Setting Principal for HttpWorkerRequest

Norman Rasmussen

re: http://www.dotnet247.com/247reference/msgs/31/159270.aspx
(neither my news server nor Microsoft's seems to still carry this thread)

I am trying to add User Authentication to Cassini.

More specifically, I am using Cassini as a web-server back end to a GUI
application (with a web browser control navigating the Cassini web server)
and I want User.Identity to be set to the same login details as the User
running the GUI application hosting Cassini.

At the moment I have added the following lines to the web application's
global.asax.vb:
    if (!User.Identity.IsAuthenticated) {
        IIdentity id = new GenericIdentity(Environment.UserDomainName + @"\" + Environment.UserName);
        IPrincipal ip = new GenericPrincipal(id, new string[0]);
        Context.User = ip;
    }

This at least simulates the user being logged in.

I would prefer to add it to Cassini instead, because then I can host
existing web applications with-no-change. (This includes adding an
HTTPModule in the web.config)

I tried setting the CurrentThread.Identity in Host.Configure in Cassini,
but with no effect. Request.Process has the same problem I seem to
remember.

How is it possible to set the Context.User from the hosting thread in
Cassini?

Norman Rasmussen

open box software
T +27 21 701 7884 | M +27 (0) 83 418 9799
E (e-mail address removed) | W www.openboxsoftware.com
 
Norman Rasmussen

I have slightly more luck in getting Cassini to act as if the user logged in
via a web server. Because I am only interested in Cassini running as a local
host for the application, I am happy to assume the user running the GUI
application (and therefore Cassini) is the user I am authenticating as.

Basically I set the PrincipalPolicy to use the current login and its
associated groups as the user identity & its roles. Then I return the
required information to the WindowsAuthenticationModule to make it get the
user token and use it for the current context.

If you wanted to create a fully fledged authentication module for Cassini
then you would not change the principal policy, and you would have to use
LogonUser to create a new token and then store it instead of using the
current thread's identity. (as described in the WindowsIdentity.Impersonate
example code)

Note that in the web.config file:
<!-- Most user accounts are not granted the right to impersonate by the
Security Policy (either local or domain) -->
<identity impersonate="false"/>
<!-- FileAuthorization via FileSecurityDescriptorWrapper uses IIS to check
if the file can be accessed and therefore can't be used with Cassini-->
<httpModules><remove name="FileAuthorization"/></httpModules>

So, added details are as follows:

Host.cs, Line 72:
    Thread.GetDomain().SetPrincipalPolicy(System.Security.Principal.PrincipalPolicy.WindowsPrincipal);

Request.cs, Line 20:
using System.Security.Principal;

Request.cs, Line 67:
    private IIdentity _identity;

Request.cs, Line 127:
_identity = Thread.CurrentPrincipal.Identity;

Request.cs, Line 525:
    case "LOGON_USER":
        s = _identity.Name;
        break;
    case "AUTH_TYPE":
        s = _identity.AuthenticationType;
        break;

Request.cs, Line 730:
    public override System.IntPtr GetUserToken() {
        if (_identity.GetType() == typeof(WindowsIdentity))
            return ((WindowsIdentity)_identity).Token;
        else
            return IntPtr.Zero;
    }

Norman Rasmussen

open box software
T +27 21 701 7884 | M +27 (0) 83 418 9799
E (e-mail address removed) | W www.openboxsoftware.com
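
Added example, not part of the original post and not Cassini's own code: the same three overrides collected into one worker request, with a loopback guard so that only local connections are presented as the host user. The class name CurrentUserWorkerRequest and the IsLocalClient helper are hypothetical; it derives from System.Web.Hosting.SimpleWorkerRequest rather than Cassini's Request, and it takes the identity from WindowsIdentity.GetCurrent() instead of Thread.CurrentPrincipal.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Principal;
using System.Web.Hosting;

// Hypothetical class name; built on SimpleWorkerRequest instead of Cassini's Request.
public class CurrentUserWorkerRequest : SimpleWorkerRequest
{
    // Identity of the account running the host process (the GUI user).
    // Held in a field so the token handle stays valid for the request's lifetime.
    private readonly WindowsIdentity _identity = WindowsIdentity.GetCurrent();

    public CurrentUserWorkerRequest(string page, string query, TextWriter output)
        : base(page, query, output) { }

    // Guard added for this example: the browser never sends credentials,
    // so only loopback clients are treated as the host user.
    private bool IsLocalClient()
    {
        IPAddress remote;
        return IPAddress.TryParse(GetRemoteAddress(), out remote)
            && IPAddress.IsLoopback(remote);
    }

    // The two server variables the post returns to WindowsAuthenticationModule.
    public override string GetServerVariable(string name)
    {
        if (IsLocalClient())
        {
            if (name == "LOGON_USER") return _identity.Name;
            if (name == "AUTH_TYPE") return _identity.AuthenticationType;
        }
        return base.GetServerVariable(name);
    }

    // IntPtr.Zero means "no authenticated Windows user" for non-local clients.
    public override IntPtr GetUserToken()
    {
        return IsLocalClient() ? _identity.Token : IntPtr.Zero;
    }
}
```

The loopback check does not distinguish between accounts on a shared machine: any local process that can reach the listening port is served as the user who started the host.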
 
