11.3 System Identity in ASP.NET


Throughout this chapter, we have discussed authenticating clients and how to work with the "identity" of clients. In all cases, the identity we were referring to was the managed identity of the client, recognized only by the .NET runtime and carried in HttpContext.User. Another equally important identity to consider is the system identity: the Windows account under which the code actually runs on a particular machine, which is what the operating system consults when the code touches files, the registry, or any other secured resource.

By default, the ASP.NET worker process (aspnet_wp.exe) runs under a special account created for ASP.NET called ASPNET. This account is granted only ordinary user rights, which means that it is quite restricted in what it can do on the machine. This is a good thing, because it limits the damage an attacker who compromises the worker process can do with that account. If you decide that you want to change the identity of the worker process, it is configurable through the processModel element in machine.config. The userName attribute can be set to machine (the default), to System (run as the LOCAL_SYSTEM account, which hands the worker process full control of the machine and should be avoided), or to a specific user name. If you specify machine or System, you can leave the password attribute set to AutoGenerate, but if you specify a particular user, you must specify that user's password in clear text, so the read permissions on machine.config must be restricted accordingly (.NET 1.1 adds the aspnet_setreg.exe tool, which lets userName and password refer to encrypted registry values instead). Note that these identity settings apply to IIS 5; on IIS 6 in worker process isolation mode, the worker process identity is taken from the application pool and the identity attributes of processModel are ignored. Listing 11-20 shows the processModel portion of a machine.config file with the default system identity setting of machine.

Listing 11-20 Using processModel to Control the Identity of aspnet_wp.exe
<!-- File: machine.config -->
<configuration>
  <!-- ... -->
  <system.web>
    <processModel enable="true" timeout="Infinite"
         idleTimeout="Infinite" shutdownTimeout="0:00:05"
         requestLimit="Infinite" requestQueueLimit="5000"
         restartQueueLimit="10" memoryLimit="60"
         webGarden="false" cpuMask="0xffffffff"
         userName="machine" password="AutoGenerate"
         logLevel="Errors" clientConnectedCheck="0:00:05"
         comAuthenticationLevel="Connect"
         comImpersonationLevel="Impersonate"
         responseRestartDeadlockInterval="00:09:00"
         responseDeadlockInterval="00:03:00"
         maxWorkerThreads="25" maxIoThreads="25"/>
    <!-- ... -->
  </system.web>
</configuration>

If you try to do anything that requires rights the ASPNET account does not have, such as modifying files on the file system or writing to the registry, you will find that the default privileges of the ASPNET account stop you. The best approach is to grant the ASPNET account exactly the right it needs for the task at hand, rather than "punting" and changing the identity of the worker process altogether. For example, if you want to write data to an XML file on your system, modify the permissions of that one XML file (not the whole directory tree) to grant write permission to the ASPNET account. Before editing any ACL, confirm which account the worker process is really using, since a changed processModel or an impersonation setting means it may no longer be ASPNET.
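As an added example (not code from the book), the following code-behind class shows the check described above in practice: it reads the Windows account the request thread is executing under, attempts the XML write, and when the write is denied reports that account so the ACL entry can be added to the one file that needs it. The page class name and the file name data.xml are assumptions.

```csharp
// Added example, not from the book. Assumes ASP.NET 1.x on IIS 5 with the
// default processModel settings (userName="machine"), no impersonation, and
// a file named data.xml in the application directory (all assumptions).
using System;
using System.IO;
using System.Security.Principal;
using System.Web.UI;
using System.Xml;

public class WriteXmlPage : Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // The account the request thread runs under. With the defaults this
        // is MACHINE\ASPNET; it is this account, not the browsing user, that
        // the file's ACL is checked against.
        string account = WindowsIdentity.GetCurrent().Name;
        string path = Server.MapPath("data.xml");

        try
        {
            XmlDocument doc = new XmlDocument();
            doc.Load(path);
            XmlElement entry = doc.CreateElement("entry");
            entry.SetAttribute("at", DateTime.UtcNow.ToString("u"));
            entry.SetAttribute("by", account);
            doc.DocumentElement.AppendChild(entry);
            doc.Save(path);   // needs Write on data.xml for the account above
            Response.Write("Wrote entry as " + Server.HtmlEncode(account));
        }
        catch (UnauthorizedAccessException)
        {
            // Narrowest fix: grant Write on this one file to the worker
            // process account, e.g. from a command prompt on the server:
            //   cacls data.xml /E /G ASPNET:W
            // Do not switch processModel to System to make this go away.
            Response.Write("Write to data.xml denied for " +
                Server.HtmlEncode(account) +
                "; grant that account Write permission on the file.");
        }
    }
}
```

Reporting the account name rather than assuming ASPNET matters because the same code will run as a different account once processModel or impersonation is changed, and an ACL entry for the wrong account silently fixes nothing.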

If you are using Windows authentication, you may want to take advantage of the fact that you can impersonate the client by using the client's Windows logon token on the thread servicing the request within the worker process. To enable impersonation, add an identity element to your web.config file and set its impersonate attribute to true, as shown in Listing 11-21. This gives the thread used to service the request all the privileges associated with the client making the request, so file and registry ACLs are checked against the client rather than against ASPNET. Two caveats apply. First, the token is attached only to the thread servicing the request; the worker process itself, and any threads you start yourself, still run as the worker process account. Second, with Integrated Windows authentication (NTLM) the impersonated token can normally be used only for resources on the Web server itself, not for resources on another machine, unless Kerberos delegation is configured or Basic authentication supplies the client's password.

Listing 11-21 Impersonating a Client
<!-- File: web.config -->
<configuration>
  <system.web>
    <identity impersonate="true" />
  </system.web>
</configuration>
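As an added example (not code from the book), the following code-behind shows the alternative to turning impersonation on for every request. With Windows authentication enabled and impersonate="false" (the default), the request thread still carries the client's WindowsIdentity in User.Identity, so code can impersonate the client only around the one operation that must be checked against the client's rights and revert immediately afterwards. The class name and the file name report.xml are assumptions.

```csharp
// Added example, not from the book. Assumes Windows authentication is
// enabled for the application, <identity impersonate="false"/> (the default),
// and a file named report.xml in the application directory (all assumptions).
using System;
using System.IO;
using System.Security.Principal;
using System.Web.UI;

public class ReportPage : Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // User.Identity is the client's Windows identity as established by
        // IIS; WindowsIdentity.GetCurrent() is the token the request thread
        // is actually executing under. Without impersonation they differ.
        WindowsIdentity client = User.Identity as WindowsIdentity;
        if (client == null || !client.IsAuthenticated)
        {
            Response.StatusCode = 401;
            Response.Write("Windows authentication required.");
            return;
        }

        string processAccount = WindowsIdentity.GetCurrent().Name; // e.g. MACHINE\ASPNET
        string path = Server.MapPath("report.xml");
        string contents = null;
        string deniedFor = null;

        // Impersonate the client only around the access that must be checked
        // against the client's own permissions, and always revert in finally
        // so the rest of the request (and the pooled thread ASP.NET reuses)
        // runs as the worker process account again.
        WindowsImpersonationContext ctx = client.Impersonate();
        try
        {
            using (StreamReader reader = new StreamReader(path))
            {
                contents = reader.ReadToEnd();
            }
        }
        catch (UnauthorizedAccessException)
        {
            // The ACL on report.xml was evaluated against the client, not ASPNET.
            deniedFor = client.Name;
        }
        finally
        {
            ctx.Undo();
        }

        Response.ContentType = "text/plain";
        Response.Write("Worker process account:  " + processAccount + "\n");
        Response.Write("Client (User.Identity):  " + client.Name + "\n");
        Response.Write("Thread after Undo:       " + WindowsIdentity.GetCurrent().Name + "\n");
        if (deniedFor != null)
            Response.Write("report.xml: access denied for " + deniedFor + "\n");
        else
            Response.Write("report.xml: " + contents.Length + " characters read as " + client.Name + "\n");
    }
}
```

Scoping the impersonation this tightly keeps everything else the page does, including writes to application-owned files and any outbound calls, running with the deliberately limited ASPNET rights, and the finally block guarantees the thread is reverted even when the guarded operation throws.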


Essential ASP.NET With Examples in C#
ISBN: 0201760401
Year: 2003
Pages: 94
Authors: Fritz Onion