15 Apr
Posted by: Christian Wimmer in: JEDI Windows Security Code Lib
Sometimes it is necessary to retrieve a user’s token or act as a user who is logged on. By default a service uses the SYSTEM token, and this leads to a security problem. If a service performs tasks sent by another, low-privileged process (the client), the client can do things it shouldn’t do. For this [...]
14 Apr
Posted by: Christian Wimmer in: Common, JEDI Windows Security Code Lib
I found this very interesting article about exceptions. You should read “Ten Things (or more) You Might Not Know About Exception Handling in Delphi” (or get it from Google Cache) and learn why exception inheritance is important. The same reason applies to the exceptions of the JWSCL. EJwsclSecurityException is the main exception inherited from [...]
10 Apr
Posted by: Christian Wimmer in: JEDI Windows Security Code Lib
If you try to make your application more secure against external plugins (or, better said, external code) by impersonating a low-privileged user and then calling the plugin function, that isn’t wise. You could just as well do nothing, which has the same effect: malicious code can easily revert to the process token by calling the RevertToSelf API.
If [...]
09 Apr
Posted by: Christian Wimmer in: Common, JEDI Windows API Headers, JEDI Windows Security Code Lib
This is the road map of JWA and JWSCL for the year 2008.
Add and test Rudy Velthuis headers for Delphi to JWA (done but needs review)
Implement COM interfaces and classes for JWSCL
Implement new Winsta (Terminal Service) declarations for JWA and JWSCL
Convert embedded source documentation to Doc-o-Matic (of course buy that nice software) (JWSCL)
Create tons of [...]
09 Apr
Posted by: Christian Wimmer in: JEDI Windows Security Code Lib
Whenever you impersonate in a running thread and create a new thread while impersonating, the new thread is not impersonated along with it. The new thread will run without any thread token, and thus a called function will use the process token instead. So you have to impersonate again in the new thread. Ignoring that fact may [...]
I was asked if we had implemented LsaLogonUser - the function from hell. Yes, we did. You can find it in the online documentation @ JwsclLsa.TJwSecurityLsa.LsaLogonUser (Unit.Class.Method). LsaLogonUser and JwsclToken.TJwSecurityToken.CreateNewToken are not documented at the moment.
However:
These functions should only be used for a really good reason. Otherwise the system security can be breached.
05 Apr
Posted by: Christian Wimmer in: JEDI Windows Security Code Lib
Many people add a “requireAdministrator” manifest to their application to get elevation in Vista. However, this is not needed all the time, so there is a second way that allows elevation even in Windows XP.
The solution is to restart the application with ShellExecute and the “runas” verb. In Vista you’ll get the elevation prompt, [...]
31 Mar
Posted by: Christian Wimmer in: JEDI Windows Security Code Lib
This simple code excerpt can only be run under the SYSTEM account (say, in a service). It retrieves the token of the logged-on user, specifically the user at the physical console. In other words, the user data of the person who sits in front of the computer. The main code which does the [...]
This is just an index of available units of the JEDI Windows Security Code Library. Find out more about these units in the corresponding help documentation by clicking on them. The help is also available from the JWSCL doc site. And if you seek an offline version with search function, download it directly from [...]
29 Mar
Posted by: Christian Wimmer in: JEDI Windows Security Code Lib
A NULL DACL (or nil, if you wish) denotes a non-existent discretionary access control list. If the system encounters such a nil pointer, it automatically grants access to all principals, including outsiders who are not authenticated.
WinAPI receives a nil pointer and checks for a flag like SE_DACL_PRESENT (security descriptor flag) or DACL_SECURITY_INFORMATION (functions like [...]