ASP.NET authentication question

Developer https://www.devze.com 2023-03-11 01:05 Source: Internet
I have the following code in an aspx page:

    // Requires: using System.Security.Principal; (for WindowsIdentity)
    protected void Page_Load(object sender, EventArgs e)
    {
        if (User.Identity.IsAuthenticated)
            lblAuthentication.Text = 
            "Authenticated user: " + User.Identity.Name;
        else
            lblAuthentication.Text = 
            "User not authenticated. Anonymous access ";

        lblWindowsIdentity.Text = 
            "Windows identity: " + WindowsIdentity.GetCurrent().Name;

    }   // Page_Load()

web.config settings are as follows:

    <authentication mode="Windows" />

    <authorization>
        <allow users="*" />
    </authorization>

When logged in as Bob, who is an Administrator, I get the following output:

Authenticated user: Bob-PC\Bob
Windows identity: Bob-PC\Bob

Additional code shows me:

    Administrator: True 
    User: True 
    Guest: False 
    PowerUser: False 
    AccountOperator: False 
    SystemOperator: False 

Then I switch user (Windows Vista), log in as Guest, browse to the same website and I get the same output???

Authenticated user: Bob-PC\Bob
Windows identity: Bob-PC\Bob

    Administrator: True 
    User: True 
    Guest: False 
    PowerUser: False 
    AccountOperator: False 
    SystemOperator: False 

Why do I get the same output for different users?


WindowsIdentity.GetCurrent().Name is the identity under which the IIS thread is running.


Because the website is operating under the context of Bob-PC\Bob rather than the user you are logged in as. The calls you are making are looking at the website process (not what is going on outside the website [rest of Windows]).

If you are using IIS you can change the identity that the worker process runs under by modifying the properties of the application pool that hosts the website....

NOTE: You can use impersonation in .NET to force IIS to operate under the context of the browsing user. And this is the way that you would secure an app running on a LAN, for example with a Windows network running. But in order for this to work you have to use IE, as other browsers don't pass the domain authentication credentials.
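
The distinction both answers draw, as an added C# example (not code from the original posts): `IdentityReport.Describe` is a hypothetical helper that takes the page's `User` and evaluates the built-in roles from the question against the request identity and against `WindowsIdentity.GetCurrent()` side by side. The console `Main` is a constructed stand-in for calling it from `Page_Load`; the code is Windows-only.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

public static class IdentityReport
{
    // The built-in roles listed in the question's output.
    static readonly WindowsBuiltInRole[] Roles =
    {
        WindowsBuiltInRole.Administrator, WindowsBuiltInRole.User,
        WindowsBuiltInRole.Guest, WindowsBuiltInRole.PowerUser,
        WindowsBuiltInRole.AccountOperator, WindowsBuiltInRole.SystemOperator
    };

    // requestUser: the principal ASP.NET attached to the request (Page.User).
    public static IEnumerable<string> Describe(IPrincipal requestUser)
    {
        IIdentity who = requestUser.Identity;
        yield return "Request user:       " +
            (who.IsAuthenticated ? who.Name : "(anonymous)");

        // With Windows authentication the request identity is a WindowsIdentity;
        // for any other identity type the role columns read "n/a".
        WindowsIdentity requestIdentity = who as WindowsIdentity;
        WindowsPrincipal requestPrincipal =
            requestIdentity != null ? new WindowsPrincipal(requestIdentity) : null;

        // GetCurrent() is the identity this code executes as: the worker
        // process account, or the impersonated caller if impersonation is on.
        using (WindowsIdentity executing = WindowsIdentity.GetCurrent())
        {
            yield return "Executing identity: " + executing.Name;
            WindowsPrincipal executingPrincipal = new WindowsPrincipal(executing);
            foreach (WindowsBuiltInRole role in Roles)
                yield return string.Format("{0,-16} request={1,-5} executing={2}",
                    role,
                    requestPrincipal != null
                        ? requestPrincipal.IsInRole(role).ToString() : "n/a",
                    executingPrincipal.IsInRole(role));
        }
    }

    public static void Main()
    {
        // Constructed stand-in for Page.User so the block runs outside IIS;
        // in a page, call Describe(User) from Page_Load instead.
        IPrincipal requestUser = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        foreach (string line in Describe(requestUser))
            Console.WriteLine(line);
    }
}
```

Role checks that gate access belong on the `request=` column; the `executing=` column only describes the account the code runs as.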
