VSDOTNET - Securité http://www.vsdotnet.ch/ Un peu de mon expérience dans le monde .NET en-us Stéphane Schwartz Mon, 27 Aug 2007 14:09:47 GMT newtelligence dasBlog 2.3.9074.18820 stephane@vsdotnet.ch stephane@vsdotnet.ch http://www.vsdotnet.ch/Trackback.aspx?guid=3ff718c3-218f-4ea4-851d-5ce30c53986c http://www.vsdotnet.ch/pingback.aspx http://www.vsdotnet.ch/PermaLink,guid,3ff718c3-218f-4ea4-851d-5ce30c53986c.aspx Stéphane Schwartz http://www.vsdotnet.ch/CommentView,guid,3ff718c3-218f-4ea4-851d-5ce30c53986c.aspx http://www.vsdotnet.ch/SyndicationService.asmx/GetEntryCommentsRss?guid=3ff718c3-218f-4ea4-851d-5ce30c53986c Changer le WindowsIdentity en cours d’exécution (impersonalisation)… http://www.vsdotnet.ch/PermaLink,guid,3ff718c3-218f-4ea4-851d-5ce30c53986c.aspx http://www.vsdotnet.ch/2007/08/27/ChangerLeWindowsIdentityEnCoursDex%c3%a9cutionImpersonalisation.aspx Mon, 27 Aug 2007 14:09:47 GMT <p class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <span style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"><font color=#000000><a href="http://www.blackberry.com/images/home_icons/security.gif" target=_top><img height=48 src="http://tbn0.google.com/images?q=tbn:7r8tV8TaKWMtUM:http://www.blackberry.com/images/home_icons/security.gif" width=54></a><?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />&nbsp;Par défaut, le WindowsIdentity (system.security.principal) est celui de l’utilisateur logué, et est récupérable en utilisant l’instruction suivante&nbsp;:<o:p></o:p> </font></span> </p> <p class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <span style="FONT-SIZE: 8pt; COLOR: #2b91af; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 10.0pt">WindowsIdentity</span><span style="FONT-SIZE: 8pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 10.0pt"><font color=#000000>.GetCurrent()<o:p></o:p> </font></span> </p> <p class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <span style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'"><font color=#000000>&nbsp;<o:p></o:p> </font></span> </p> <p class=MsoBodyText style="MARGIN: 0cm 0cm 0pt"> <font face="Courier New" color=#000000>Dans le cadre d’un projet, j’avais besoin que mon code s’execute temporairement sous une autre identité que celle de l’utilisateur executant l’application. Après quelques recherche, voici les trois étapes a effectuer&nbsp;:</font> </p> <p class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <span style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"><font color=#000000>&nbsp;<o:p></o:p> </font></span> </p> <p class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <b><span style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"><font color=#000000>1 - Se loguer avec le nouveau compte<o:p></o:p> </font></span></b> </p> <p class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <span style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"><font color=#000000>&nbsp;<o:p></o:p> </font></span> </p> <p class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <span style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"><font color=#000000>Pour se faire, on va utiliser l’API advapi32, dont voici la signature&nbsp;:<o:p></o:p> </font></span> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt"> <font face="Courier New" color=#303030>[DllImport("advapi32.dll", SetLastError=true)]<br> public static extern bool LogonUser(<br> &nbsp;&nbsp;&nbsp;&nbsp;string lpszUsername, <br> &nbsp;&nbsp;&nbsp;&nbsp;string lpszDomain, <br> &nbsp;&nbsp;&nbsp;&nbsp;string lpszPassword, <br> &nbsp;&nbsp;&nbsp;&nbsp;int dwLogonType, <br> &nbsp;&nbsp;&nbsp;&nbsp;int dwLogonProvider, <br> &nbsp;&nbsp;&nbsp;&nbsp;out IntPtr phToken<br> &nbsp;&nbsp;&nbsp;&nbsp;);</font> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt"> <font color=#303030><font face="Courier New">&nbsp;<o:p></o:p> </font></font> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt"> <span style="FONT-SIZE: 10pt; mso-bidi-font-size: 12.0pt"><font color=#303030><font face="Courier New">Le code suivant&nbsp;retourne vrai si le login à réussi. Il retourne surtout le handler du token lié à ce login, que nous utiliserons plus tard.<o:p></o:p> </font></font></span> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt"> <font face="Courier New" color=#303030>LogonUser(</font> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt; TEXT-INDENT: 35.4pt"> <font face="Courier New" color=#303030>«&nbsp;nom d’utilisateur&nbsp;», </font> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt 35.4pt"> <font face="Courier New" color=#303030>«&nbsp;domaine&nbsp;», </font> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt 35.4pt"> <font face="Courier New" color=#303030>«&nbsp;mot de passe&nbsp;»,</font> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt 35.4pt"> <font face="Courier New" color=#303030>2, </font> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt 35.4pt"> <font face="Courier New" color=#303030>0, </font> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt 35.4pt"> <font face="Courier New" color=#303030>ref TokenHandler)</font> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt 35.4pt"> <font color=#303030><font face="Courier New">&nbsp;<o:p></o:p> </font></font> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt"> <b><span style="FONT-SIZE: 10pt; mso-bidi-font-size: 12.0pt"><font color=#303030><font face="Courier New">2 – Dupliquer le token<o:p></o:p> </font></font></span></b> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt"> <span style="FONT-SIZE: 10pt; mso-bidi-font-size: 12.0pt"><font color=#303030><font face="Courier New">&nbsp;<o:p></o:p> </font></font></span> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt"> <span style="FONT-SIZE: 10pt; mso-bidi-font-size: 12.0pt"><font color=#303030><font face="Courier New">A nouveau, il faut utiliser l’API advapi32&nbsp;:<o:p></o:p> </font></font></span> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt"> <font face="Courier New" color=#303030>[DllImport("advapi32.dll", SetLastError=true)]<br> public extern static bool DuplicateToken(IntPtr ExistingTokenHandle, int<br> &nbsp;&nbsp; SECURITY_IMPERSONATION_LEVEL, out IntPtr DuplicateTokenHandle);</font> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt"> <font color=#303030><font face="Courier New">&nbsp;<o:p></o:p> </font></font> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt"> <span style="FONT-SIZE: 10pt; mso-bidi-font-size: 12.0pt"><font color=#303030><font face="Courier New">Le code suivant&nbsp;retourne vrai si la duplication à réussie. Il retourne aussi le token utiliser plus tard afin de créer un nouveau WindowsIdentity.<o:p></o:p> </font></font></span> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt"> <span style="FONT-SIZE: 10pt"><font color=#303030><font face="Courier New">DuplicateToken(<o:p></o:p> </font></font></span> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt 35.4pt"> <font color=#303030><font face="Courier New">TokenHandler<span style="FONT-SIZE: 10pt">, <o:p></o:p> </span></font></font> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt 35.4pt"> <span style="FONT-SIZE: 10pt"><font color=#303030><font face="Courier New">2, <o:p></o:p> </font></font></span> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt 35.4pt"> <font face="Courier New"><span style="FONT-SIZE: 10pt; COLOR: blue">ref</span><span style="FONT-SIZE: 10pt"><font color=#303030> pDuplicateTokenHandle);<o:p></o:p> </font></span></font> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt 35.4pt"> <font color=#303030><font face="Courier New">&nbsp;<o:p></o:p> </font></font> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt"> <font color=#303030><font face="Courier New">&nbsp;<o:p></o:p> </font></font> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt"> <b><span style="FONT-SIZE: 10pt; mso-bidi-font-size: 12.0pt"><font color=#303030><font face="Courier New">3 – Créer un nouveau WindowsIdentity<o:p></o:p> </font></font></span></b> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt"> <span style="FONT-SIZE: 10pt; mso-bidi-font-size: 12.0pt"><font color=#303030><font face="Courier New">&nbsp;<o:p></o:p> </font></font></span> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt"> <span style="FONT-SIZE: 10pt; mso-bidi-font-size: 12.0pt"><font color=#303030><font face="Courier New">Opération qui est un jeu d’enfant, via le code suitant&nbsp;:<o:p></o:p> </font></font></span> </p> <p class=MsoNormal style="MARGIN: 0cm 0cm 0pt; mso-layout-grid-align: none"> <span style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'"><font color=#000000>&nbsp;<o:p></o:p> </font></span> </p> <p class=MsoNormal style="MARGIN: 0cm 0cm 0pt; mso-layout-grid-align: none"> <span style="FONT-SIZE: 8pt; COLOR: #2b91af; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 10.0pt">WindowsIdentity</span><span style="FONT-SIZE: 8pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 10.0pt"><font color=#000000> newId = </font><span style="COLOR: blue">new</span><font color=#000000> </font><span style="COLOR: #2b91af">WindowsIdentity</span><font color=#000000>(pDuplicateTokenHandle);<o:p></o:p> </font></span> </p> <p class=MsoBodyText2 style="MARGIN: 0cm 0cm 0pt"> <font face="Courier New"><span style="COLOR: #2b91af; mso-bidi-font-size: 10.0pt">WindowsImpersonationContext</span><font color=#303030><span style="mso-bidi-font-size: 10.0pt"> impersonatedUser = newId.Impersonate();</span><span style="FONT-SIZE: 10pt; mso-bidi-font-size: 12.0pt"> <o:p></o:p> </span></font></font> </p> <p class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <span style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"><font color=#000000><span style="mso-spacerun: yes">&nbsp;</span> <o:p></o:p> </font></span> </p> <p class=MsoNormal style="MARGIN: 0cm 0cm 0pt"> <span style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"><font color=#000000>&nbsp;<o:p></o:p> </font></span> </p> <p> <span style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: FR; mso-fareast-language: FR; mso-bidi-language: AR-SA"><font color=#000000>Dorénavant, </font></span><span style="FONT-SIZE: 10pt; COLOR: #2b91af; FONT-FAMILY: 'Courier New'; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: FR; mso-fareast-language: FR; mso-bidi-language: AR-SA">WindowsIdentity</span><span style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: FR; mso-fareast-language: FR; mso-bidi-language: AR-SA"><font color=#000000>.GetCurrent() retoune le nouveau WindowsIdentity et le code s’execute avec les droits de celui-ci. Pour revenir à l’état avant impersonalisation, il suffit d’utiliser la méthode </font><span style="COLOR: #33cccc">Undo</span><font color=#000000> de </font><span style="COLOR: #2b91af">WindowsImpersonationContext</span></span> </p> <img width="0" height="0" src="http://www.vsdotnet.ch/aggbug.ashx?id=3ff718c3-218f-4ea4-851d-5ce30c53986c" /> http://www.vsdotnet.ch/CommentView,guid,3ff718c3-218f-4ea4-851d-5ce30c53986c.aspx Securité