The JEDI Windows Security Code Library (JWSCL) is a set of Delphi classes that gives Delphi programmers easy access to Windows security programming, which otherwise has to be done through a complex C-style API.

How can this library make work easier?

Here is code that checks whether the current user has a desired access right on an arbitrary file.
The following code snippet was written by Luckie and can be obtained here.

  function CheckAccessToFile(DesiredAccess: DWORD; const FileName: WideString): Boolean;
  const
    // Maps the GENERIC_* bits of DesiredAccess to file-specific rights.
    GenericFileMapping     : TGenericMapping = (
      GenericRead: FILE_GENERIC_READ;
      GenericWrite: FILE_GENERIC_WRITE;
      GenericExecute: FILE_GENERIC_EXECUTE;
      GenericAll: FILE_ALL_ACCESS
      );
  var
    LastError              : DWORD;
    LengthNeeded           : DWORD;
    SecurityDescriptor     : PSecurityDescriptor;
    ClientToken            : THandle;
    AccessMask             : DWORD;
    PrivilegeSet           : TPrivilegeSet;
    PrivilegeSetLength     : DWORD;
    GrantedAccess          : DWORD;
    AccessStatus           : BOOL;
  begin
    Result := False;
    LastError := GetLastError;
    // First call only sizes the buffer; it is expected to fail with
    // ERROR_INSUFFICIENT_BUFFER and return the required length.
    if not GetFileSecurityW(PWideChar(FileName), OWNER_SECURITY_INFORMATION or
      GROUP_SECURITY_INFORMATION or DACL_SECURITY_INFORMATION, nil, 0,
      LengthNeeded) and (GetLastError <> ERROR_INSUFFICIENT_BUFFER) then
      Exit;
    SetLastError(LastError);
    Inc(LengthNeeded, $1000);
    SecurityDescriptor := PSecurityDescriptor(LocalAlloc(LPTR, LengthNeeded));
    if not Assigned(SecurityDescriptor) then
      Exit;
    try
      // Second call reads owner, group and DACL into the buffer.
      if not GetFileSecurityW(PWideChar(FileName), OWNER_SECURITY_INFORMATION or
        GROUP_SECURITY_INFORMATION or DACL_SECURITY_INFORMATION,
        SecurityDescriptor, LengthNeeded, LengthNeeded) then
        Exit;
      // AccessCheck requires an impersonation token, so impersonate ourselves
      // and open the resulting thread token.
      if not ImpersonateSelf(SecurityImpersonation) then
        Exit;
      try
        if not OpenThreadToken(GetCurrentThread, TOKEN_QUERY or
          TOKEN_IMPERSONATE or TOKEN_DUPLICATE, False, ClientToken) then
          Exit;
        try
          AccessMask := DesiredAccess;
          MapGenericMask(AccessMask, GenericFileMapping);
          PrivilegeSetLength := SizeOf(TPrivilegeSet);
          // AccessStatus becomes True only if every requested right is granted.
          if AccessCheck(SecurityDescriptor, ClientToken, AccessMask,
            GenericFileMapping, PrivilegeSet, PrivilegeSetLength, GrantedAccess,
            AccessStatus) then
            Result := AccessStatus;
        finally
          CloseHandle(ClientToken);
        end;
      finally
        RevertToSelf;
      end;
    finally
      LocalFree(HLOCAL(SecurityDescriptor));
    end;
  end;
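As an added example (not part of the original post and not JWSCL code), the same Win32 sequence can ask AccessCheck for MAXIMUM_ALLOWED, so that the whole effective access mask comes back instead of a yes/no for one right; the program name and GetGrantedFileAccess are hypothetical names chosen here.

```delphi
program GrantedAccessDemo;
{$APPTYPE CONSOLE}
uses Windows, SysUtils;
// Hypothetical helper (added example): same steps as CheckAccessToFile above,
// but requests MAXIMUM_ALLOWED so Granted receives every right the DACL allows.
function GetGrantedFileAccess(const FileName: WideString; out Granted: DWORD): Boolean;
const
  Mapping: TGenericMapping = (GenericRead: FILE_GENERIC_READ;
    GenericWrite: FILE_GENERIC_WRITE; GenericExecute: FILE_GENERIC_EXECUTE;
    GenericAll: FILE_ALL_ACCESS);
  Info = OWNER_SECURITY_INFORMATION or GROUP_SECURITY_INFORMATION or
    DACL_SECURITY_INFORMATION;
var
  SD: PSecurityDescriptor;
  Needed, PrivLen: DWORD;
  Token: THandle;
  Privs: TPrivilegeSet;
  Status: BOOL;
begin
  Result := False; Granted := 0; Needed := 0;
  // Sizing call: expected to fail with ERROR_INSUFFICIENT_BUFFER.
  if not GetFileSecurityW(PWideChar(FileName), Info, nil, 0, Needed) and
    (GetLastError <> ERROR_INSUFFICIENT_BUFFER) then Exit;
  SD := PSecurityDescriptor(LocalAlloc(LPTR, Needed));
  if SD = nil then Exit;
  try
    if not GetFileSecurityW(PWideChar(FileName), Info, SD, Needed, Needed) then Exit;
    // AccessCheck only accepts an impersonation token, hence ImpersonateSelf.
    if not ImpersonateSelf(SecurityImpersonation) then Exit;
    try
      if not OpenThreadToken(GetCurrentThread, TOKEN_QUERY, False, Token) then Exit;
      try
        PrivLen := SizeOf(Privs);
        Result := AccessCheck(SD, Token, MAXIMUM_ALLOWED, Mapping, Privs, PrivLen,
          Granted, Status);
      finally CloseHandle(Token); end;
    finally RevertToSelf; end;
  finally LocalFree(HLOCAL(SD)); end;
end;
var Granted: DWORD;
begin
  if (ParamCount = 1) and GetGrantedFileAccess(ParamStr(1), Granted) then
  begin
    WriteLn(Format('Effective access mask: $%.8x', [Granted]));
    WriteLn('Full generic read : ', (Granted and FILE_GENERIC_READ) = FILE_GENERIC_READ);
    WriteLn('Full generic write: ', (Granted and FILE_GENERIC_WRITE) = FILE_GENERIC_WRITE);
  end
  else
    WriteLn('Usage: GrantedAccessDemo <file>   (', SysErrorMessage(GetLastError), ')');
end.
```

The returned mask is expressed in file-specific rights, so compare it against the FILE_GENERIC_* constants rather than GENERIC_READ or GENERIC_WRITE.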

Do you see the pointer arithmetic and the possibly unfamiliar API function calls?

Ok, let’s see what JWSCL can do for us.

  function CheckAccessToFile(
    DesiredAccess: DWORD; const FileName: WideString): Boolean;
  var FileObject : TJwSecureFileObject;
  begin
    FileObject := TJwSecureFileObject.Create(FileName);
    try
      result := FileObject.AccessCheck(DesiredAccess);
    finally
      FileObject.Free;
    end;
  end;

If you don't think “Whoa, what a difference!”, you are either a C programming guru with a lot of knowledge of Windows security programming, or you just didn't read it right.

Do you see the typical Delphi class structure?

Have you ever had to deal with the following terms?

  • LSA
  • token
  • privilege
  • impersonation
  • SID
  • desktop
  • window station
  • Vista elevation
  • DACL, SACL
  • ACE
  • security descriptor
  • security descriptor editor
  • generic mask mapping
  • file, registry security (DACL, SACL)
  • user credentials (principal)

All these terms and even more are encapsulated in Delphi classes that are simple to use compared with the C style used by the Windows API.

The goal of this library is therefore to hide the complex structure of the Windows security API and let the programmer concentrate on the real task.
The goal of this library is not to teach programmers how to program Windows security. A programmer should always know what he or she is doing, and this is even more true for Windows security programming.
