Web Parts, Impersonate and Security Policy, Part 1



Written by: Rickie Lee (rickieleemail at yahoo.com)

When developing certain Web Parts you need to access objects or data that SPS protects with strict access control. Some users are authorized to perform those operations, others are not, and granting the required permission to everyone is not an option. The Web Part therefore has to perform the privileged step under a different Windows identity than the one of the user who is browsing the portal.





// These namespaces are required at the top of the Web Part source file.
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

protected static WindowsIdentity CreateIdentity(string User, string Domain, string Password)
{
          // The Windows NT user token returned by LogonUser.
          IntPtr tokenHandle = IntPtr.Zero;

          const int LOGON32_PROVIDER_DEFAULT = 0;
          // LOGON32_LOGON_NETWORK is cheap, but LogonUser does not cache credentials
          // for it, so the resulting token cannot be used to reach resources on other
          // machines. Use LOGON32_LOGON_INTERACTIVE (2) if that is required.
          const int LOGON32_LOGON_NETWORK = 3;

          // Call LogonUser to obtain a handle to an access token.
          bool returnValue = LogonUser(User, Domain, Password,
                    LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT,
                    ref tokenHandle);

          // Check for failure
          if (false == returnValue)
          {
                    int ret = Marshal.GetLastWin32Error();
                    throw new Exception("LogonUser failed with error code: " + ret);
          }

          System.Diagnostics.Debug.WriteLine("Created user token: " + tokenHandle);

          // The WindowsIdentity class makes a new copy of the token.
          // It also handles calling CloseHandle for the copy.
          WindowsIdentity id = new WindowsIdentity(tokenHandle);

          // WindowsIdentity only owns its duplicate, so the handle returned by
          // LogonUser must be closed here or it leaks for the lifetime of the process.
          CloseHandle(tokenHandle);

          return id;
}

[DllImport("advapi32.dll", SetLastError=true)]
private static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword,
          int dwLogonType, int dwLogonProvider, ref IntPtr phToken);

[DllImport("kernel32.dll", CharSet=CharSet.Auto)]
private extern static bool CloseHandle(IntPtr handle);


Sample calling code in a Web Part:

// Assign new account information
string strUID = "Rickie";
string strPassword = "rickieleemail at yahoo.com";
string strDomain = "Your_Domain_Name";

// Change the context
WindowsIdentity objIdentity = CreateIdentity(strUID, strDomain, strPassword);
WindowsImpersonationContext objContext = objIdentity.Impersonate();
try
{
          // Perform actions that require higher permission level
}
finally
{
          // Tear down context: revert to the original identity even if the
          // privileged work above throws, so the thread never keeps running
          // as the elevated account.
          objContext.Undo();
}

First call CreateIdentity() to obtain a System.Security.Principal.WindowsIdentity for an account that has the appropriate access rights. Then call the WindowsIdentity object's Impersonate() method to start impersonating that Windows identity, and run the methods or access the resources that require the higher privilege. When that work is finished, stop impersonating so the thread returns to the user's original identity (account). Two points matter in practice: the Undo() call belongs in a finally block, because an exception thrown while impersonating would otherwise leave the worker thread running as the privileged account for the rest of the request; and the account's credentials should not be compiled into the Web Part, because anyone who can read the assembly can recover them, so read them from protected configuration instead.
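The procedure just described, packaged so that the revert cannot be forgotten, as an added example that is not part of the original article or of SPS. The class name ImpersonationScope, the demo method, and the credentials passed in by the caller are assumptions for illustration; the code targets .NET Framework (WindowsIdentity.Impersonate() was removed in .NET Core) and uses an interactive logon so the token also carries credentials for remote resources.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: LogonUser -> Impersonate -> Undo as a disposable scope, so that
// leaving the using block (normally or by exception) always reverts the identity.
public sealed class ImpersonationScope : IDisposable
{
    // Interactive logon caches credentials, so the token can be used for resources
    // on other machines; LOGON32_LOGON_NETWORK (3) cannot.
    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    private WindowsImpersonationContext _context;

    public ImpersonationScope(string user, string domain, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Win32Exception maps the error code to its text (1326 = bad user name or password).
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        try
        {
            // WindowsIdentity duplicates the token, so the LogonUser handle is closed
            // as soon as the identity exists, even if Impersonate() throws.
            _context = new WindowsIdentity(token).Impersonate();
        }
        finally
        {
            CloseHandle(token);
        }
    }

    // Runs when the using block exits, including when it exits via an exception.
    public void Dispose()
    {
        if (_context != null)
        {
            _context.Undo();
            _context = null;
        }
    }
}

public static class ImpersonationDemo
{
    // Returns the identity names observed before, during and after impersonation.
    // The privileged section deliberately throws, to show that the identity is
    // reverted anyway: before and after must be equal, during must differ.
    public static string[] Run(string user, string domain, string password)
    {
        string before = WindowsIdentity.GetCurrent().Name;
        string during = null;
        try
        {
            using (new ImpersonationScope(user, domain, password))
            {
                during = WindowsIdentity.GetCurrent().Name;
                // Simulated failure inside the privileged work.
                throw new InvalidOperationException("work failed while impersonating");
            }
        }
        catch (InvalidOperationException)
        {
            // Expected: the exception propagated, but Dispose() has already called Undo().
        }
        string after = WindowsIdentity.GetCurrent().Name;
        return new string[] { before, during, after };
    }
}
```

Call ImpersonationDemo.Run(...) from the Web Part with credentials read from protected configuration; on Windows 2000 the worker process additionally needs the SeTcbPrivilege ("Act as part of the operating system") right to call LogonUser, a requirement Windows XP and Windows Server 2003 dropped.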






