How can I detect if my code should Impersonate or not?

Tags:

tridion

I have code that runs as part of an event handler and need to create a new TOM.NET session (I can't reuse subject.Session). This event handler is loaded into many Tridion processes (TcmServiceHost, COM+, Publisher, TcmTemplateDebugHost, IIS Application Pool) and these processes may:

  • run under an identity that has access to Tridion (e.g. the COM+ application runs under MTSUser, which is a Tridion administrator)
  • run under an identity that doesn't have access to Tridion, but is allowed to impersonate Tridion users (e.g. TcmServiceHost runs as NetworkService, which is configured as a Tridion Impersonation User).

I try to cater for both cases with this TOM.NET code:

using Tridion.ContentManager;

Session session = null;
try
{
    // works when the process identity is itself a Tridion user
    session = new Session();
}
catch (AccessDeniedException ex)
{
    // this process doesn't have TCM access, so impersonate a user that does
    session = new Session("Administrator");
}
if (session != null)
{
    var item = session.GetObject(id);
    // ...
}

Is this the right way to check whether my code is running under a process that has access to Tridion (ignoring the fact that I hard-coded "Administrator")? The code works, but I just wonder if there is a more efficient way to perform a "has access to Tridion" check?

Note: the same question arises when I use the Core Service to access Tridion, so the question is not whether the TOM.NET is the right API to use here.

Frank van Puffelen asked May 01 '12 16:05


2 Answers

I would not use this code. Exception catching is slow and you are currently giving (Administrator) access to anyone who cannot access the system - which is a big security hole to have.

Instead, I would look at who the current user is and figure out if he is an impersonation user or not. You could read the impersonation users from the Tridion.ContentManager.config file directly, if there isn't an API for it (I haven't checked).

var isImpersonationUser = IsImpersonationUser(WindowsIdentity.GetCurrent());
var session = isImpersonationUser ? new Session("Administrator") : new Session();
var item = session.GetObject(id);

Or you would have it be configurable separately for your event code. Or even hard-coded, if you don't care about the code being generic.

Peter Kjaer answered Oct 29 '22 14:10
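A fail-closed version of the check described in this answer, added here as an example (it is not code from the question, the answer, or the Tridion product): it resolves the current Windows identity, compares it with the impersonation users listed in Tridion.ContentManager.config, impersonates only a caller-supplied user, and otherwise lets Session() throw instead of falling back to an administrator. The config path and the `<impersonationUsers><add name="..."/></impersonationUsers>` XML shape are assumptions to verify against your installation.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Xml.Linq;
using Tridion.ContentManager;

static class SessionFactory
{
    // Assumed location of the CM configuration; adjust to your install.
    const string ConfigPath =
        @"C:\Program Files (x86)\Tridion\config\Tridion.ContentManager.config";

    // Assumed config shape:
    // <security><impersonationUsers><add name="NT AUTHORITY\NETWORK SERVICE"/></impersonationUsers></security>
    static bool IsImpersonationUser(WindowsIdentity identity)
    {
        var doc = XDocument.Load(ConfigPath);
        var names = doc.Descendants()
            .Where(e => e.Name.LocalName == "impersonationUsers")
            .Elements()
            .Where(e => e.Name.LocalName == "add")
            .Select(e => (string)e.Attribute("name"))
            .Where(n => n != null);
        return names.Any(n =>
            string.Equals(n, identity.Name, StringComparison.OrdinalIgnoreCase));
    }

    // impersonationTarget comes from the event handler's own configuration,
    // e.g. a dedicated service account with only the rights the handler needs,
    // not a hard-coded "Administrator".
    public static Session Open(string impersonationTarget)
    {
        if (string.IsNullOrWhiteSpace(impersonationTarget))
            throw new ArgumentException("No impersonation target configured", nameof(impersonationTarget));

        var current = WindowsIdentity.GetCurrent();
        if (IsImpersonationUser(current))
        {
            // This process identity may only impersonate; act as the configured user.
            return new Session(impersonationTarget);
        }

        // Otherwise the process identity must itself be a Tridion user. If it is not,
        // Session() throws AccessDeniedException; let that propagate (fail closed)
        // rather than silently escalating to a more privileged account.
        return new Session();
    }
}
```

Call `SessionFactory.Open(configuredUser)` once per handler invocation; the AccessDeniedException that surfaces for an unconfigured process identity is a deployment error worth logging, not a signal to impersonate.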


This code seems pretty efficient to me - but checking whether you can create the session object by no means guarantees that the code will be able to perform the action you actually want to carry out in the CMS.

It also seems like such code is creating a large security vulnerability, allowing processes to fall back to a higher level of security when they don't have permissions. Also keep in mind that if you are modifying any items in the CMS, impersonation will have the result of not showing the real name of the individual who may have triggered the change. It will be stored as the user you are impersonating.

Chris Summers answered Oct 29 '22 13:10