ASP.NET authentication question
I have following code in an aspx page:
protected void Page_Load(object sender, EventArgs e)
{
if (User.Identity.IsAuthenticated)
lblAuthentication.Text =
"Authenticated user: " + User.Identity.Name;
else
lblAuthentication.Text =
"User not authenticated. Anonymous access ";
lblWindowsIdentity.Text =
"Windows identity: " + WindowsIdentity.GetCurrent().Name;
} // Page_Load()
web.config settings are as follows:
<authentication mode="Windows" />
<authorization>
<allow users="*" />
</authorization>
When logged in as Bob who is Administrator I get following output
Authenticated user: Bob-PC\Bob
Windows identity: Bob-PC\Bob
Additional code shows me:
Administrator: True
User: True
Guest: False
PowerUser: False
AccountOperato开发者_如何学运维r: False
SystemOperator: False
Then I switch user (Windows Vista), log in as Guest, browse to the same website and I get the same output???
Authenticated user: Bob-PC\Bob
Windows identity: Bob-PC\Bob
Administrator: True
User: True
Guest: False
PowerUser: False
AccountOperator: False
SystemOperator: False
Why do I get the same output for different users?
WindowsIdentity.GetCurrent().Name is he identity under which the IIS thread is running.
Because the website is operating under the context of Bob-PC\Bob rather than the user you are logged in as. The calls you are making are looking at the website process (not what is going on outside the website[rest of windows]).
If you are using IIS you can change the identity that the worker process runs under by modifying the properties of the application pool that hosts the website....
NOTE: you can use impersonation in .net to force IIS to operate under the context of the browsing user. And this is the way that you would secure an app running on a LAN for example with a windows network running. But in order for this to work you have to use IE as other browsers dont pass the domain authentication credentials).
加载中,请稍侯......
精彩评论