Implementing an internet-facing MOSS 2007 site, where a small set of users will have contributor rights in SharePoint. We are using a custom HttpModule for authentication, which assigns a custom principal to HttpApplication.Context.User. This principal is used by SharePoint for identity and access control. Using .NET 2.0 I can use something like this:

WindowsIdentity id = new WindowsIdentity("fred@bedrock.com");
httpApp.Context.User = new WindowsPrincipal(id);

This gives me a token with an impersonation level of "Identification" (unless I configured S4U protocol transition), which should not be of any use for accessing local or remote resources. But it seems to work just fine inside SharePoint: if the user with the UPN given in the code above is a member of "Site Owners", that user gets full access to the site. This seems to be something of a security issue, given how easy it is to construct such a token. Is this a known issue or intended/expected behaviour in MOSS 2007/WSS 3.0? (Originally posted to the SharePoint.devandprog forum with no reply; rephrased and posted here.)
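The defensive check the post implies, as an added example that is not the poster's module or any SharePoint code: an HttpModule that builds a WindowsIdentity from a UPN and, before assigning it to Context.User, inspects WindowsIdentity.ImpersonationLevel (a .NET 2.0 property) and refuses to treat an Identification-level token as a usable principal. The class name, the "AuthenticatedUpn" context item, and the idea that an earlier step has already validated the UPN are assumptions for illustration.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using System.Web;

// Added example, not from the original post. Hypothetical module that only hands a
// WindowsIdentity to the request when the token is good for more than identification.
public class UpnAuthenticationModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    public void Dispose() { }

    // True only for token levels that Windows itself honours for access checks.
    // new WindowsIdentity(upn) without S4U protocol transition yields Identification,
    // which this method rejects; with protocol transition configured the level is
    // Impersonation and the identity passes.
    public static bool IsUsableForAuthorization(WindowsIdentity identity)
    {
        if (identity == null || !identity.IsAuthenticated)
            return false;

        switch (identity.ImpersonationLevel)
        {
            case TokenImpersonationLevel.Impersonation:
            case TokenImpersonationLevel.Delegation:
                return true;
            default:
                // Anonymous, Identification, None: never use for authorization decisions.
                return false;
        }
    }

    // Assumption: an earlier authentication step (e.g. ticket validation) stored the
    // verified UPN in Context.Items under this key. The UPN is never read straight
    // from the request, since the UPN constructor needs no credentials at all.
    protected virtual string ResolveAuthenticatedUpn(HttpContext ctx)
    {
        return ctx.Items["AuthenticatedUpn"] as string;
    }

    private void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        string upn = ResolveAuthenticatedUpn(app.Context);
        if (upn == null)
            return;   // Nothing established for this request; leave User unset.

        WindowsIdentity identity;
        try
        {
            identity = new WindowsIdentity(upn);
        }
        catch (SecurityException)
        {
            Reject(app);
            return;
        }
        catch (UnauthorizedAccessException)
        {
            Reject(app);
            return;
        }

        if (!IsUsableForAuthorization(identity))
        {
            // Identification-level token: do not let SharePoint see it as the user.
            Reject(app);
            return;
        }

        app.Context.User = new WindowsPrincipal(identity);
    }

    private static void Reject(HttpApplication app)
    {
        app.Context.Response.StatusCode = 401;
        app.CompleteRequest();
    }
}
```

The check separates "Windows can tell me who this name is" from "Windows has actually authenticated this user": only the latter levels are forwarded. It does not change how SharePoint treats whatever principal it receives, which is the behaviour the question is about; it only keeps the module from constructing a privileged principal out of a bare name.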