Peter Bradley
Hi,
I'm writing a Web service (the first one I've ever written in anger, by the
way) that has to do some AD manipulation and then has to create some
directories on some remote servers. Doing the AD stuff is fine, because I
can pass in suitable credentials: however this is not the case (AFAIK) with
the folder manipulation code. Here's an example of the kind of thing I want
to do:
....
// Requires: using System.IO; using System.Security.AccessControl;
// Create a new DirectoryInfo object
DirectoryInfo dInfo = new DirectoryInfo(@"\\ourserver" +
    ProfilePathInfix +
    "ade" +
    @"\" +
    _Personal_ID.ToLower());
if (!dInfo.Exists)
{
    dInfo.Create();
}
// Get a DirectorySecurity object that represents the
// current security settings.
DirectorySecurity dSecurity = dInfo.GetAccessControl();
// Add the FileSystemAccessRule to the security settings.
dSecurity.AddAccessRule(new FileSystemAccessRule(@"OURDOMAIN\" +
    _Personal_ID, FileSystemRights.FullControl, AccessControlType.Allow));
// Set the new access settings.
dInfo.SetAccessControl(dSecurity);
....
It seems to me that I have a couple of options:
* Have the Web service run as a privileged user
* Call a remote service that runs as a privileged user
I'd be glad to get any advice anyone can give on which option would be
better.
Personally, I'm not too worried about having the Web service run as a
privileged user, because it will be running on an internal server,
inaccessible from outside and only ever called from its own local host. So
I should be able to configure it to be pretty secure.
However, on a practical level, VS2005 doesn't create the Web service on the
development box Web server. As far as I can see, you have to publish the
service first. Does that mean that if I opt for the first choice (run as
privileged user) I will not be able to debug it in VS as a privileged user?
Cheers
Peter
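
Whichever option is chosen, the code above will run under a privileged identity, so the ID concatenated into the UNC path and the account name is the input to constrain. The following is an added example, not part of the original post; the class and method names, the `baseShare` and `domain` parameters and the assumed ID format are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Text.RegularExpressions;

// Added example: hypothetical helper, not code from the original post.
public static class ProfileFolderProvisioner
{
    // Assumption: personal IDs are 1-20 letters, digits, '_' or '-'; adjust to the real format.
    private static readonly Regex IdPattern = new Regex(@"\A[A-Za-z0-9_-]{1,20}\z");

    // Returns the full path for the ID under baseShare, or throws if the ID
    // is malformed or the result would fall outside baseShare.
    public static string ResolveProfilePath(string baseShare, string personalId)
    {
        if (personalId == null || !IdPattern.IsMatch(personalId))
            throw new ArgumentException("Personal ID has an unexpected format.", "personalId");

        string root = Path.GetFullPath(baseShare).TrimEnd('\\') + "\\";
        string full = Path.GetFullPath(Path.Combine(root, personalId.ToLowerInvariant()));

        // Defence in depth: the normalised path must still sit under the share.
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("Resolved path is outside the profile share.", "personalId");
        return full;
    }

    public static void CreateProfileFolder(string baseShare, string domain, string personalId)
    {
        DirectoryInfo dInfo = new DirectoryInfo(ResolveProfilePath(baseShare, personalId));
        if (!dInfo.Exists)
            dInfo.Create();

        DirectorySecurity dSecurity = dInfo.GetAccessControl();
        // Modify instead of FullControl (a choice made for this example): the user
        // can read, write and delete but cannot change the ACL or take ownership.
        dSecurity.AddAccessRule(new FileSystemAccessRule(
            domain + "\\" + personalId,
            FileSystemRights.Modify,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AccessControlType.Allow));
        dInfo.SetAccessControl(dSecurity);
    }
}
```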