在访问一个ASP.NET的站点时, 发现页面报出如下图的错误:

看情形是web.config有问题, 于是就打开IIS下的站点根目录(Home Directory)下的web.config文件照着提示修改. 改后发现竟然没有任何效果.

再仔细看看发现问题了, Server Error in '/_layouts' Application, 而不是平时见到的Server Error in '/' Application哦. 其实应该修改的是_layouts虚拟目录(Virtual Directory)下的web.config.

采用问答式, 快餐式获取要点.

如何查看当前线程正在什么用户权限上运行?

====================================

string currentUser = System.Security.Principal.WindowsIdentity.GetCurrent().Name;

如何在ASP.NET应用程序中, 使用过了IIS验证的用户的权限来执行每一次请求?

====================================

在web.config文件中, 做如下修改:

<identity impersonate="true" />

如何在ASP.NET应用程序中指定一个用户, 然后让所有的请求都按照这个用户的权限来执行?

====================================

在web.config文件中, 做如下修改:

<identity impersonate="true" userName="accountname" password="password" />

如何在代码中进行impersonate?

====================================

System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext =
    ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();

//Insert your code that runs under the security context of the authenticating user here.

impersonationContext.Undo();

一个具体的例子, 可以用在aspx中, 当然了用在cs中可以的.

public const int LOGON32_LOGON_INTERACTIVE = 2;
public const int LOGON32_PROVIDER_DEFAULT = 0;

WindowsImpersonationContext impersonationContext;

[DllImport("advapi32.dll")]
public static extern int LogonUserA(String lpszUserName,
    String lpszDomain,
    String lpszPassword,
    int dwLogonType,
    int dwLogonProvider,
    ref IntPtr phToken);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern int DuplicateToken(IntPtr hToken,
    int impersonationLevel,
    ref IntPtr hNewToken);

[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern bool RevertToSelf();

[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public static extern bool CloseHandle(IntPtr handle);

public void Page_Load(Object s, EventArgs e)
{
    if (impersonateValidUser("username", "domain", "password"))
    {
        //Insert your code that runs under the security context of a specific user here.
        undoImpersonation();
    }
    else
    {
        //Your impersonation failed. Therefore, include a fail-safe mechanism here.
    }
}

private bool impersonateValidUser(String userName, String domain, String password)
{
    WindowsIdentity tempWindowsIdentity;
    IntPtr token = IntPtr.Zero;
    IntPtr tokenDuplicate = IntPtr.Zero;

    if (RevertToSelf())
    {
        if (LogonUserA(userName, domain, password, LOGON32_LOGON_INTERACTIVE,
            LOGON32_PROVIDER_DEFAULT, ref token) != 0)
        {
            if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
            {
                tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
                impersonationContext = tempWindowsIdentity.Impersonate();
                if (impersonationContext != null)
                {
                    CloseHandle(token);
                    CloseHandle(tokenDuplicate);
                    return true;
                }
            }
        }
    }
    if (token != IntPtr.Zero)
        CloseHandle(token);
    if (tokenDuplicate != IntPtr.Zero)
        CloseHandle(tokenDuplicate);
    return false;
}

private void undoImpersonation()
{
    impersonationContext.Undo();
}

资料来源:

How to implement impersonation in an ASP.NET application

http://support.microsoft.com/kb/306158

方法: SPSecurity.RunWithElevatedPrivileges

命名空间: Microsoft.SharePoint
程序集: Microsoft.SharePoint (in microsoft.sharepoint.dll)

使用方法:

SPSecurity.RunWithElevatedPrivileges(delegate()
{
    using (SPSite site = new SPSite(web.Site.ID))
    {
        // implementation details omitted
    }
});

注意:

你必须在delegate的内部创建新的SPSite对象, 因为外面创建的SPSite对象即使你在delegate内部引用, 它还是没有完全控制的权限的. 使用using关键字来保证SPSite对象在delegate内部被析构掉.

另外, 该方法的行为是将当前账户提升为IIS的application pool的账户, 即web应用程序的管理员账户, 从而获得完全控制权限的.

原文出处有更详细的例子.

补充

=======

这个方法与ASP.NET的impersonate有什么不同呢?

嗯, 后者要么要动web.config, 要么就需要在代码中hard code下来你要使用的用户名和密码. 相对于SharePoint Object Model提供的这个方法来说, 缺点还是比较明显的. 所以在SharePoint中, 要用还是用OM的吧.

摘自:

http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spsecurity.runwithelevatedprivileges.aspx

This page is specific to The 2007 product release

这篇文章将的很好, 列在这里备忘.

Troubleshooting common permissions and security-related issues in ASP.NET

http://support.microsoft.com/kb/910449

排查分析问题时经常需要用到这样白痴级页面, 呵呵. 以后如有需要, 再逐步改进.

最简单的HTML

===============

代码段

<html>
<body bgcolor="yellow">
    <center>
        <h2>
            Hello W3Schools!</h2>
    </center>
</body>
</html>

最简单的ASPX

===============

代码段

<%@ Page Language="VB" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<script runat="server">
    Sub Page_Load()
        link1.HRef = "http://www.w3schools.com"
    End Sub
</script>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body bgcolor="yellow">
    <form id="form1" runat="server">
    <div>
        <center>
            <h2>Hello W3Schools!</h2>
            <p><%Response.Write(now())%></p>
            <a id="link1" runat="server">Visit W3Schools!</a>
        </center>
    </div>
    </form>
</body>
</html>

最简单的ASP

===============

处于完整性考虑, 也列在这里, 以防万一有需要.

<html>
<body bgcolor="yellow">
    <center>
        <h2>
            Hello W3Schools!</h2>
        <p>
            <%Response.Write(Now())%></p>
    </center>
</body>
</html>

附: ASP相对于ASPX的局限性是: 代码必须放置在你想要你的代码产生输出的地方. 所以, 经典的ASP不可能把可执行代码从HTML中抽取出来. 这使得代码非常难以阅读, 难以维护.

资料来源:

http://www.w3schools.com/aspnet/aspnet_controls.asp

SharePoint Portal Header

==========================

Extreme SharePoint Design: Dynamic Style Sheets

http://sharingpoint.blogspot.com/2006/02/extreme-sharepoint-design-dynamic.html

说明: 该文给出了一个为SharePoint写的portal header.

SharePoint dynamic link libraries

===========================

admin.dll

Administrative operations such as creating and deleting subwebs, and managing users through the FrontPage permissions dialog box.

Path: http://www.server.com/subweb/_vti_bin/_vti_adm/admin.dll

author.dll

Authoring operations, such as uploading files, applying themes, renaming and deleting documents, and so forth.

Path: http://www.server.com/subweb/_vti_bin/_vti_aut/author.dll

owssvr.dll

SharePoint Team Services functionality, such as list creation, deletion, and authoring, as well as the HTML page-rendering system.

Path: http://www.server.com/subweb/_vti_bin/owssvr.dll

shtml.dll

Perform the FrontPage Server Extensions browse-time functionality, such as saving the results of HTML form submissions to a document in the user's team Web site.

Path: http://www.server.com/subweb/_vti_bin/shtml.dll/_vti_rpc

Windows SharePoint Services RPC Protocol

==========================

URL Protocol

http://msdn.microsoft.com/en-us/library/ms478653.aspx

该文列出了可以通过Http Get请求执行的RPC methods. 即, CAML与RPC结合起来, 对WFE服务器发出请求, 去执行那些不修改数据库内容的RPC协议的方法.

Windows SharePoint Services RPC Methods

http://msdn.microsoft.com/en-us/library/ms480784.aspx 

该文列出了所有的WSS的RPC方法.

[WSS]Use RPC protocol to access WSS v3 site

http://blogs.msdn.com/stcheng/archive/2008/12/17/wss-use-rpc-protocol-to-access-wss-v3-site.aspx

该博文较详细地讲解了WSS RPC的使用和一些技巧.