Please explain impersonation for non-technical users. Then please explain it in the context of ASP.NET. Is impersonation good or evil? Do we use it in the case of Forms-based Authentication?
3 answers
#1
8
You should check out Keith Brown's description of impersonation. It is really a Windows concept.
When you have an application using forms authentication (FA), the IIS process is running under the credentials of a specific user set up in IIS.
Example: If you have a user called Bob logged on using FA and IIS set up to run as Network Service, and Bob accesses a page which makes a web service call to another computer, the other computer will see the IIS user and not Bob. You can use impersonation to allow Bob to access the web service as a real Windows user and not Network Service.
Impersonation is not evil, but it can be misused. You really need to understand the impact on your overall security model. It is also something that creates a lot of work for developers to debug. This is especially the case if you do not have admin rights to the resource (e.g. the web service) you are trying to access.
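As an added example (not part of the answer above), this is how the "Bob as a real Windows user" scenario is usually done programmatically in an ASP.NET (.NET Framework) application. Declarative `<identity impersonate="true" />` in web.config only impersonates whatever token IIS hands to ASP.NET, which under Forms Authentication with anonymous access is the anonymous account rather than Bob, so the application has to log Bob on itself. The class `WindowsImpersonation`, the methods `CallAsWindowsUser` and `Demo`, and the `CORP\bob` account are hypothetical; the application must hold Bob's Windows password, which is exactly the security-model impact the answer warns about.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: run a piece of code as a real Windows account on behalf of a
// Forms-authenticated user, so that downstream resources (a file share, a web
// service on another machine) see that account instead of the IIS worker
// process identity. Class, method and account names are hypothetical.
public static class WindowsImpersonation
{
    // P/Invoke declarations for the Win32 logon and handle APIs.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(
        string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    // LOGON32_LOGON_NETWORK_CLEARTEXT (8) keeps the name and password in the
    // authentication package, so the impersonating thread can authenticate to
    // other servers. LOGON32_LOGON_NETWORK (3) is cheaper, but its token cannot
    // be used for outbound network authentication, so a remote web service would
    // still not see Bob.
    private const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    public static T CallAsWindowsUser<T>(string domain, string user, string password, Func<T> action)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Surface only the Win32 error code; do not echo which of user/password
            // was wrong into anything that reaches the browser.
            throw new UnauthorizedAccessException(
                "Logon failed (Win32 error " + Marshal.GetLastWin32Error() + ")");
        }

        try
        {
            // Impersonate only for the duration of the call. Disposing the
            // WindowsImpersonationContext calls Undo(), so the thread returns to
            // the worker-process identity even if action() throws.
            using (WindowsIdentity.Impersonate(token))
            {
                return action();
            }
        }
        finally
        {
            // The logon token is a kernel handle; release it regardless of outcome.
            CloseHandle(token);
        }
    }

    // Usage from a page or handler after Bob has passed Forms Authentication.
    // The password has to be captured at the FA login form and kept no longer
    // than needed; holding it at all is what widens the security model.
    public static string[] Demo(string domain, string user, string password)
    {
        string before = WindowsIdentity.GetCurrent().Name;   // the worker-process account
        string during = CallAsWindowsUser(domain, user, password,
                            () => WindowsIdentity.GetCurrent().Name); // the impersonated account
        string after = WindowsIdentity.GetCurrent().Name;    // the worker-process account again
        return new[] { before, during, after };
    }
}
```

If `during` still shows the worker-process account, impersonation did not take effect (typically the token type is wrong or the call ran on a different thread); if the remote call works locally but fails against another machine, check the logon type before suspecting permissions on the remote resource, since that is the debugging trap the answer mentions.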
#2
7
Web applications run through a web server. That web server runs as a user with different permissions than yourself. Impersonation allows the application to run as you (or any other user with different privileges on the computer), as if you were logged in to the computer running it yourself.
It actually makes things quite good. It allows you another way to grant/restrict access to protected files on the computer.
And yes, you can apply it using Forms Authentication (but you don't have to).
#3
2
ASP.NET applications can execute with the Windows identity (user account) of the user making the request. Impersonation is commonly used in applications that rely on Microsoft Internet Information Services (IIS) to authenticate the user.
ASP.NET impersonation is disabled by default. If impersonation is enabled for an ASP.NET application, that application runs in the context of the identity whose access token IIS passes to ASP.NET. That token can be either an authenticated user token, such as a token for a logged-in Windows user, or the token that IIS provides for anonymous users (typically, the IUSR_MACHINENAME identity).
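As an added example (not from the answer above), a small diagnostic for an ASP.NET (System.Web) page or handler that reports which Windows identity the request code is actually executing under and which access token IIS passed to ASP.NET. Run it with `<identity impersonate="true" />` present and absent in web.config to see the difference the answer describes. The class `IdentityReport` and its members are hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added example: compare the thread's current Windows identity with the token
// IIS authenticated for the request, to check whether ASP.NET impersonation is
// in effect. Names are hypothetical.
public static class IdentityReport
{
    public sealed class Snapshot
    {
        public string ExecutingAs;      // WindowsIdentity.GetCurrent(): the thread's current token
        public string IisPassedToken;   // Request.LogonUserIdentity: the token IIS handed to ASP.NET
        public string AppUser;          // HttpContext.User: e.g. the Forms Authentication principal
        public bool ImpersonationInEffect;
    }

    public static Snapshot Take(HttpContext ctx)
    {
        WindowsIdentity current = WindowsIdentity.GetCurrent();
        WindowsIdentity passed = ctx.Request.LogonUserIdentity;
        string appUser = (ctx.User != null && ctx.User.Identity != null)
            ? ctx.User.Identity.Name
            : "";

        return new Snapshot
        {
            ExecutingAs = current.Name,
            IisPassedToken = passed != null ? passed.Name : "",
            AppUser = appUser,
            // Impersonation enabled: the code runs as the IIS-passed token.
            // Impersonation disabled (the default): the code runs as the worker
            // process account, so the two names differ.
            ImpersonationInEffect = passed != null &&
                string.Equals(current.Name, passed.Name, StringComparison.OrdinalIgnoreCase)
        };
    }
}
```

Under Forms Authentication with anonymous access enabled in IIS, `AppUser` is the forms user while `IisPassedToken` is the anonymous account, so `ImpersonationInEffect == true` means the page runs as the anonymous account, not as the forms user; that is the case where declarative impersonation alone does not do what people expect.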