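        /// <summary>
        /// Starts impersonation for the request being dispatched and returns the context that
        /// reverts it. When <paramref name="isSecurityContextImpersonationOn"/> is set, the caller's
        /// identity from <paramref name="securityContext"/> is impersonated; otherwise the hosting
        /// environment's identity is impersonated if the environment requires it. Success and
        /// failure are traced and, depending on <c>auditLevel</c>, written to the security audit log.
        /// </summary>
        /// <param name="rpc">The request being dispatched; read for its request message, operation and hosting property.</param>
        /// <param name="securityContext">The request's security context. May be null; that is an error only when
        /// <paramref name="isSecurityContextImpersonationOn"/> is true.</param>
        /// <param name="isSecurityContextImpersonationOn">True to impersonate the identity carried by the security context.</param>
        /// <returns>The impersonation context the caller must dispose to revert, or null when nothing was impersonated.</returns>
        /// <exception cref="InvalidOperationException">The security context is missing, or it does not carry an identity
        /// that can be impersonated. Any failure from the underlying Impersonate call is traced, audited and rethrown.</exception>
        private IDisposable StartImpersonation2(ref MessageRpc rpc, ServiceSecurityContext securityContext, bool isSecurityContextImpersonationOn)
        {
            IDisposable disposable = null;

            try
            {
                if (isSecurityContextImpersonationOn)
                {
                    if (securityContext == null)
                    {
                        throw TraceUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SFxSecurityContextPropertyMissingFromRequestMessage")), rpc.Request);
                    }
                    WindowsIdentity windowsIdentity = securityContext.WindowsIdentity;
                    if (windowsIdentity.User != null)
                    {
                        // A Windows token is present: impersonate it directly.
                        disposable = windowsIdentity.Impersonate();
                    }
                    else if (securityContext.PrimaryIdentity is WindowsSidIdentity)
                    {
                        // No token, only a SID: impersonate anonymous, or build a Windows identity
                        // for the named account from its UPN.
                        WindowsSidIdentity primaryIdentity = (WindowsSidIdentity)securityContext.PrimaryIdentity;
                        if (primaryIdentity.SecurityIdentifier.IsWellKnown(WellKnownSidType.AnonymousSid))
                        {
                            disposable = new WindowsAnonymousIdentity().Impersonate();
                        }
                        else
                        {
                            // The identity object is only needed to create the impersonation context,
                            // so it is disposed right away; the caller reverts via the returned context.
                            using (WindowsIdentity identity3 = new WindowsIdentity(this.GetUpnFromDownlevelName(primaryIdentity.Name), "Kerberos"))
                            {
                                disposable = identity3.Impersonate();
                            }
                        }
                    }
                    else
                    {
                        throw TraceUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SecurityContextDoesNotAllowImpersonation", new object[] { rpc.Operation.Action })), rpc.Request);
                    }
                }
                else if (AspNetEnvironment.Current.RequiresImpersonation && (rpc.HostingProperty != null))
                {
                    disposable = rpc.HostingProperty.Impersonate();
                }

                SecurityTraceRecordHelper.TraceImpersonationSucceeded(rpc.Operation);
                if (AuditLevel.Success == (this.auditLevel & AuditLevel.Success))
                {
                    // securityContext may be null on the hosting-environment path (the failure
                    // audit below already guards for this); audit the anonymous identity rather
                    // than faulting inside the success audit.
                    string successIdentityNames;
                    if (securityContext != null)
                    {
                        successIdentityNames = System.ServiceModel.Security.SecurityUtils.GetIdentityNamesFromContext(securityContext.AuthorizationContext);
                    }
                    else
                    {
                        successIdentityNames = System.ServiceModel.Security.SecurityUtils.AnonymousIdentity.Name;
                    }
                    SecurityAuditHelper.WriteImpersonationSuccessEvent(this.auditLogLocation, this.suppressAuditFailure, rpc.Operation.Name, successIdentityNames);
                }
            }
            catch (Exception exception)
            {
                // Fatal exceptions are rethrown untouched, without tracing or auditing.
                if (Fx.IsFatal(exception))
                {
                    throw;
                }
                SecurityTraceRecordHelper.TraceImpersonationFailed(rpc.Operation, exception);
                if (AuditLevel.Failure == (this.auditLevel & AuditLevel.Failure))
                {
                    // Auditing must not mask the original failure: a non-fatal audit error is
                    // traced as handled and the impersonation exception is still rethrown below.
                    try
                    {
                        string identityNamesFromContext;
                        if (securityContext != null)
                        {
                            identityNamesFromContext = System.ServiceModel.Security.SecurityUtils.GetIdentityNamesFromContext(securityContext.AuthorizationContext);
                        }
                        else
                        {
                            identityNamesFromContext = System.ServiceModel.Security.SecurityUtils.AnonymousIdentity.Name;
                        }
                        SecurityAuditHelper.WriteImpersonationFailureEvent(this.auditLogLocation, this.suppressAuditFailure, rpc.Operation.Name, identityNamesFromContext, exception);
                    }
                    catch (Exception exception2)
                    {
                        if (Fx.IsFatal(exception2))
                        {
                            throw;
                        }
                        System.ServiceModel.DiagnosticUtility.ExceptionUtility.TraceHandledException(exception2, TraceEventType.Error);
                    }
                }
                // Rethrow with the original stack trace preserved.
                throw;
            }
            return(disposable);
        }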
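        /// <summary>
        /// Starts impersonation for the request being dispatched and returns the context that
        /// reverts it. When <paramref name="isSecurityContextImpersonationOn"/> is set, the caller's
        /// identity from <paramref name="securityContext"/> is impersonated; otherwise the hosting
        /// environment's identity is impersonated if the environment requires it. Success and
        /// failure are traced and, depending on <c>auditLevel</c>, written to the security audit log.
        /// </summary>
        /// <param name="rpc">The request being dispatched; read for its request message, operation, trace activity and hosting property.</param>
        /// <param name="securityContext">The request's security context. May be null; that is an error only when
        /// <paramref name="isSecurityContextImpersonationOn"/> is true.</param>
        /// <param name="isSecurityContextImpersonationOn">True to impersonate the identity carried by the security context.</param>
        /// <returns>The impersonation context the caller must dispose to revert, or null when nothing was impersonated.</returns>
        /// <exception cref="InvalidOperationException">The security context is missing, or it does not carry an identity
        /// that can be impersonated. Any failure from the underlying Impersonate call is traced, audited and rethrown.</exception>
        IDisposable StartImpersonation2(ref MessageRpc rpc, ServiceSecurityContext securityContext, bool isSecurityContextImpersonationOn)
        {
            IDisposable impersonationContext = null;

            try
            {
                if (isSecurityContextImpersonationOn)
                {
                    if (securityContext == null)
                    {
                        throw TraceUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SFxSecurityContextPropertyMissingFromRequestMessage)), rpc.Request);
                    }

                    WindowsIdentity impersonationToken = securityContext.WindowsIdentity;
                    if (impersonationToken.User != null)
                    {
                        // A Windows token is present: impersonate it directly.
                        impersonationContext = impersonationToken.Impersonate();
                    }
                    else if (securityContext.PrimaryIdentity is WindowsSidIdentity)
                    {
                        // No token, only a SID: impersonate anonymous, or build a Windows identity
                        // for the named account from its UPN.
                        WindowsSidIdentity sidIdentity = (WindowsSidIdentity)securityContext.PrimaryIdentity;
                        if (sidIdentity.SecurityIdentifier.IsWellKnown(WellKnownSidType.AnonymousSid))
                        {
                            impersonationContext = new WindowsAnonymousIdentity().Impersonate();
                        }
                        else
                        {
                            // The identity object is only needed to create the impersonation context,
                            // so it is disposed right away; the caller reverts via the returned context.
                            string fullyQualifiedDomainName = GetUpnFromDownlevelName(sidIdentity.Name);
                            using (WindowsIdentity windowsIdentity = new WindowsIdentity(fullyQualifiedDomainName, SecurityUtils.AuthTypeKerberos))
                            {
                                impersonationContext = windowsIdentity.Impersonate();
                            }
                        }
                    }
                    else
                    {
                        throw TraceUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SecurityContextDoesNotAllowImpersonation, rpc.Operation.Action)), rpc.Request);
                    }
                }
                else if (AspNetEnvironment.Current.RequiresImpersonation)
                {
                    if (rpc.HostingProperty != null)
                    {
                        impersonationContext = rpc.HostingProperty.Impersonate();
                    }
                }

                SecurityTraceRecordHelper.TraceImpersonationSucceeded(rpc.EventTraceActivity, rpc.Operation);

                // update the impersonation succeed audit
                if (AuditLevel.Success == (this.auditLevel & AuditLevel.Success))
                {
                    // securityContext may be null on the hosting-environment path (the failure
                    // audit below already guards for this); audit the anonymous identity rather
                    // than faulting inside the success audit.
                    string successIdentity;
                    if (securityContext != null)
                    {
                        successIdentity = SecurityUtils.GetIdentityNamesFromContext(securityContext.AuthorizationContext);
                    }
                    else
                    {
                        successIdentity = SecurityUtils.AnonymousIdentity.Name;
                    }

                    SecurityAuditHelper.WriteImpersonationSuccessEvent(this.auditLogLocation,
                                                                       this.suppressAuditFailure, rpc.Operation.Name, successIdentity);
                }
            }
            catch (Exception ex)
            {
                // Fatal exceptions are rethrown untouched, without tracing or auditing.
                if (Fx.IsFatal(ex))
                {
                    throw;
                }
                SecurityTraceRecordHelper.TraceImpersonationFailed(rpc.EventTraceActivity, rpc.Operation, ex);

                //
                // Update the impersonation failure audit.
                // NOTE (from the original): this is meant to stay in sync with the audit-level
                // handling in SecurityAuthorizationBehavior.
                //
                if (AuditLevel.Failure == (this.auditLevel & AuditLevel.Failure))
                {
                    // Auditing must not mask the original failure: a non-fatal audit error is
                    // traced as handled and the impersonation exception is still rethrown below.
                    try
                    {
                        string primaryIdentity;
                        if (securityContext != null)
                        {
                            primaryIdentity = SecurityUtils.GetIdentityNamesFromContext(securityContext.AuthorizationContext);
                        }
                        else
                        {
                            primaryIdentity = SecurityUtils.AnonymousIdentity.Name;
                        }

                        SecurityAuditHelper.WriteImpersonationFailureEvent(this.auditLogLocation,
                                                                           this.suppressAuditFailure, rpc.Operation.Name, primaryIdentity, ex);
                    }
#pragma warning suppress 56500
                    catch (Exception auditException)
                    {
                        if (Fx.IsFatal(auditException))
                        {
                            throw;
                        }

                        DiagnosticUtility.TraceHandledException(auditException, TraceEventType.Error);
                    }
                }

                // Rethrow with the original stack trace preserved.
                throw;
            }

            return(impersonationContext);
        }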