1

I have a WinForms app in C# that needs access control for certain forms. That means the application is running under the same (default) user at system startup, but certain forms need to be secured, so that only certain Windows users can have access to the additional functions after identifying themselves with username and password. For that step Windows authentication should be used.

Now the tricky part. Although the application was started under a "normal" user, I would like the superusers to "log in" to the special form without restarting the entire application.

My question now is: is this possible (i.e. create one thread with the credentials of an administrator), or do I need to set up another AppDomain for that?

Please give me a hint whether the user of a running application could be changed somehow.

Thank you.

EDIT

I replaced administrators by "certain users" since the privileged user could be just another ordinary user that is granted access to the special functionality by the configuration of the installation.

schoetbi

3 Answers

1

You have to put those forms or functionality which require elevated permissions into a new AppDomain which is started with elevated permissions. You can create the domain once, when required, and keep it around. Into this new AppDomain, you will load the necessary code modules which will contain the processes you need to run. You'll have to pass any necessary state or configuration across the AppDomain boundary since it's essentially a different process within your current process. The nice thing is that you can keep the AppDomain around after a while. It's not like a thread that runs and goes away when it's done, so you can use it on-demand later for additional tasks. The magic is in how you pass the credentials or evidence to the new AppDomain (or process).

Eric Falsken
  • As far as communication, doesn't the AppDomain communicate with the host process already through remoting? Or at least this was the case with .net 2.0. The question is, what ways are available to pass some data in..? – dexter Jan 12 '11 at 19:59
  • True. It's all in the same process, but is isolated from the parent AppDomain. So the same limitations on passing data across different processes apply to passing data between AppDomains. Luckily there are more choices now: .NET 3.5 added named pipes and 4.0 now supports memory-mapped files. – Eric Falsken Feb 01 '11 at 18:38
  • A typical scenario is like the Windows Task Manager (under Vista) when you click "show all tasks" it actually restarts itself in a new process using the Administrator-ish credentials/evidence, then terminates the non-administrator application. – Eric Falsken Feb 01 '11 at 18:40
0

Just to make sure, you essentially want to elevate your process to Administrator rights only when actions that require said rights are performed?

If that's the case, it seems like it's not possible. See here.

One way of doing what you want is to use console arguments in your main assembly for each action you need to do. For example, for changing a system setting, you could Process.Start your main assembly with the argument "-change {...}", and have that run under Administrator rights, while keeping your currently running process under the current user's privileges.

Community
0

I just found an article about "impersonation". At the moment I have not tested it but according to this article it should work that a method call can be executed under another user. Maybe this is of some help to someone.

schoetbi
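
The impersonation approach mentioned in the last answer, as an added example that is not part of the original thread: it validates the entered credentials with the Win32 `LogonUser` call, checks group membership, and runs one action under that user with `WindowsIdentity.RunImpersonated`. The `FormAccess` class, the `TryRunAs` method, the `requiredGroup` parameter and the choice of an interactive logon are assumptions, and .NET Framework 4.6 or later is assumed.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

static class FormAccess   // hypothetical helper, not from the thread
{
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_LOGON_FAILURE = 1326;   // unknown user or bad password

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // Returns false when the credentials are rejected or the user is not a
    // member of requiredGroup (assumed to come from the installation's
    // configuration, e.g. @"MYDOMAIN\SpecialFormUsers"). Otherwise runs
    // protectedAction on the calling thread under that user's identity.
    public static bool TryRunAs(string domain, string user, string password,
                                string requiredGroup, Action protectedAction)
    {
        SafeAccessTokenHandle token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            int error = Marshal.GetLastWin32Error();
            if (error == ERROR_LOGON_FAILURE)
                return false;                   // wrong credentials: deny
            throw new Win32Exception(error);    // anything else is unexpected
        }

        using (token)
        using (var identity = new WindowsIdentity(token.DangerousGetHandle()))
        {
            // Authorization is decided here, before any protected code runs.
            if (!new WindowsPrincipal(identity).IsInRole(requiredGroup))
                return false;

            // Only this call runs as the authenticated user; the thread
            // reverts to the application's original identity afterwards.
            WindowsIdentity.RunImpersonated(token, protectedAction);
            return true;
        }
    }
}
```

Impersonation changes the identity used for operating-system access checks on the calling thread only; the process itself keeps running under the user that started it. Do not keep the password after the call returns.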