
Know the impersonation options

J.D. Meier, Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen.

Impersonation is used to restrict or authorize the original caller's access to a WCF service's local resources, such as files. There are three options for impersonation:
  • Impersonating the original caller declaratively on specific operations.
  • Impersonating the original caller declaratively on the entire service.
  • Impersonating the original caller programmatically within an operation.

Impersonating the original caller declaratively on specific operations
Use this option when you want to impersonate the original caller for the entire duration of a specific operation. Impersonation is a costly operation and is usually used for higher-privileged original callers, so applying it selectively, only on the operations that need it, reduces the potential attack surface. You can impersonate declaratively by applying the OperationBehaviorAttribute attribute to any operation that requires client impersonation, as shown in the following code example.
// The whole operation body runs under the original caller's identity.
[OperationBehavior(Impersonation = ImpersonationOption.Required)]
public string GetData(int value)
{
   return "test";
}

Impersonating the original caller declaratively on the entire service
Use this option when you want to impersonate the original caller for the entire duration of all operations. Impersonation is a costly operation and is usually used for higher-privileged original callers, so be careful when choosing this option, as it potentially increases the attack surface. To impersonate for the entire service, set the impersonateCallerForAllOperations attribute to "true" in the WCF configuration file, as shown in the following example.
...
<behaviors>
  <serviceBehaviors>
    <behavior name="ServiceBehavior">
      <serviceMetadata httpGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="false" />
      <serviceAuthorization impersonateCallerForAllOperations="true" />
    </behavior>
  </serviceBehaviors>
</behaviors>
...

When impersonating for all operations, the Impersonation property of the OperationBehaviorAttribute applied to each method must also be set to either Allowed or Required.

Note: When a service has higher credentials than the remote client, the credentials of the service are used if the Impersonation property is set to Allowed. That is, if a low-privileged user provides its credentials, a higher-privileged service executes the method with the credentials of the service, and can use resources that the low-privileged user would otherwise not be able to use.

Impersonating the original caller programmatically within an operation
Use this option when you want to impersonate the original caller for a short duration within a service operation. Impersonation is a costly operation and is usually used for higher-privileged original callers, so impersonating only when it is needed reduces the potential attack surface. Programmatic impersonation can be performed as shown in the following example.
// Requires: using System.Security.Principal; using System.ServiceModel;
public string GetData(int value)
{
    // Impersonate the original caller only for the duration of the using block.
    using (ServiceSecurityContext.Current.WindowsIdentity.Impersonate())
    {
        // Return the impersonated user's name (the original caller's identity).
        return string.Format("Hi, {0}, you have entered: {1}",
            WindowsIdentity.GetCurrent().Name, value);
    }
}

Note: It is important to revert impersonation; failure to do so can form the basis for denial of service and elevation of privilege attacks. In the example above, the using statement ensures that impersonation is reverted after the using block executes.
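
The following is an added example, not part of the original guidance. It narrows programmatic impersonation to a single file read and rejects caller tokens that cannot be impersonated before switching identity. IReportService, ReportService, ReadReport and the C:\Reports directory are hypothetical names chosen for illustration.

```csharp
using System.IO;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IReportService            // hypothetical contract
{
    [OperationContract]
    string ReadReport(string reportName);
}

public class ReportService : IReportService
{
    // Hypothetical directory; its NTFS ACLs decide which callers may read which files.
    private const string ReportRoot = @"C:\Reports";

    public string ReadReport(string reportName)
    {
        // Work that does not need the caller's identity runs as the service account.
        // Path.GetFileName drops any directory part, so the name cannot leave ReportRoot.
        string path = Path.Combine(ReportRoot, Path.GetFileName(reportName));

        ServiceSecurityContext security = ServiceSecurityContext.Current;
        WindowsIdentity caller = (security == null) ? null : security.WindowsIdentity;

        // Refuse to continue when there is no Windows identity, or when the token is
        // anonymous or identify-only and so cannot be used to open local resources.
        if (caller == null || caller.IsAnonymous ||
            caller.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
        {
            throw new SecurityAccessDeniedException("Caller cannot be impersonated.");
        }

        string contents;
        using (caller.Impersonate())
        {
            // Only this read runs as the original caller; the file's ACL is
            // evaluated against the caller's token, not the service account's.
            contents = File.ReadAllText(path);
        } // Dispose() reverts the impersonation, even if ReadAllText throws.

        // Back on the service identity for any remaining work.
        return contents;
    }
}
```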


Last edited Apr 24, 2008 at 12:56 AM by prashantbansode, version 2
