Can I use a attribute to make .net impersonate another user?

Question

I am familiar with impersonating an account in .net by using:

dim myIdentity as WindowsIdentity = someIdentity  
using ctx as WindowsImpersonationContext = myIdentity.Impersonate()  
    doStuff()  
end using

Is it possible to define a .net attribute so that I could write something like:

< runAsUser(someIdentity) > public sub doStuff()

and then have the .net framework always impersonate when running the method doStuff()?

Update Okay, I'm told that this may be impossible because arguments to an attribute constructor must be constants which would rule out passing in the user's identity.

Let me ask the question a little bit differently: Suppose there were a function getUserWindowsIdentity() that returns an identity associated with the logged in user.

Could I then use < runAsLoggedInUser) > public sub doStuff() > to make the framework always impersonate the user id returned by getUserWindowsIdentity when running the doStuff() method?

Answer 1

No, such magic does not exist in the .NET framework. You'd have to write the code yourself, using Reflection to read the attribute. That code will look a lot like the code you already have, just slower and with the code to read the attribute added.

Answer 2

I'm fairly certain this can't be done. You might be able to simulate it with PostSharp (or similar.)

Parameters passed to Attribute constructors must be constants, meaning they can't be reference types at all. I would question the use case where a code block should always run under the same hard-coded credentials, as well.

Answer 3

I'm not expert, so I'll concede to the other answerers that you can't do this the way you've suggested, but you might be able to write code that looks the way you want it to and as fast as the code you've been using.

If you write in a preprocessor directive to replace the attribute tag with a using block, you'd pretty much get the best of both worlds. This could probably be achieved with a script that runs over your source code, as well.

Answer 4

If you control either: a) the code that invokes the doStuff() method or b) the means by which the caller of doStuff() gets a reference to the object / class on which doStuff() is implemented, then you can accomplish what you're looking for. Item b) is preferred.

If that's possible, look into dynamic proxies - http://www.castleproject.org/dynamicproxy/index.html. Instead of returning an actual instance of the object / class in question, return a proxy for the instance. When the caller invokes the method, the proxy sees it first. In the proxy's implementation, look for your attribute on the method that's being called and, if found, initiate the impersonation.

Donnie

Answer 5

As others have answered, you can create an Attribute that will do "work", but what has not been explicitly stated is that there are no custom attributes that you can create that the run-time or framework components will execute on your behalf. So you can create an attribute such as:

public class RunAsUserAttribute : Attribute
{
    // implement some attribute functionality here
}

and you could then use that attribute on a method or class:

[RunAsUser]
public void DoStuff()
{
    // do some stuff as the impersonated user
} 

what component is going to invoke the functionality in the RunAsUserAttribute class? You could put this kind of functionality in a dynamic proxy as suggested by soccerdad. This is one way to solve the problem.

Cheers.