My DBA requires all database access to be done through trusted domain account. This can be done if you set the web.config . This requires the user to login or to be on the domain for IE pass the credentials through. I want to impersonate a user by using code. I am using the code found in this knowledgebase article:
我的DBA要求通过受信任的域帐户进行所有数据库访问。这可以通过设置web来实现。配置。这要求用户登录或进入IE的域,以通过IE的凭据。我想通过使用代码模拟用户。我正在使用知识库文章中的代码:
http://support.microsoft.com/kb/306158
http://support.microsoft.com/kb/306158
It works great, I pass in the credentials, impersonate the user, then make the call to the database and data is returned.
它工作得很好,我传入凭证,模拟用户,然后调用数据库并返回数据。
The problem is if I go to another page, I lose my impersonated credentials. This means every time I make a call to the database I have to run the impersonate code.
问题是,如果我转到另一个页面,就会丢失模拟凭证。这意味着每次调用数据库时,我都必须运行模拟代码。
If IIS can impersonate a domain user for all pages, then why can I not impersonate a user while using code?
如果IIS可以为所有页面模拟域用户,那么为什么我不能在使用代码时模拟用户呢?
It seems to be something with thread context switching. I have tried setting the alwaysFlowImpersonatingPolicy in the Aspnet.config file and it did not work.
它似乎是线程上下文切换。我尝试过在Aspnet中设置永远的floswimatingpolicy。配置文件,它不起作用。
http://msdn.microsoft.com/en-us/library/ms229553.aspx
http://msdn.microsoft.com/en-us/library/ms229553.aspx
Any suggestion? Is it even possible to do what I want?
任何建议吗?有可能做我想做的事吗?
2 个解决方案
#1
3
Impersonation occurs at the level of the thread. Impersonation causes the access token of the thread, which is usually inherited from the process, to be replaced with another. The best practice is to revert the effect of impersonation and thus the token as soon as you are done with the operation(s) for which it was needed. The story is no different with IIS or ASP.NET. Each request is usually handled by a distinct thread so you will have to make each thread impersonate the user.
模拟发生在线程级别。模拟导致线程的访问标记(通常从进程继承)被另一个替换。最佳实践是在完成所需的操作之后,立即恢复模拟的效果,从而恢复令牌。IIS和ASP.NET的情况也差不多。每个请求通常由一个不同的线程处理,因此必须使每个线程模拟用户。
This means every time I make a call to the database I have to run the impersonate code.
这意味着每次调用数据库时,我都必须运行模拟代码。
So that is correct.
这是正确的。
If IIS can impersonate a domain user for all pages, then why can I not impersonate a user while using code?
如果IIS可以为所有页面模拟域用户,那么为什么我不能在使用代码时模拟用户呢?
IIS does not do it any differently and so it may only be a perceived illusion. It cannot impersonate a user for all pages unless all pages are being served by the same thread and where the impersonated token has never been reverted as each page is served.
IIS不会做任何不同的事情,所以它可能只是一个感知的错觉。它不能为所有页面模拟用户,除非所有页面都由相同的线程服务,并且在每个页面被服务时,模拟的令牌从未被恢复。
It seems to be something with thread context switching.
它似乎是线程上下文切换。
Not really. Unless you are doing asynchronous processing (which you don't state you do in your question), the flow of the impersonation context won't be relevant. You only need to worry about flowing the impersonation context if you are causing a thread switch either directly or indirectly during the processing of a single request. If you want that the work done by a secondary (worker) thread continues to occur under the impersonation context of the primary one then you need to make sure the secondary thread borrows the impersonation token. In .NET Framework 1.1, you would have to take great care and manually orchestrate the flow of the impersonation context. With .NET 2.0, however, the ExecutionContext API was introduced and does a lot of the heavy-lifting.
不是真的。除非您正在进行异步处理(在您的问题中没有说明),否则模拟上下文的流将不相关。如果在处理单个请求期间直接或间接地导致线程切换,则只需要担心模拟上下文的流动。如果您希望辅助(worker)线程所做的工作继续发生在主线程的模拟上下文中,那么您需要确保辅助线程借用模拟令牌。在. net Framework 1.1中,您必须非常小心,并手动编排模拟上下文的流。然而,在. net 2.0中,引入了ExecutionContext API,并做了很多繁重的工作。
#2
1
The reason you're losing the impersonation context is because each time a new page request ends the impersonation context will go out of scope.
丢失模拟上下文的原因是,每当一个新的页面请求结束时,模拟上下文就会超出范围。
As per the docs <alwaysFlowImpersonationPolicy> is used to ensure the same impersonation context is maintained across async calls. For example when making an async call to a remote web service the callback impersonation context is the same one as the initiating thread. In the case of ASP.NET the impersonation context would only flow for the lifetime of the page request.
根据docs < alwaysflowimationpolicy >用于确保跨异步调用维护相同的模拟上下文。例如,在对远程web服务进行异步调用时,回调模拟上下文与初始线程相同。以ASP为例。NET模拟上下文将只在页面请求的生命周期中流动。
#1
3
Impersonation occurs at the level of the thread. Impersonation causes the access token of the thread, which is usually inherited from the process, to be replaced with another. The best practice is to revert the effect of impersonation and thus the token as soon as you are done with the operation(s) for which it was needed. The story is no different with IIS or ASP.NET. Each request is usually handled by a distinct thread so you will have to make each thread impersonate the user.
模拟发生在线程级别。模拟导致线程的访问标记(通常从进程继承)被另一个替换。最佳实践是在完成所需的操作之后,立即恢复模拟的效果,从而恢复令牌。IIS和ASP.NET的情况也差不多。每个请求通常由一个不同的线程处理,因此必须使每个线程模拟用户。
This means every time I make a call to the database I have to run the impersonate code.
这意味着每次调用数据库时,我都必须运行模拟代码。
So that is correct.
这是正确的。
If IIS can impersonate a domain user for all pages, then why can I not impersonate a user while using code?
如果IIS可以为所有页面模拟域用户,那么为什么我不能在使用代码时模拟用户呢?
IIS does not do it any differently and so it may only be a perceived illusion. It cannot impersonate a user for all pages unless all pages are being served by the same thread and where the impersonated token has never been reverted as each page is served.
IIS不会做任何不同的事情,所以它可能只是一个感知的错觉。它不能为所有页面模拟用户,除非所有页面都由相同的线程服务,并且在每个页面被服务时,模拟的令牌从未被恢复。
It seems to be something with thread context switching.
它似乎是线程上下文切换。
Not really. Unless you are doing asynchronous processing (which you don't state you do in your question), the flow of the impersonation context won't be relevant. You only need to worry about flowing the impersonation context if you are causing a thread switch either directly or indirectly during the processing of a single request. If you want that the work done by a secondary (worker) thread continues to occur under the impersonation context of the primary one then you need to make sure the secondary thread borrows the impersonation token. In .NET Framework 1.1, you would have to take great care and manually orchestrate the flow of the impersonation context. With .NET 2.0, however, the ExecutionContext API was introduced and does a lot of the heavy-lifting.
不是真的。除非您正在进行异步处理(在您的问题中没有说明),否则模拟上下文的流将不相关。如果在处理单个请求期间直接或间接地导致线程切换,则只需要担心模拟上下文的流动。如果您希望辅助(worker)线程所做的工作继续发生在主线程的模拟上下文中,那么您需要确保辅助线程借用模拟令牌。在. net Framework 1.1中,您必须非常小心,并手动编排模拟上下文的流。然而,在. net 2.0中,引入了ExecutionContext API,并做了很多繁重的工作。
#2
1
The reason you're losing the impersonation context is because each time a new page request ends the impersonation context will go out of scope.
丢失模拟上下文的原因是,每当一个新的页面请求结束时,模拟上下文就会超出范围。
As per the docs <alwaysFlowImpersonationPolicy> is used to ensure the same impersonation context is maintained across async calls. For example when making an async call to a remote web service the callback impersonation context is the same one as the initiating thread. In the case of ASP.NET the impersonation context would only flow for the lifetime of the page request.
根据docs < alwaysflowimationpolicy >用于确保跨异步调用维护相同的模拟上下文。例如,在对远程web服务进行异步调用时,回调模拟上下文与初始线程相同。以ASP为例。NET模拟上下文将只在页面请求的生命周期中流动。