Linking legacy code to your SharePoint application can pose several issues. One of these issues is how to run the code as the correct user. When threads enter your business logic through IIS and SharePoint they already impersonate the user connecting to the Web Application. Threads in the SPTimerService run as the timer service process user. Threads in your custom SPWindowService run as the service process user that you have specified. Getting your thread to assume the right WindowsIdentity can be a challenge.
WindowsIdentity.Impersonate should not be used as a method to access SPSite objects in pure non-legacy SharePoint applications. That should be done by passing an SPUserToken object into the SPSite constructor. Still legacy code may require the change in WindowsIdentity and glue code may access the SPSite object to communicate data back into SharePoint. There are two steps to accomplishing this.
First convert the SPUser to a WindowsIdentity. To accomplish this, create the user principal name (UPN) for the user. Then instantiate a new WindowsIdentity using the UPN.
private static string GetUpn(SPUser spUser)
{
string[] tmp = spUser.LoginName.Split('\\');
System.DirectoryServices.ActiveDirectory.Domain domain =
System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain();
return tmp[1] + "@" + domain.Name;
}
.
.
.
SPUser spUser = GetMySPUser();
WindowsIdentity spUserIdentity = new WindowsIdentity(GetUpn(spUser));
Restrictions: This approach will only work when the user is actually a member of the Domain.GetCurrentDomain. Otherwise you need to search for the domain name through the active directory service. Also this approach will only work if the process user has the local security policy “Act As Part of the Operating System” = “true”. By default the NT Authority\Network Service user has this privilege. Additionally the WindowsIdentity instantiation is also restricted to the Server 2003 or Sever 2008 operating systems, but so is SharePoint.
Next perform the impersonation.
WindowsImpersonationContext context = spUserIdentity.Impersonate();
try {
MyLegacyData data = ExecuteLegacyLogic();
using (SPSite site = new SPSite(mySiteId))
{
using (SPWeb web = site.OpenWeb(myWeb)
{
AddLegacyDataResults( web, data );
}
}
}
finally
{
context.Undo();
}
Notes: In the above block the SPSite object access is the same as if were performed using new SPSite(mySiteId, spUser.UserToken).
Restrictions: Never run this code block inside a SPSecurity.RunWithElevatedPrivileges delegate. This appears to be unsupported by SharePoint. The resulting SPSite and SPWeb objects will be unusable. In this condition, a StackOverflowExcetion will be thrown if you attempt to access an SPUser in the SPWeb.Users collection and will bring down the entire process.
Outside of the above restriction, the code appears to work as expected.
No comments:
Post a Comment