Working with IServerSecurity

The server obtains the IServerSecurity interface by invoking CoGetCallContext(). This is the only easy way for the server to work with successfully negotiated security parameters from the client.

IServerSecurity*   pSS;
CoGetCallContext( IID_IServerSecurity, (void **)&pSS );

To get more information on the security blanket from the client, the server may invoke:

HRESULT CoQueryClientBlanket( DWORD* pAuthnSvc,
                              DWORD* pAuthzSvc,
                              OLECHAR** pServerPrincName,
                              DWORD* pAuthnLevel,
                              DWORD* pImpLevel,
                              RPC_AUTHZ_HANDLE* pPrivs,
                              DWORD* pCapabilities );

One of the interesting new fields here is the pPrivs (the type is really a void **) which is set to point to a Unicode string identifying the client. The caller must not modify the string in any way. The default NTLM security provider will return an Domain\\User value.

In order to access resources with the client's security context, the server can impersonate the client of this call and then revert to its own security context when done. You can use the wrapper functions for the IServerSecurity interface for this:

CoImpersonateClient();
//access resources
...
CoRevertToSelf();

© 1997 by Wrox Press. All rights reserved.