The JEDI Windows Security Code Library (JWSCL) is a set of Delphi classes that gives Delphi programmers easy access to Windows security programming, which otherwise relies on a complex C-style API.

How can this library make work easier?

Here is code that checks whether the current user has a desired access to an arbitrary file.
The following code snippet was created by Luckie and can be found here.

function CheckAccessToFile(DesiredAccess: DWORD; const FileName: WideString): Boolean;
const
  GenericFileMapping     : TGenericMapping = (
    GenericRead: FILE_GENERIC_READ;
    GenericWrite: FILE_GENERIC_WRITE;
    GenericExecute: FILE_GENERIC_EXECUTE;
    GenericAll: FILE_ALL_ACCESS
    );
var
  LastError              : DWORD;
  LengthNeeded           : DWORD;
  SecurityDescriptor     : PSecurityDescriptor;
  ClientToken            : THandle;
  AccessMask             : DWORD;
  PrivilegeSet           : TPrivilegeSet;
  PrivilegeSetLength     : DWORD;
  GrantedAccess          : DWORD;
  AccessStatus           : BOOL;
begin
  Result := False;
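  // Remember the caller's last-error value; it is restored after the size query.
  LastError := GetLastError;
  // First call with no buffer: it is expected to fail with
  // ERROR_INSUFFICIENT_BUFFER and report the required size in LengthNeeded.
  if not GetFileSecurityW(PWideChar(FileName), OWNER_SECURITY_INFORMATION or
    GROUP_SECURITY_INFORMATION or DACL_SECURITY_INFORMATION, nil, 0,
    LengthNeeded) and (GetLastError <> ERROR_INSUFFICIENT_BUFFER) then
    Exit;
  SetLastError(LastError);
  Inc(LengthNeeded, $1000);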
  SecurityDescriptor := PSecurityDescriptor(LocalAlloc(LPTR, LengthNeeded));
  if not Assigned(SecurityDescriptor) then
    Exit;
  try
    if not GetFileSecurityW(PWideChar(FileName), OWNER_SECURITY_INFORMATION or
      GROUP_SECURITY_INFORMATION or DACL_SECURITY_INFORMATION,
      SecurityDescriptor, LengthNeeded, LengthNeeded) then
      Exit;
    // AccessCheck requires an impersonation token, so impersonate our own identity.
    if not ImpersonateSelf(SecurityImpersonation) then
      Exit;
    try
      if not OpenThreadToken(GetCurrentThread, TOKEN_QUERY or
        TOKEN_IMPERSONATE or TOKEN_DUPLICATE, False, ClientToken) then
        Exit;
      try
        // AccessCheck does not accept generic rights; map them to file-specific rights first.
        AccessMask := DesiredAccess;
        MapGenericMask(AccessMask, GenericFileMapping);
        PrivilegeSetLength := SizeOf(TPrivilegeSet);
        if AccessCheck(SecurityDescriptor, ClientToken, AccessMask,
          GenericFileMapping, PrivilegeSet, PrivilegeSetLength, GrantedAccess,
          AccessStatus) then
          Result := AccessStatus;
      finally
        CloseHandle(ClientToken);
      end;
    finally
      RevertToSelf;
    end;
  finally
    LocalFree(HLOCAL(SecurityDescriptor));
  end;
end;

Do you see the pointer arithmetic and the possibly unfamiliar API function calls?

OK, let’s see what JWSCL can do for us.

function CheckAccessToFile(
  DesiredAccess: DWORD; const FileName: WideString): Boolean;
var FileObject : TJwSecureFileObject;
begin
  FileObject := TJwSecureFileObject.Create(FileName);
  try
    result := FileObject.AccessCheck(DesiredAccess);
  finally
    FileObject.Free;
  end;
end;

If you don't think “Whoa, what a difference!”, you are either a C programming guru with a lot of knowledge of Windows security programming, or you just didn't read it right.

So, do you see the typical Delphi class structure?

Have you ever had to bother with the following terms?

  • LSA
  • token
  • privilege
  • impersonation
  • SID
  • desktop
  • window station
  • Vista elevation
  • DACL, SACL
  • ACE
  • security descriptor
  • security descriptor editor
  • generic mask mapping
  • file, registry security (DACL, SACL)
  • user credentials (principal)

All these terms, and more, are encapsulated in Delphi classes that are simple to use compared to the C style used by the Windows API.

The goal of this library is therefore to hide the complex structure of the Windows security API and let the programmer concentrate on the real task.
The goal of this library is not to teach programmers how to program Windows security. A programmer should always know what she/he is doing, and this is even more true when programming Windows security.