FxCop Custom Rule for checking impersonation with integrated security


  • Wednesday, May 09, 2012 5:43
     
     

    Hi,

    I wanted to write an FxCop custom rule which will check the following things.

    1. Do not use impersonation with integrated security to authenticate each application user to SQL Server.

    Is there any way I can achieve this through FxCop?

    Thanks and Regards

    Sharad Birajdar

    


    sharad

All replies

  • Wednesday, May 09, 2012 12:58
     
     

    Not usually, and particularly not unless you're hard-coding connection strings, which generally isn't exactly a fantastic idea.  FxCop could potentially be useful for allowing you to detect opening of connections by invoking unapproved methods (like calling SqlConnection.Open instead of your application's designated connection opener method), but first you would need to establish a design that would make this possible.

    Nicole

  • Wednesday, May 09, 2012 13:29
     
     

    Hi Nicole

    Thanks for your help.

    Do you mean to say that impersonation done through the identity element in the web.config file cannot be determined? For that matter, any settings done in web.config for my web app will never be determined through FxCop.

    Also, what about runtime impersonation done using System.Security.Principal and WindowsIdentity?

    What do you mean by "First you would need to establish a design that would make this possible"? Can you elaborate more on this part?

    Thanks again

    Sharad


    sharad

  • Wednesday, May 09, 2012 18:23
     
     Answered

    No, I mean that, even if you are impersonating in ASP.NET, you might not be impersonating when you connect to SQL Server if you are using SQL Server authentication instead of Windows authentication.

    Nicole

    • Marked as answer by Sharad Birajdar, Thursday, May 10, 2012 4:09
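The combination discussed in this thread, `<identity impersonate="true" />` in web.config together with a connection string that uses Windows authentication, can be checked on the configuration file itself rather than on the compiled assembly. The following is an added example, not code from any poster in the thread; the sample config, the function names and the simple `;` splitting of connection strings are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not taken from the thread).
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="Orders" connectionString="Data Source=db01;Initial Catalog=Orders;Integrated Security=SSPI" />
    <add name="Audit" connectionString="Server=db01;Database=Audit;User ID=app_audit;Password=CONSTRUCTED" />
  </connectionStrings>
  <system.web>
    <identity impersonate="true" />
  </system.web>
</configuration>"""

# SqlClient keywords and values that request Windows (integrated) authentication.
TRUSTED_KEYS = {"integrated security", "trusted_connection"}
TRUSTED_VALUES = {"true", "yes", "sspi"}


def uses_windows_auth(conn_str):
    """True if the connection string asks for Windows authentication.

    Assumption: values contain no quoted ';' characters.
    """
    for part in conn_str.split(";"):
        key, sep, value = part.partition("=")
        if (sep and key.strip().lower() in TRUSTED_KEYS
                and value.strip().lower() in TRUSTED_VALUES):
            return True
    return False


def impersonation_enabled(root):
    # iter() also reaches <identity> elements nested under <location>.
    return any(e.get("impersonate", "false").strip().lower() == "true"
               for e in root.iter("identity"))


def find_impersonated_sql_logins(config_xml):
    """Names of connection strings that would log in as the impersonated user."""
    root = ET.fromstring(config_xml)  # assumes no xmlns on <configuration>
    if not impersonation_enabled(root):
        return []
    return [add.get("name", "<unnamed>")
            for section in root.iter("connectionStrings")
            for add in section.iter("add")
            if uses_windows_auth(add.get("connectionString", ""))]


if __name__ == "__main__":
    for name in find_impersonated_sql_logins(SAMPLE_WEB_CONFIG):
        print("impersonation + Windows authentication:", name)
```

Runtime impersonation through `WindowsIdentity` and connection strings built in code are outside what this file check can see.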
  • Friday, May 11, 2012 4:27
     
     
    Thanks Nicole. But if there is an instance of impersonation within the code, as Sharad mentioned (using WindowsIdentity), will it be possible to check that through FxCop?

    Thanks