Client Impersonation from Web Service?
What are the advantages and disadvantages of impersonating a client from a web service? And given that one of its advantages is auditing, how is auditing better using impersonation than passing identity objects from the application to the web service?
The purpose of impersonation is to extend the access of a service to resources that might be off-limits. It does this by taking the rights of the requester into consideration. Impersonation enables the service to assume the security context of the requester when it must determine whether access to a particular resource is to be allowed.
The simplest way to implement impersonation is declaratively on the service’s methods. The OperationBehavior attribute includes a property called Impersonation. This property can be set to Required or Allowed.
using System.ServiceModel;

// Allowed: the caller's Windows credentials may flow to this operation;
// Required: the service must run the operation under the caller's identity.
[OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
public bool Update()
{
    return true;
}
If the Impersonation property is set to Allowed, the client credentials can flow to the service. If Impersonation is set to Required, the service must assume the client’s credentials.
There are times when not all of a method might require impersonation. Perhaps impersonation is required only when a file is being accessed, for example. To allow for this, it is possible to implement impersonation imperatively by using the WindowsImpersonationContext class.
To start, you must retrieve the Windows identity associated with the current request. This is available through the ServiceSecurityContext.Current object. If the WindowsIdentity property is not null (remembering that a Windows identity is required for impersonation), you can invoke the Impersonate method on the identity. The following code demonstrates this technique:
using System;
using System.Security.Principal;
using System.ServiceModel;

// Windows identity of the caller for the current request; null if the caller
// could not be mapped to a Windows account (impersonation is then impossible).
WindowsIdentity callerIdentity =
    ServiceSecurityContext.Current.WindowsIdentity;
if (callerIdentity == null)
    throw new InvalidOperationException(
        "The caller cannot be mapped to a WindowsIdentity");
// The thread runs as the caller until the context is disposed, which reverts it.
using (WindowsImpersonationContext context = callerIdentity.Impersonate())
{
    // Access a file as the caller.
}
The two impersonation techniques demonstrated so far operate on a method-by-method basis. It is also possible to enable impersonation for all methods in a service. You do this by setting the ImpersonateCallerForAllOperations property on the ServiceAuthorization behavior to true. You can do this as shown in the following code sample:
using System.ServiceModel;
using System.ServiceModel.Description;

ServiceHost serviceHost = new ServiceHost(typeof(TestService));
ServiceAuthorizationBehavior behavior =
    serviceHost.Description.Behaviors.Find<ServiceAuthorizationBehavior>();
// Every operation now runs under the caller's identity (set this before Open).
behavior.ImpersonateCallerForAllOperations = true;
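As an added illustration of the auditing point raised in the question (example code, not from the original answer or from WCF's own samples): the operation below impersonates only around the file read, so the file system's own access check and any object-access audit entry record the caller rather than the host account, whereas passing an identity object would leave the file opened, and audited, as the host. It assumes .NET Framework WCF with a Windows-credential binding whose client permits impersonation; IAuditedFileService, AuditedFileService and ReadFirstLine are hypothetical names.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IAuditedFileService   // hypothetical contract name
{
    [OperationContract]
    string ReadFirstLine(string path);
}

public class AuditedFileService : IAuditedFileService   // hypothetical
{
    // Allowed lets the caller's Windows token flow in; the switch of security
    // context is done imperatively below, only around the file access.
    [OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
    public string ReadFirstLine(string path)
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
            throw new FaultException("Caller has no Windows identity to impersonate.");

        // Outside the using block the thread token is the service account.
        string serviceAccount = WindowsIdentity.GetCurrent().Name;
        string firstLine;
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            // Inside, the thread token is the caller's: the NTFS access check
            // and any object-access audit entry (file SACL) name the caller.
            string effective = WindowsIdentity.GetCurrent().Name;
            using (StreamReader reader = File.OpenText(path))
                firstLine = reader.ReadLine() ?? string.Empty;
            Console.WriteLine("opened {0} as {1} (host runs as {2})",
                              path, effective, serviceAccount);
        } // Dispose() reverts the thread to the service account.

        return firstLine;
    }
}
```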