
I'm trying to execute a search query while impersonating a specific user.

The goal is to have a web service that receives the user login name (via querystring or request header), performs a full text query and gives back the results, respecting the security trimming.

Put differently, I need to get only the results the impersonated user is entitled to see.

My current code is:

            // Namespaces this snippet relies on (file-level using directives)
            using System.Globalization;
            using System.IO;
            using System.Reflection;
            using System.Security.Principal;
            using System.Web;
            using Microsoft.SharePoint;

            // loginName arrives from the querystring or a request header
            var spUser = SPContext.Current.Web.EnsureUser(loginName);

            // Build a stand-alone HttpContext bound to the current SPWeb
            HttpRequest request = new HttpRequest("", SPContext.Current.Web.Url, "");
            var web = SPContext.Current.Web;
            HttpContext.Current = new HttpContext(request, new HttpResponse(new StringWriter(CultureInfo.CurrentCulture)));
            HttpContext.Current.Items["HttpHandlerSPWeb"] = web;   // adds or overwrites the entry

            // Overwrite the private name field of the current Windows identity with the
            // target login. Only the reported Name changes; the Windows token behind the
            // identity is still the one of the app pool account.
            WindowsIdentity identity = WindowsIdentity.GetCurrent();
            typeof(WindowsIdentity)
                .GetField("m_name", BindingFlags.NonPublic | BindingFlags.Instance)
                .SetValue(identity, spUser.LoginName);

            HttpContext.Current.User = new GenericPrincipal(identity, new string[0]);
            WindowsImpersonationContext impersonation = identity.Impersonate();

            // execute query here

            impersonation.Undo();   // revert the thread to its original token

Basically I'm replacing the current identity before instantiating the FullTextSqlQuery, but it's the same as doing nothing: the results only change according to the real logged-in user, not the impersonated one.

Any hints here?

Thanks in advance, cheers!

  • Have you tried calling WindowsIdentity.GetCurrent(); in your code after impersonation? If so, what does it return? – Yevgeniy.Chernobrivets Dec 02 '13 at 19:56
  • Also you may want to take a look at custom security trimming http://blogs.msdn.com/b/security_trimming_in_sharepoint_2013/ – Yevgeniy.Chernobrivets Dec 02 '13 at 19:58
  • Hi, after the impersonation I get the user I want to impersonate. It is valid when inside the SPWeb object, but since I call the search service application this identity seems to revert to the logged user. – CarlosRodrigues Dec 02 '13 at 20:07
  • Could you please post code where you make call to search engine? – Yevgeniy.Chernobrivets Dec 02 '13 at 20:16
  • Hi, Right after the impersonation I execute the query like this: https://gist.github.com/myTeamWorks/7765895 Thanks – CarlosRodrigues Dec 03 '13 at 08:34
  • Could you please try another way of impersonating the user? When connecting to the site using the SPSite constructor you can pass it a user token: using(var site = new SPSite(SPContext.Current.Web.Url, spUser.UserToken)). Then pass this newly created site object to the FullTextSqlQuery constructor. – Yevgeniy.Chernobrivets Dec 03 '13 at 08:52
  • Hi. This was my first attempt, but the result is the same. The impersonation is effective inside the current SPWeb, but not when calling the search service app. – CarlosRodrigues Dec 03 '13 at 10:15
  • What does Thread.CurrentPrincipal.Identity return? – Yevgeniy.Chernobrivets Dec 03 '13 at 10:37
  • Hi, Thread.CurrentPrincipal.Identity returns the logged user, and not the impersonated one. – CarlosRodrigues Dec 03 '13 at 10:40
  • This post http://social.msdn.microsoft.com/Forums/sharepoint/en-US/9c861956-5b61-4674-90f5-bd57af7681db/sharepoint-fulltextsqlquery-security-trim?forum=sharepointdevelopmentprevious suggests that you do not have ACLs crawled. Maybe this is the case? – Yevgeniy.Chernobrivets Dec 03 '13 at 10:41
  • Also, could you please try to set the identity of the thread to the user: http://stackoverflow.com/questions/258857/set-identity-of-thread – Yevgeniy.Chernobrivets Dec 03 '13 at 10:43
  • Hi, ACL seems to be OK. For me the problem is on how to pass the impersonated context to the search service application, since it's executed on a different AppPool with a different identity. – CarlosRodrigues Dec 03 '13 at 10:44
  • I've changed the thread identity, but it has no effect on the query results. Maybe because the search service application is executed on a different AppPool (thus different thread). – CarlosRodrigues Dec 03 '13 at 10:55

1 Answer

I was able to get it to work by doing impersonation when running with elevated privileges. See my post here: http://vishalseth.com/post/2013/11/05/Impersonated-Searching-against-SharePoint.aspx

  • Hi and welcome to Stack Overflow. Please note that while your answer remains here, the link and its content might change or be removed. Please edit your code to include the relevant information from that link. – Noich Feb 19 '14 at 05:52
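
The following is an added example, not code from the question, the answer, or the linked post. It puts the answer's description (impersonate inside an elevated block) together with the user-token SPSite suggested in the comments, using the SharePoint server object model. The class name ImpersonatedSearch, the use of KeywordQuery instead of FullTextSqlQuery, the parameters and the allow-list check on the caller are assumptions made for the example:

```csharp
using System;
using System.Data;
using Microsoft.Office.Server.Search.Query;
using Microsoft.SharePoint;

// Added example (assumed structure). Runs a search as the user identified by
// loginName and returns only the results that user is allowed to see.
public static class ImpersonatedSearch
{
    // Name of a SharePoint group whose members may call the service (assumption:
    // the service is an impersonation primitive, so it must not be open to anyone).
    private const string AllowedCallerGroup = "Search Impersonation Callers";

    public static DataTable Run(string loginName, string queryText, int rowLimit = 50)
    {
        if (string.IsNullOrWhiteSpace(loginName))
            throw new ArgumentException("A login name is required.", "loginName");
        if (string.IsNullOrWhiteSpace(queryText))
            throw new ArgumentException("A query is required.", "queryText");

        // Authorize the real caller before impersonating anybody.
        SPWeb callerWeb = SPContext.Current.Web;
        if (!callerWeb.IsCurrentUserMemberOfGroup(callerWeb.Groups[AllowedCallerGroup].ID))
            throw new UnauthorizedAccessException("Caller is not allowed to search on behalf of other users.");

        string siteUrl = callerWeb.Url;
        var table = new DataTable();

        // Everything below runs with the app pool's Windows identity. That identity is
        // what the call to the Search Service Application is made with; the SPSite
        // opened with the user token carries the SharePoint user that trimming is
        // evaluated against. Reflecting into WindowsIdentity.m_name or changing
        // Thread.CurrentPrincipal affects neither of these.
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            SPUserToken token;
            using (SPSite elevatedSite = new SPSite(siteUrl))
            using (SPWeb elevatedWeb = elevatedSite.OpenWeb())
            {
                // EnsureUser resolves the login (and adds it to the site's user list if
                // it is not there yet); this needs rights an ordinary caller may lack.
                SPUser target = elevatedWeb.EnsureUser(loginName);
                token = target.UserToken;
            }

            // Open the site as the impersonated user and query through it.
            using (SPSite userSite = new SPSite(siteUrl, token))
            {
                KeywordQuery query = new KeywordQuery(userSite)
                {
                    QueryText = queryText,
                    ResultTypes = ResultType.RelevantResults,
                    RowLimit = rowLimit,
                    TrimDuplicates = true
                };

                ResultTableCollection results = query.Execute();
                if (results.Exists(ResultType.RelevantResults))
                {
                    // ResultTable implements IDataReader, so it loads straight into a DataTable.
                    ResultTable relevant = results[ResultType.RelevantResults];
                    table.Load(relevant, LoadOption.OverwriteChanges);
                }
            }
        });

        return table;
    }
}
```

On SharePoint 2013 Query.Execute() is marked obsolete; new SearchExecutor().ExecuteQuery(query) returns the same ResultTableCollection. A quick check that trimming is actually happening is to run the same query for two logins with different permissions and compare the row counts: if they match for a document only one of them can open, the item's ACL has not been crawled (the case raised in the comments) rather than the impersonation failing.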