快取存取檢查
當應用程式呼叫 AuthzAccessCheck 函式來執行存取檢查時,可以快取該存取檢查的結果。 當AuthzAccessCheck函式的pAuthzHandle參數不是Null時,函式會執行個別的存取檢查,並要求ACCESS_MASK MAXIMUM_ALLOWED,並快取該檢查的結果。 然後,該檢查結果的控制碼可以當做 AuthzHandle 參數傳遞至 AuthzCachedAccessCheck 函式。 這可加快特定用戶端和安全性 描述元的存取檢查速度。
只能快取存取檢查的靜態部分。 每個存取檢查都必須評估包含PRINCIPAL_SELF SID 的回呼存取控制專案 (ACE) 或 ACE。
當搭配邏輯運算子使用時,屬性變數的格式必須是運算式;否則,系統會將其評估為未知。
範例
下列範例會根據先前存取檢查的快取結果檢查來檢查存取權。 先前的存取檢查是在 使用 Authz API 檢查存取的範例中執行。
BOOL CheckCachedAccess(AUTHZ_CLIENT_CONTEXT_HANDLE hClientContext)
{
#define MY_MAX 4096
PSECURITY_DESCRIPTOR pSecurityDescriptor = NULL;
ULONG cbSecurityDescriptorSize = 0;
AUTHZ_ACCESS_REQUEST Request;
CHAR ReplyBuffer[MY_MAX];
CHAR CachedReplyBuffer[MY_MAX];
PAUTHZ_ACCESS_REPLY pReply = (PAUTHZ_ACCESS_REPLY)ReplyBuffer;
PAUTHZ_ACCESS_REPLY pCachedReply = (PAUTHZ_ACCESS_REPLY)CachedReplyBuffer;
DWORD AuthzError =0;
AUTHZ_ACCESS_CHECK_RESULTS_HANDLE hCached;
//Allocate memory for the access request structure.
RtlZeroMemory(&Request, sizeof(AUTHZ_ACCESS_REQUEST));
//Set up the access request structure.
Request.DesiredAccess = READ_CONTROL;
//Allocate memory for the initial access reply structure.
RtlZeroMemory(ReplyBuffer, MY_MAX);
//Set up the access reply structure.
pReply->ResultListLength = 1;
pReply->Error = (PDWORD) ((PCHAR) pReply + sizeof(AUTHZ_ACCESS_REPLY));
pReply->GrantedAccessMask = (PACCESS_MASK) (pReply->Error + pReply->ResultListLength);
pReply->SaclEvaluationResults = NULL;
//Allocate memory for the cached access reply structure.
RtlZeroMemory(ReplyBuffer, MY_MAX);
//Set up the cached access reply structure.
pCachedReply->ResultListLength = 1;
pCachedReply->Error = (PDWORD) ((PCHAR) pCachedReply + sizeof(AUTHZ_ACCESS_REPLY));
pCachedReply->GrantedAccessMask = (PACCESS_MASK) (pCachedReply->Error + pCachedReply->ResultListLength);
pCachedReply->SaclEvaluationResults = NULL;
//Create security descriptor.
if(!ConvertStringSecurityDescriptorToSecurityDescriptor(
L"O:LAG:BAD:(A;;RC;;;BA)",
SDDL_REVISION_1,
&pSecurityDescriptor,
NULL))
{
printf_s("ConvertStringSecurityDescriptorToSecurityDescriptor failed with %d\n", GetLastError());
return FALSE;
}
//Call AuthzAccessCheck and cache results.
if(!AuthzAccessCheck(
0,
hClientContext,
&Request,
NULL,
pSecurityDescriptor,
NULL,
0,
pReply,
&hCached))
{
printf_s("AuthzAccessCheck failed with %d\n", GetLastError());
LocalFree(pSecurityDescriptor);
return FALSE;
}
//Call AuthzCachedAccessCheck with the cached result from the previous call.
if(!AuthzCachedAccessCheck(
0,
hCached,
&Request,
NULL,
pCachedReply))
{
printf_s("AuthzCachedAccessCheck failed with %d\n", GetLastError());
LocalFree(pSecurityDescriptor);
AuthzFreeHandle(hCached);
return FALSE;
}
//Print results.
if(*pCachedReply->GrantedAccessMask & READ_CONTROL)
{
printf_s("Access granted.\n");
}
else
{
printf_s("Access denied.\n");
}
LocalFree(pSecurityDescriptor);
AuthzFreeHandle(hCached);
return TRUE;
}
相關主題