DavidThi808

Hi;

Note: While our specific use is ASP.NET, this is a general "reading a file" question.

Our ASP.NET application allows a user to give it an XML filename and the app then opens that file as a datasource to generate a report. The issue we face is we do not want the file opened using the credentials of the user that our ASP.NET app is running under for two reasons:

  1. The ASP.NET user may not have access to \\hr\payroll\salaries.xml but the person requesting the report does.
  2. The ASP.NET does have access to Web.Config but the person requesting the report does not.

Our app supports both forms and WindowsIdentity as an authtication/authorization method. So we do not have the client identity to use if they are using the forms system.

For http(s) and ftp this is a piece of cake - we create a NetworkCredential and pass that to the Resolver for XmlDocument when doing it's load. Problem solved there.

But how do we handle files that are local to the server, on a network drive on the server, or on a \\server\share accessable from the server And in all of those cases, the username/password to access the file could be a domain user or could be a user that exists only on the local machine - and that machine is remote from the ASP.NET server. Or it could be a user on another domain and that domain does not have a trust relationship with the domain our app is running on. Or the file could be available to "Everyone" which means with no credentials it can be read.

And with the way our system is structured, whatever file/credentials are setup, there will be multiple simultaneous requests to access the same data using the same credentials. So we cannot use the NetUseAdd call because it will fail if a connaction to that \\server\share already exists.

We can handle the case where it is a domain user on our domain used to access the file using impersonation. But the other cases appear to have no solution.

Help!!!!!

thanks - dave




Re: .NET Base Class Library Accessing a password protected file.

Peter Ritchie

You'll either have to grant wholesale access to that share/directory to the ASP.NET credential or impersonate another user based on the web application's logged-in user during access of the file. Shawn Farkas has a series of blog entries around impersonation with WindowsIdentity.Impersonate in .NET 2.0:

http://blogs.msdn.com/shawnfa/archive/2005/03/21/400088.aspx
http://blogs.msdn.com/shawnfa/archive/2005/03/22/400749.aspx
http://blogs.msdn.com/shawnfa/archive/2005/03/24/401905.aspx




Re: .NET Base Class Library Accessing a password protected file.

DavidThi808

Hi;

If access is allowed for users on the same domain that works great - I have that. But what about:

  1. Access is limited to a local user on that server
  2. It is on another domain and access is limited to users of that domain (and there is no trust relationship between domains)
  3. It's on a linux/solaris/AS-400 share and you need a uname/pw for that system.
  4. It is on a non-domain server and the share is available to "everyone." (This seems like an easy one except we do not want to impersonate as that will also allow access to files of the impersnated user and we may not want that.)

- thanks - dave






Re: .NET Base Class Library Accessing a password protected file.

Peter Ritchie

 DavidThi808 wrote:

Hi;

If access is allowed for users on the same domain that works great - I have that. But what about:

  1. Access is limited to a local user on that server
  2. It is on another domain and access is limited to users of that domain (and there is no trust relationship between domains)
  3. It's on a linux/solaris/AS-400 share and you need a uname/pw for that system.
  4. It is on a non-domain server and the share is available to "everyone." (This seems like an easy one except we do not want to impersonate as that will also allow access to files of the impersnated user and we may not want that.)

- thanks - dave

Ahh, okay.  I was assuming at least one local/domain user would have access to the "share".   Impersonation should work for point 1.  The other 3, you might be out of luck, without creating at least one drive with something like NetUseAdd.  One thing to try is use URI format when accessing the share (file://servername/sharename/directoryname/filename.ext) and try using WebRequest, the use the WebRequest.Credentials... e.g.:

    // Create a request for the URL.       

    WebRequest request = WebRequest.Create("file://servername/sharename/directoryname/filename.ext");

    // If required by the server, set the credentials.

    request.Credentials = new NetworkCredentials("username", "p@ssw0rd");

    // Get the response.

    WebResponse response = request.GetResponse();

    // Get the stream containing content returned by the server.

    Stream dataStream = response.GetResponseStream();

    // Open the stream using a StreamReader for easy access.

    StreamReader reader = new StreamReader(dataStream);

    // Read the content.

    string responseFromServer = reader.ReadToEnd();


I've never tried that; and, to be quite honest, would be very surprised if it does what you want.  It's worth a try though.




Re: .NET Base Class Library Accessing a password protected file.

DavidThi808

Hi;

It looks like LoginUser using LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT does work for case (1) - thank you.

For the others, it may be it cannot be done as NetUseAdd has lots of problems in this case (can't call same share twice, what if you delete an existing share that was already open). It's frustrating because the network can obviously do it using NetUseAdd but it's not exposed in a useable API.

For the file://filename I was told by MS support that that is the same filename so that doesn't buy us anything.

thanks - dave






Re: .NET Base Class Library Accessing a password protected file.

Peter Ritchie

DavidThi808 wrote:

Hi;

It looks like LoginUser using LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT does work for case (1) - thank you.

For the others, it may be it cannot be done as NetUseAdd has lots of problems in this case (can't call same share twice, what if you delete an existing share that was already open). It's frustrating because the network can obviously do it using NetUseAdd but it's not exposed in a useable API.

For the file://filename I was told by MS support that that is the same filename so that doesn't buy us anything.

thanks - dave

When you use NetUseAdd, do you specify a drive letter If you do, have you tried not using a drive letter (i.e. ui1_local = NULL, or ui2_local = NULL) NetUseAdd is documented as authenticating the client with the server for future connections.




Re: .NET Base Class Library Accessing a password protected file.

DavidThi808

Hi;

The problem with NetUseAdd is two-fold:

  1. Even if we don't use a drive letter, NetUseAdd will fail if there is already a connection to that share. So if thread (ASP.NET session) A has a connection and thread B goes to make one - it will fail.
  2. If another thread has made the connection and we use that - that other thread can delete the connection in our mid-use.

thanks - dave






Re: .NET Base Class Library Accessing a password protected file.

Peter Ritchie

I can't think of anything else to try.

If NetUseAdd fails you can continue with a connection to the server (you might be able to use NetUseGetInfo to find out if a connection is made already). If the connection fails you can simply retry the NetUseAdd..

Other than that, I can't think of anything that does what you want, unless you can some how get an ftp connection to some of these other servers...