We are migrating an ASP app to ASP.Net, but not all at one time as my business customers within the company won't pay for that kind of time all at once. So we are migrating piece-by-piece as we develop new functions within the app. Our plan is to develop all new pages using .Net, and convert classic ASP pages as we have to touch them due to new development. To get the remaining pages converted, we are just going to squeeze them in as often as possible along with the new development, mostly on a one or two at a time basis. So probably for the next 6-12 months the ASP and ASP.Net applications will coexist and appear to the users to be one application.
Right now, we have done what we considered the basic conversion necessary to implement our plan:
- Convert the login process to .Net. We are using Forms authentication since users are checked from our own database. We may migrate this to LDAP sometime in the future. My company uses Novell Netware for network login and GroupWise for email. I would love to hear from anyone who has a web app that can create appointments in GroupWise!!
- Move frequently used Session variables to cookies. Luckily, we were not using lots of Session variables in the classic ASP. We encrypt all the data written to the cookies so spoofing is harder. We are currently not a web farm, but that is also in our future so the Session variables need to go anyway.
- Create a common time-out scheme between the applications using a cookie. The ASP app times out after 35 minutes of inactivity for what the HR folks call “security”, as the app contains lots of personal information about both employees and non-employees.
- Convert common functions to .Net (like checking user roles, encryption, database access, search engine, etc.)
- Convert ASP includes for page structure into .ascx files.
Of course, none of this has gone into production yet (sigh...). It is on the test server and hopefully will roll out by the end of the month.
I figure this first post can be an “About Me” to let readers know what to expect here.
I have been developing application sites with ASP since 1998 or so, mostly straight ASP, but some COM objects. I am currently part of a small team (2 of us) that develops an in-house application for my employer (MSX International in the Detroit area). It is an ASP app that is used internally. We are currently finishing up a small job board that will be part of the external web site and the job board part is 100% ASP.Net. We are about 6 months into the project, which is yet to be released, due to political problems within the company and also some feature creep.
At the same time, we are slowly converting the internal app that I work on from ASP to ASP.Net. We encountered some stumbling blocks along the way, but impressively all the answers were found within the .Net framework.
The main thread of this blog is to describe the stumbling blocks and how we overcome them.
All right, now that I have done a bunch of talking, how about some code? I stumbled across this recently while poring through MSDN. The code lets you impersonate any other user, provided you know the credentials. In our case we needed to become the IIS user so we could access files on a remote file server. In our situation, there are multiple web applications within our domain, so the network admin has set up the IIS sites to all use a common domain-wide anonymous user, so it is easier for him to manage permissions. As we are the first .Net project, the ASPNet user has no rights whatsoever on the network. We talked with the admin and he was not interested in giving the ASPNet users from a bunch of different web servers rights to other network resources. We looked at changing the ASPNet user credentials in Machine.config, but this broke debugging locally immediately. So I looked into impersonation and found out how to impersonate the IIS user in code:
Imports System
Imports System.Security.Principal
Imports System.Web

Function impersonateAnonymous() As WindowsImpersonationContext
    'Grab the current Http context
    Dim context As HttpContext = HttpContext.Current
    'Treat the context as a service provider (HttpContext implements IServiceProvider)
    Dim serviceProvider As IServiceProvider = CType(context, IServiceProvider)
    'Create a Type object which represents HttpWorkerRequest
    Dim httpWorkerRequestType As Type = GetType(HttpWorkerRequest)
    'Get the HttpWorkerRequest service from the service provider
    Dim workerRequest As HttpWorkerRequest = _
        CType(serviceProvider.GetService(httpWorkerRequestType), HttpWorkerRequest)
    'Get the token passed by IIS from the workerRequest service
    Dim ptrUserToken As IntPtr = workerRequest.GetUserToken()
    'Create a Windows Identity from the token
    Dim winIdentity As New WindowsIdentity(ptrUserToken)
    'Start impersonating the IIS identity and send back the context needed to undo it
    Return winIdentity.Impersonate()
End Function
To use the function, simply call it like so before the code that needs proper permissions:
Dim impContext As WindowsImpersonationContext = impersonateAnonymous()
Now the subsequent lines of code operate in the context of the user assigned to IIS. And then when you are done impersonating:
impContext.Undo()
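If the code between the impersonate call and `Undo()` throws, the request thread keeps the impersonated identity. The block below is an added example, not code from the original post or from MSDN: it scopes the impersonation with Try/Finally. It assumes .NET Framework 3.5 or later; `RunAs`, `CurrentName` and `FailingRead` are hypothetical names, and the current process identity stands in for the IIS token so it runs as a console program.

```vbnet
Imports System
Imports System.IO
Imports System.Security.Principal

Module ImpersonationScope

    ' Hypothetical helper: runs work() under the given identity and always
    ' reverts, even when work() throws.
    Function RunAs(Of T)(ByVal identity As WindowsIdentity, ByVal work As Func(Of T)) As T
        Dim impContext As WindowsImpersonationContext = Nothing
        Try
            impContext = identity.Impersonate()
            Return work()
        Finally
            ' Revert before the thread is reused for another request.
            If impContext IsNot Nothing Then impContext.Undo()
        End Try
    End Function

    ' Name of the identity the calling thread is running as right now.
    Function CurrentName() As String
        Using id As WindowsIdentity = WindowsIdentity.GetCurrent()
            Return id.Name
        End Using
    End Function

    ' Constructed stand-in for a remote file read that fails part-way.
    Function FailingRead() As String
        Throw New IOException("constructed failure on the remote share")
    End Function

    Sub Main()
        Dim before As String = CurrentName()
        ' Assumption: in the post's scenario this identity would be the one
        ' built from workerRequest.GetUserToken().
        Using identity As WindowsIdentity = WindowsIdentity.GetCurrent()
            Try
                RunAs(Of String)(identity, AddressOf FailingRead)
            Catch ex As IOException
                Console.WriteLine("work failed: " & ex.Message)
            End Try
        End Using
        ' The Finally block has already run, so the thread identity is back.
        Console.WriteLine("identity restored: " & (CurrentName() = before).ToString())
    End Sub
End Module
```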
I based this function on some C# code I found in a Patterns & Practices document on MSDN: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/thcmch10.asp