentials

  •  07-15-2010, 3:52 AM 62501 in reply to 62494

    Re: Upload using alternative user permissions/credentials

    Hi
     
    Thanks for your response Terry.
     
    The second of those two threads gets us pretty close to what we want;

    <add key="CuteWebUI.AjaxUploader.WindowsUsername" value="Terry" />
    <add key="CuteWebUI.AjaxUploader.WindowsPassword" value="12345abcde" />
    <add key="CuteWebUI.AjaxUploader.WindowsDomain" value="" />
    Web Application needs <trust level="Full" /> for this option.

    Is there any way to set these options on an instance of the control itself (not from the web.config)?
    After we distribute our product we don't always have easy access to the web.config file afterwards. Whenever we can, we try to store this type of setting elsewhere and set them dynamically.
    Is there any other way to set these three options?

    Also in post 62500 you mention the following:
    Web Application needs <trust level="Full" /> for this option
    While the page is loading, the page lifetime may be affected by this account setting!
    If not, use uploader.GetUploaderProvider() to ensure the uploader control impersonates the account
    How can the "GetUploaderProvider" method be used to help in this situation?
    I can't find any documentation or examples of how this method can be made use of.
    Are there any examples that anybody can point me to?
    How can this method be used to impersonate a user account without setting the trust level to full?