Web services: SharePoint RunWithElevatedPrivileges vs. impersonation
I spent a few hours on a strange "bug" involving a web method of a .NET web service that queries AD for information about a user's permissions. The good news is that I fixed the bug, but I would like to understand why the correction works. The web method with the bug is as follows:
using System.DirectoryServices.AccountManagement;
using Microsoft.SharePoint;

public bool ValidateTask(string originatingUser)
{
    // get the System account token for impersonation
    // ('site' is the SPSite of the current request; its declaration is not shown in the post.
    //  SPUser.UserToken is an SPUserToken, not a string, so it is declared once with that type)
    SPUserToken userToken = site.SystemAccount.UserToken;
    using (SPSite rootSite = new SPSite(site.ID, userToken))
    {
        using (SPWeb web = rootSite.OpenWeb())
        {
            // get the domain name of the application pool of the web app
            string servicesDomain =
                StringUtilities.GetDomain(site.WebApplication.ApplicationPool.ManagedAccount.Username);
            // get the domain name of the user
            string accountsDomain = StringUtilities.GetDomain(originatingUser);
            PrincipalContext ServicesDomainContext =
                new PrincipalContext(ContextType.Domain, servicesDomain);
            PrincipalContext AccountsDomainContext =
                new PrincipalContext(ContextType.Domain, accountsDomain);
            // COMException when FindByIdentity is called because
            // AccountsDomainContext.ConnectedServer throws an exception
            using (UserPrincipal usr =
                UserPrincipal.FindByIdentity(AccountsDomainContext, IdentityType.SamAccountName, originatingUser))
            {
                // get user group memberships
            }
        }
        // check group memberships and return true or false
    }
}
The corrected web method is as follows:
public bool ValidateTask(string originatingUser)
{
    bool isValid = false; // set from inside the delegate, which itself returns void
    SPSecurity.RunWithElevatedPrivileges(
        delegate ()
        {
            ...
            using (SPSite rootSite = new SPSite(site.ID))
            {
                using (SPWeb web = rootSite.OpenWeb())
                {
                    // get the domain name of the application pool of the web app
                    string servicesDomain =
                        StringUtilities.GetDomain(site.WebApplication.ApplicationPool.ManagedAccount.Username);
                    // get the domain name of the user
                    string accountsDomain = StringUtilities.GetDomain(originatingUser);
                    PrincipalContext ServicesDomainContext =
                        new PrincipalContext(ContextType.Domain, servicesDomain);
                    PrincipalContext AccountsDomainContext =
                        new PrincipalContext(ContextType.Domain, accountsDomain);
                    using (UserPrincipal usr =
                        UserPrincipal.FindByIdentity(AccountsDomainContext, IdentityType.SamAccountName, originatingUser))
                    {
                        // get user group memberships
                    }
                }
            }
            // check group memberships and set isValid to true or false
        }
    ); // end of delegate method
    return isValid;
}
===========================================================================
In SharePoint, I thought that impersonation and RunWithElevatedPrivileges would produce the same result.
So my questions are:
1 - Why does RunWithElevatedPrivileges work, then?
2 - When elevating privileges in the context of a WebMethod, what are the credentials? Is it the identity of the application pool account of "SharePoint Web Services Root"?
3 - Can I trace the credentials used by the two methods?

RunWithElevatedPrivileges runs the code inside it in a new thread. This new thread runs under the account of the current application pool; for example, if you call it from an application running under the application pool of the web application on port 80, that is the account used. Creating a new SPSite with a user token only opens the SPSite in the context of the given user and does not start a new thread.
You can trace the current user by calling WindowsIdentity.GetCurrent().

Thanks for the reply. My asmx file is in the template\layouts folder and the dll is in the GAC. The user token is the "sharepoint\system" account. But when we impersonate with new SPSite(siteId, usertoken), we have full permissions in the SharePoint context, yet when we run a query against AD (or the file system) the WindowsIdentity is still the current user calling the web service. That is why RunWithElevatedPrivileges is more powerful: the new thread has the ApplicationPoolIdentity.
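The following C# is an added example, not code from the original question or answers. It makes the difference discussed above observable: it records the Windows identity (WindowsIdentity.GetCurrent()) and the SharePoint user at each step of both techniques, and then performs the AD group-membership check only inside the elevated region, capturing the result in a local because the delegate returns void. It assumes the Microsoft.SharePoint and System.DirectoryServices.AccountManagement assemblies are referenced and that it runs in a farm solution as the question's service does; the names IdentityProbe, Probe, FindUser, IsMemberOfGroup and GetDomain are mine, and GetDomain is assumed to behave like the question's StringUtilities.GetDomain, which the post does not show.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using Microsoft.SharePoint;

// Added diagnostic example (not the original poster's or answerer's code).
// Records which identity is active at each step of the two techniques and
// performs the AD group check only inside the elevated region.
public static class IdentityProbe
{
    // Assumed to behave like the question's StringUtilities.GetDomain (not shown there):
    // "DOMAIN\user" -> "DOMAIN", "user@corp.example" -> "corp.example".
    public static string GetDomain(string account)
    {
        if (string.IsNullOrEmpty(account)) throw new ArgumentException("account is empty");
        int backslash = account.IndexOf('\\');
        if (backslash > 0) return account.Substring(0, backslash);
        int at = account.IndexOf('@');
        if (at > 0) return account.Substring(at + 1);
        throw new ArgumentException("expected DOMAIN\\user or user@domain, got: " + account);
    }

    // Picks the identity type that matches the supplied format, so FindByIdentity is not
    // handed a domain-qualified value as a bare SAM account name.
    private static UserPrincipal FindUser(PrincipalContext ctx, string account)
    {
        int backslash = account.IndexOf('\\');
        if (backslash > 0)
            return UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, account.Substring(backslash + 1));
        return UserPrincipal.FindByIdentity(ctx, IdentityType.UserPrincipalName, account);
    }

    // Returns the identities observed at each step; 'site' is the SPSite of the current request.
    public static IDictionary<string, string> Probe(SPSite site)
    {
        var seen = new Dictionary<string, string>();
        seen["caller.windowsIdentity"] = WindowsIdentity.GetCurrent().Name;

        // 1) SPUserToken impersonation: the SharePoint-level user changes,
        //    the thread's Windows token does not.
        SPUserToken systemToken = site.SystemAccount.UserToken;
        using (SPSite impersonated = new SPSite(site.ID, systemToken))
        using (SPWeb web = impersonated.OpenWeb())
        {
            seen["spUserToken.sharepointUser"] = web.CurrentUser.LoginName;
            seen["spUserToken.windowsIdentity"] = WindowsIdentity.GetCurrent().Name; // same as caller
        }

        // 2) RunWithElevatedPrivileges: inside the delegate the thread runs as the
        //    process (application pool) identity. Capture only the ID and re-open the
        //    SPSite inside, so the objects are created under the elevated identity.
        Guid siteId = site.ID;
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            using (SPSite elevated = new SPSite(siteId))
            using (SPWeb web = elevated.OpenWeb())
            {
                seen["rwep.sharepointUser"] = web.CurrentUser.LoginName;
                seen["rwep.windowsIdentity"] = WindowsIdentity.GetCurrent().Name; // app pool account
            }
        });
        return seen;
    }

    // Group membership check done under the application pool identity, which is the
    // identity the PrincipalContext uses to bind to the domain. Unknown users are
    // treated as non-members rather than raising.
    public static bool IsMemberOfGroup(string originatingUser, string groupSamAccountName)
    {
        bool isMember = false; // set from inside the delegate; the delegate itself returns void
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            using (var ctx = new PrincipalContext(ContextType.Domain, GetDomain(originatingUser)))
            using (UserPrincipal usr = FindUser(ctx, originatingUser))
            {
                if (usr == null) return;
                using (PrincipalSearchResult<Principal> groups = usr.GetAuthorizationGroups())
                {
                    foreach (Principal g in groups)
                    {
                        if (string.Equals(g.SamAccountName, groupSamAccountName, StringComparison.OrdinalIgnoreCase))
                        {
                            isMember = true;
                            return;
                        }
                    }
                }
            }
        });
        return isMember;
    }
}
```

Calling Probe from the web method and comparing the "spUserToken.windowsIdentity" and "rwep.windowsIdentity" entries shows the point made in the answer: only the second one differs from the caller. Two practical notes. First, everything inside the RunWithElevatedPrivileges delegate runs as the application pool account, so keep that region to the directory lookup itself rather than wrapping the whole method. Second, in the method as posted, originatingUser is a parameter supplied by whoever calls the web service; if the result is used as an authorization decision, the authenticated caller's identity (for example HttpContext.Current.User.Identity.Name) is the safer input unless the calling component is itself trusted.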