|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
Thread.CurrentPrincipal only set onceWhen having the AppDomain.Current.SetPrincipalPolicy(WindowsPrincipal) static
method set, the current process's Principal is propagated to the current thread to be used for Role-based access check. This happens the FIRDT time one asks for this property of the thread. Now - when doing an impersonation, the thread's principal is propagated to reflect this new principal (i.e. the impersonated user). Question: How come this property (CurrentPrincipal) on the thread is NOT updated when e.g. reverting the impersonation? The threads Principal STILL reflects the impersonated user as this was the very first time a request was made for the principal (by the RBS system of .NET) /Claus Impersonation and Thread.CurrentPrincipal have nothing to do with each other.
T.CP is a .NET concept to set up a security context you wanna do access checks against, e.g. IsInRole - impersonation is a Windows feature to change the token against which the Windows kernel does access checks against. I would not use SetPrincipalPolicy. Just set T.CP to whatever you want - e.g. Thread.CurrentPrincipal = new WindowsPrincipal(WindowsIdentity.GetCurrent()); --- Dominick Baier, DevelopMentor http://www.leastprivilege.com Show quoteHide quote > When having the AppDomain.Current.SetPrincipalPolicy(WindowsPrincipal) > static method set, the current process's Principal is propagated to > the current thread to be used for Role-based access check. > > This happens the FIRDT time one asks for this property of the thread. > Now - when doing an impersonation, the thread's principal is > propagated to reflect this new principal (i.e. the impersonated user). > > Question: How come this property (CurrentPrincipal) on the thread is > NOT updated when e.g. reverting the impersonation? The threads > Principal STILL reflects the impersonated user as this was the very > first time a request was made for the principal (by the RBS system of > .NET) > > /Claus > Thanks.
That was actually what I ended up doing (setting the T.CP = what ever) manually. But - then, what is the actual purpose of the SetPrincipalPolicy if it can not be used more than once (or so it appears)? /Claus Show quoteHide quote "Dominick Baier" wrote: > Impersonation and Thread.CurrentPrincipal have nothing to do with each other. > > T.CP is a .NET concept to set up a security context you wanna do access checks > against, e.g. IsInRole - impersonation is a Windows feature to change the > token against which the Windows kernel does access checks against. > > I would not use SetPrincipalPolicy. > > Just set T.CP to whatever you want - e.g. Thread.CurrentPrincipal = new WindowsPrincipal(WindowsIdentity.GetCurrent()); > > --- > Dominick Baier, DevelopMentor > http://www.leastprivilege.com > > > When having the AppDomain.Current.SetPrincipalPolicy(WindowsPrincipal) > > static method set, the current process's Principal is propagated to > > the current thread to be used for Role-based access check. > > > > This happens the FIRDT time one asks for this property of the thread. > > Now - when doing an impersonation, the thread's principal is > > propagated to reflect this new principal (i.e. the impersonated user). > > > > Question: How come this property (CurrentPrincipal) on the thread is > > NOT updated when e.g. reverting the impersonation? The threads > > Principal STILL reflects the impersonated user as this was the very > > first time a request was made for the principal (by the RBS system of > > .NET) > > > > /Claus > > > > > to set it once :P
--- Dominick Baier, DevelopMentor http://www.leastprivilege.com Show quoteHide quote > Thanks. > > That was actually what I ended up doing (setting the T.CP = what ever) > manually. > But - then, what is the actual purpose of the SetPrincipalPolicy if it > can > not be used more than once (or so it appears)? > /Claus > > "Dominick Baier" wrote: > >> Impersonation and Thread.CurrentPrincipal have nothing to do with >> each other. >> >> T.CP is a .NET concept to set up a security context you wanna do >> access checks against, e.g. IsInRole - impersonation is a Windows >> feature to change the token against which the Windows kernel does >> access checks against. >> >> I would not use SetPrincipalPolicy. >> >> Just set T.CP to whatever you want - e.g. Thread.CurrentPrincipal = >> new WindowsPrincipal(WindowsIdentity.GetCurrent()); >> >> --- >> Dominick Baier, DevelopMentor >> http://www.leastprivilege.com >>> When having the >>> AppDomain.Current.SetPrincipalPolicy(WindowsPrincipal) static method >>> set, the current process's Principal is propagated to the current >>> thread to be used for Role-based access check. >>> >>> This happens the FIRDT time one asks for this property of the >>> thread. Now - when doing an impersonation, the thread's principal is >>> propagated to reflect this new principal (i.e. the impersonated >>> user). >>> >>> Question: How come this property (CurrentPrincipal) on the thread >>> is NOT updated when e.g. reverting the impersonation? The threads >>> Principal STILL reflects the impersonated user as this was the very >>> first time a request was made for the principal (by the RBS system >>> of .NET) >>> >>> /Claus >>> 
Other interesting topics
CASPOL - StrongName trusts not being applied
TripleDES output size Problem with pkcs #7 strong name validation failed problem Trusting a location for Framework 2.x how to use microsoft application blocks ent lib june 2005 Windows File Encryption Re: Encrypting using RSA private Key How to prevent RSACryptoServiceProvider constructor from crating a new keypair every time Get SID History |
|||||||||||||||||||||||
