tags:

views:

146

answers:

2
Q: 

A .NET custom attribute to perform impersonation?

I have some methods that need to run as a certain service account, so I do the normal thing:

public DoSomeWorkAsServiceAccount() {
    ...
    // assume I am given tokenHandle
    WindowsIdentity newId = new WindowsIdentity(tokenHandle); 
    WindowsImpersonationContext impersonatedUser = newId.Impersonate();

    ...
    // do the work here
    ...

    impersonatedUser.Undo();
}

I'd like to avoid writing this code in every method, so I was thinking of creating a custom attribute:

[Impersonate(tokenHandle)]
public DoSomeWorkAsServiceAccount() {
    // do the work
}

So here are my questions:

  1. Is this possible?
  2. Can you show me something that will avoid code duplication?

Thanks in advance.

+3  A: 

Hi there.

I've don't have any code, but you could try using PostSharp to do this. You could create an OnMethodInvocationAspect which arranges the security stuff before calling the method code. eg

public class ImpersonateAttribute : OnMethodInvocationAspect
{
  public override void OnInvocation(MethodInvocationEventArgs eventArgs)
  {
    WindowsIdentity newId = new WindowsIdentity(tokenHandle); 
    WindowsImpersonationContext impersonatedUser = newId.Impersonate();

    eventArgs.Proceed() // Call the code in the actual method.

    impersonatedUser.Undo();
  }
}

The above is a complete guess, but by suggesting it, I may have given you a valid option.

Cheers. Jas.

Jason Evans  2009-08-18 20:49:06
Thanks - I didn't realize that attributes were just data, and a framework was needed to make it "do stuff".
Jeff Meatball Yang  2009-08-18 21:58:44
+2  A: 

I don't think an attribute is the best way to implement a feature like this. For the most part attributes merely act as meta-data on types and members (Aspect Oriented stuff aside). You'd need to write something to check for that attribute, and re-route the method call accordingly. If you already have some AOP code in place this shouldn't be much of a chore, but if you don't you'd likely be much better served by something like this:

public void DoWorkAsUser(tokenHandle, Action op)
{
  WindowsIdentity newId = new WindowsIdentity(tokenHandle); 
  WindowsImpersonationContext impersonatedUser = newId.Impersonate();

  op();

  impersonatedUser.Undo();
}

And then call it like this:

DoWorAsUser(token, MyMethod);

This allows you to centralize the impersonation code without having to mess around with reflection, codeweaving, etc.

akmad  2009-08-18 20:49:35
Thanks for the answer... I wish we had AOP. And BTW, your icon is awesome.
Jeff Meatball Yang  2009-08-18 20:53:02
You're welcome! I didn't put it in the example, but make sure you wrap your 'op' call in a try finally block and dispose the WindowsIdentity and WindowsImpersonationContext objects.
akmad  2009-08-19 21:17:57

related questions

Subsonic Vs NHibernate
How to check For File Lock in C# ?
Is nAnt still supported and suitable for .net 3.5/VS2008?
Limit size of Queue<T> in .NET?
Viewstate invalid when using Safari
Free OCR library
Unhandled Exception Handler in .NET 1.1
Localising date format descriptors
Get a new object instance from a Type in C#
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
.NET Testing Framework Advice
Embedded Database for .net that can run off a network
Automatically update version number
Homegrown consumption of web services
How do you migrate a large app from VB6 to VB .net ?
.NET Migrations Engine
Adding Scripting functionality to .NET applications
SQLite and XSD
Floating Point Number parsing: Is there a Catch All algorithm?
How do I programmatically create a PDF in my .NET application?
How do I sync the SVN revision number with my ASP.NET web site?
XSD DataSets and ignoring foreign keys
Anatomy of a "Memory Leak"
Reliable Timer in a Console Application
How do I calculate relative time?