1

Topic: ASP.NET Core does not implement impersonation

Please enlighten me: does ASP.NET Core really no longer support impersonation?
And must all programs that connect through the pool now use one shared login (the service pool login) to connect to the DB?
Link

2

Re: ASP.NET Core does not implement impersonation

Idol_111,
It is possible to enable impersonation, but ASP.NET Core strongly recommends against doing so. And if it is enabled, connections should be closed as quickly as possible when using impersonated requests.
Impersonation based on the process being rigidly tied to the IIS pipeline has been removed. That is, it has been reduced to "not present". As in "absolutely".
It is assured that the personalized requests it is possible completely  in any business logic, any application.

3

Re: ASP.NET Core does not implement impersonation

Idol_111 wrote:

Please enlighten me: does ASP.NET Core really no longer support impersonation?
And must all programs that connect through the pool now use one shared login (the service pool login) to connect to the DB?
Link

At the web application should be unique  for campaigns in a DB, i.e. login/password. Impersonation is needed for applications that run on the user's side and connect to a DB directly. For an application server it makes no sense, and dragging desktop methods of working with a DB over there is a real rake to step on. Like as  should understand it.

4

Re: ASP.NET Core does not implement impersonation

Calabonga;
Thanks for the answer.
You are right if it is a question of one application, but if it is an API used by several applications, removing the ability to control access rights at the database level is not just silly, it is also dangerous.

5

Re: ASP.NET Core does not implement impersonation

hVostt wrote:

skipped...
At the web application should be unique  for campaigns in a DB, i.e. login/password. Impersonation is needed for applications that run on the user's side and connect to a DB directly. For an application server it makes no sense, and dragging desktop methods of working with a DB over there is a real rake to step on. Like as  should understand it.

Here I did not understand you at all. See my first answer. Do you consider that giving up on security at level  is stepping on a rake?

6

Re: ASP.NET Core does not implement impersonation

Idol_111 wrote:

Calabonga;
Thanks for the answer.
You are right if it is a question of one application, but if it is an API used by several applications, removing the ability to control access rights at the database level is not just silly, it is also dangerous.

Access rights application as it is on the server, instead of on  the user controls, it is absolutely normal practice, and it is safe. To say that it is silly is to criticize 99% of information systems.

7

Re: ASP.NET Core does not implement impersonation

Idol_111 wrote:

Here I did not understand you at all. See my first answer. Do you consider that giving up on security at level  is stepping on a rake?

I do not see any security problems. Users have no access to the DB, so it is not necessary  each user separately: first, that really is silly; second, it is very inflexible; third, if  is busy distributing permissions to each user in the DB, then quite certainly  is busy with the wrong thing.

8

Re: ASP.NET Core does not implement impersonation

hVostt wrote:

skipped...
Access rights application as it is on the server, instead of on  the user controls, it is absolutely normal practice, and it is safe. To say that it is silly is to criticize 99% of information systems.

I know the reality all too well, and 99% is not an argument.
Let's imagine that one application should read data from a table, and another must not under any circumstances (i.e. deny), and here that can no longer be done.
Not to mention if access needs to be implemented on columns or rows, which is easily done at level . I would like to see how that is implemented at the application level.

9

Re: ASP.NET Core does not implement impersonation

hVostt wrote:

skipped...
I do not see any security problems. Users have no access to the DB, so it is not necessary  each user separately: first, that really is silly; second, it is very inflexible; third, if  is busy distributing permissions to each user in the DB, then quite certainly  is busy with the wrong thing.

from access to application, instead of users. And normally becomes once.

10

Re: ASP.NET Core does not implement impersonation

Idol_111 wrote:

I know the reality all too well, and 99% is not an argument.
Let's imagine that one application should read data from a table, and another must not under any circumstances (i.e. deny), and here that can no longer be done.
Not to mention if access needs to be implemented on columns or rows, which is easily done at level . I would like to see how that is implemented at the application level.

If client applications have no access to the DB but do have access to the API, what does access at level  have to do with it?
https://docs.microsoft.com/ru-ru/aspnet … etcore-2.1
Here , the application server implements data access)))

11

Re: ASP.NET Core does not implement impersonation

hVostt wrote:

skipped...
If client applications have no access to the DB but do have access to the API, what does access at level  have to do with it?
https://docs.microsoft.com/ru-ru/aspnet … etcore-2.1
Here , the application server implements data access)))

It seems we are going in circles.
And in your example I do not see how partial access (columns/rows) is implemented through application roles.
Perhaps I can summarize, and you correct me if I am wrong:
1) Everyone does it this way because MelkoSoft "said so". I.e. it is real  for today.
2) Access control to the data is moved far away from the data source, from the DB level to the API level. (Which logically reduces security: "the further away, the worse it is to supervise".) Probably in some cases it is justified. Perhaps it makes something easier (though I find that hard to imagine).
3)  access now those who  API (system administrators or developers, depends on office)
Thanks

12

Re: ASP.NET Core does not implement impersonation

I can be somewhere , therefore I will ask again.
If you want Windows authentication of the application in a DBMS and here Core is , instead of Windows.
If the rights need to be separated per application, why not use server authentication (without AD), log in from the different applications under different logins, and assign rights to those logins?

13

Re: ASP.NET Core does not implement impersonation

Idol_111 wrote:

but if it API

More detail here, please.
What kind of API to a DBMS is that?
There is  a client the server and .

14

Re: ASP.NET Core does not implement impersonation

Shocker. Pro wrote:

I can be somewhere , therefore I will ask again.
If you want Windows authentication of the application in a DBMS and here Core is , instead of Windows.
If the rights need to be separated per application, why not use server authentication (without AD), log in from the different applications under different logins, and assign rights to those logins?

Good question, right on point, only it is not for me but for our developers. They apparently also decided: everyone does it, so we will too.
Honestly, I have no idea why. I was simply presented with a fait accompli. And now I have to live with it somehow.
It is like this in many offices: first the developers , and then they consult. And by then they are too lazy to rewrite.

15

Re: ASP.NET Core does not implement impersonation

Idol_111 wrote:

not to me, and to our developers

well  call them.
It is for you to decide there whether to rewrite or not.
In  access through the depersonalized public user (site).

16

Re: ASP.NET Core does not implement impersonation

Idol_111 wrote:

It seems we are going in circles.
And in your example I do not see how partial access (columns/rows) is implemented through application roles.

Probably because you are not a developer, it is difficult for you to understand how such things can be done at the application level: how, depending on the role, group and other security attributes of the user, to allow access to individual APIs, to selection conditions, and to data attributes when building queries and performing modifying operations.

Idol_111 wrote:

1) Everyone does it this way because MelkoSoft "said so". I.e. it is real  for today.

This has nothing to do with MS at all. User security management for application servers has long been carried out at the application level. It was already so 10 years ago, and for  and other systems.
Managing user rights through the DB console is a huge security hole; it is very difficult to maintain, control and supervise. Above all, it is inflexible.
The only case where it can really be appropriate is when there are client applications that go to the DB directly. There are no other options there except  security on grants and through layer .
But even in the case of client applications, people build an API and adequate security at the application level on the basis of various mechanisms (role-based, claim-based, etc.).
The point here is not at all in , it is a question of practicality and the ability to solve complex tasks.

Idol_111 wrote:

2) Access control to the data is moved far away from the data source, from the DB level to the API level. (Which logically reduces security: "the further away, the worse it is to supervise".) Probably in some cases it is justified. Perhaps it makes something easier (though I find that hard to imagine).

Quite the opposite: the data source and the means of performing operations for clients is the API, so security should be handled there. What security problems do you see? I do not see any, and I am not the only one.
User access management should also be hidden behind the same security layer. For example,  roles distribute the rights  within the limits of their powers. How are you going to solve that at the DB level?
User access management is also carried out through the application (); how will you solve that at the DB level?
Delegation of powers: how do you solve that at the DB level?
Etc., etc.; one could go on for a very long time.

Idol_111 wrote:

3)  access now those who  API (system administrators or developers, depends on office)

Naturally. I can hardly imagine a situation where a department head asks to manage the rights of his subordinates within the limits of his powers and is told that it is technically impossible, because it is done through the DB console, and that requires qualification.
Qualification so that I can tick a box for whether Vasya may edit documents? Are you kidding?

17

Re: ASP.NET Core does not implement impersonation

Petro123 wrote:

skipped...
More detail here, please.
What kind of API to a DBMS is that?
There is  a client the server and .

And what difference does it make in this case?
One or  DBs -> API (for access to these databases) -> many applications.

18

Re: ASP.NET Core does not implement impersonation

hVostt;
Well, I would not write me off as a pure administrator :), I managed on Fortran .
1) 2) 3) You are obviously confusing  for the end user and for the program. Everything you described is for the end user, and without doubt it should be done at the program level, no question about it.
Once again I will describe what bothers me as :
Several programs call the API and then, depersonalized under ONE login, go into the DB. That is fundamentally not good (simple examples were given above).
And as for solving performance problems, you can just turn out the lights. To find out which program brought down the server, you now have to dig long and tediously through the logs not only of the DB but also of the API. Super!

19

Re: ASP.NET Core does not implement impersonation

Idol_111 wrote:

And what difference does it make in this case?
One or  DBs -> API (for access to these databases) -> many applications.

.
What difference does it make which doctor, the gynecologist or the surgeon? All the same).

20

Re: ASP.NET Core does not implement impersonation

Idol_111 wrote:

Well, I would not write me off as a pure administrator :), I managed on Fortran .

Does the firm have an intranet and a web application on the internal network?

21

Re: ASP.NET Core does not implement impersonation

Petro123;
Yes

22

Re: ASP.NET Core does not implement impersonation

Idol_111 wrote:

Petro123;
Yes

here also tell that for  there walks in  through a pool of connections.

23

Re: ASP.NET Core does not implement impersonation

Idol_111 wrote:

skipped...
Good question, right on point, only it is not for me but for our developers. They apparently also decided: everyone does it, so we will too.
Honestly, I have no idea why. I was simply presented with a fait accompli. And now I have to live with it somehow.
It is like this in many offices: first the developers , and then they consult. And by then they are too lazy to rewrite.

And what is there to rewrite? What is so hard about changing the connection string from Windows authentication to DBMS authentication?
Your arguments as a DBA are clear to me, but as the DBA you can lay down a condition for the developer: "This program of yours must connect to the DB under such-and-such login and password. Period." The wolves are fed and the data is intact.
I repeat, it is only a question of the connection string. Or are there some other hidden stones that you are not mentioning, for example administrators who impose AD?
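
Added example (not part of the post above or of any participant's code): a T-SQL sketch of what separate SQL logins per calling program allow at the database level, covering the table-, column- and row-level cases raised earlier in the thread. The database, table, column and login names are constructed, and the passwords are placeholders.

```sql
-- Constructed example: SalesDb, dbo.Orders, dbo.Customers and both logins are hypothetical.
-- Run as an administrator in SSMS or sqlcmd (GO separates batches).
USE master;
GO
-- One SQL login per calling program instead of one shared pool login.
CREATE LOGIN app_billing   WITH PASSWORD = N'<placeholder-1>';
CREATE LOGIN app_reporting WITH PASSWORD = N'<placeholder-2>';
GO
USE SalesDb;
GO
CREATE USER app_billing   FOR LOGIN app_billing;
CREATE USER app_reporting FOR LOGIN app_reporting;
GO
-- Table level: billing reads and writes orders.
GRANT SELECT, INSERT, UPDATE ON dbo.Orders TO app_billing;
-- Column level: reporting may read only these columns of the same table.
GRANT SELECT ON dbo.Orders (OrderId, Region, Total) TO app_reporting;
-- An explicit DENY overrides a grant the user might later inherit through a role.
DENY SELECT ON dbo.Customers TO app_reporting;
GO
-- Row level (SQL Server 2016 and later): a filter predicate keyed on the database user.
CREATE SCHEMA sec;
GO
CREATE FUNCTION sec.fn_orders_filter (@Region nvarchar(10))
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
    SELECT 1 AS allowed
    WHERE USER_NAME() = N'app_billing'
       OR (USER_NAME() = N'app_reporting' AND @Region = N'EU');
    -- Any other principal, dbo included, matches neither branch and is filtered out.
GO
CREATE SECURITY POLICY sec.OrdersPolicy
    ADD FILTER PREDICATE sec.fn_orders_filter(Region) ON dbo.Orders
    WITH (STATE = ON);
GO
-- Inspect the effective rights as app_reporting without needing its password.
EXECUTE AS USER = N'app_reporting';
SELECT HAS_PERMS_BY_NAME(N'dbo.Customers', N'OBJECT', N'SELECT') AS can_read_customers;
SELECT OrderId, Region, Total FROM dbo.Orders;
REVERT;
```

With one login per program, the server's own session and audit data also show which program issued a given query, which a single shared login cannot provide.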

24

Re: ASP.NET Core does not implement impersonation

Idol_111 wrote:

Once again I will describe what bothers me as :
Several programs call the API and then, depersonalized under ONE login, go into the DB. That is fundamentally not good (simple examples were given above).
And as for solving performance problems, you can just turn out the lights. To find out which program brought down the server, you now have to dig long and tediously through the logs not only of the DB but also of the API. Super!

here I address to delivery service that they gave me addresses where it is possible also the price. On yours they to me that do the connection?
The tail correctly tells all to you.
Problems with performance - as it dares at the expense of different ?
If the program dropped a site for this purpose is for example  or  if in file broad gulls  to search that collects as much as possible all and to give in a convenient type.
If your programs climb through one general  that cancelled nobody their authorization and implementation of the rights to understand who and whence that made and that can  make. To shift  on level  to  it there is no good practice in a web, for  I still would understand on a basis  AD.

25

Re: ASP.NET Core does not implement impersonation

Shocker. Pro;
You, it seems, did not quite catch the essence of the problem.
Windows authentication (in your terms, through AD) is better than a SQL login for many reasons (including security).
And each program has an AD account that is used to connect to the API.
What does not suit me as  is that the API then connects to the DB under one shared login.