Claims set on Thread.CurrentPrincipal in AfterReceiveRequest are getting lost in WCF

I am using Microsoft.IdentityModel.dll to set and get the claims in WCF. I have also implemented MessageInspectors for setting up the claims. So, I am adding a ClaimsIdentity to the request headers like below from the client side.

public object BeforeSendRequest(ref System.ServiceModel.Channels.Message request, System.ServiceModel.IClientChannel channel)
{
    var claims = new List<Claim> { new Claim(UserIdClaim, "12345"), };
    ClaimsIdentity claimsIdentity = new ClaimsIdentity(claims);
    MessageHeader<ClaimsIdentity> header = new MessageHeader<ClaimsIdentity>(claimsIdentity);
    var untypedHeader = header.GetUntypedHeader(ClaimsName, ClaimsNameSpace);
    request.Headers.Add(untypedHeader);

    return null;
}

And service side,

public object AfterReceiveRequest(ref System.ServiceModel.Channels.Message request, System.ServiceModel.IClientChannel channel, System.ServiceModel.InstanceContext instanceContext)
{
    ClaimsIdentity claimsIdentity = request.Headers.GetHeader<ClaimsIdentity>(ClaimsName, ClaimsNameSpace);
    var claimsIdentitylst = new ClaimsIdentityCollection(new List<IClaimsIdentity> { claimsIdentity });
    IClaimsPrincipal claimsPrincipal = new ClaimsPrincipal(claimsIdentitylst);
    Thread.CurrentPrincipal = claimsPrincipal;

    return null;
}

I am trying to access the claim values, which are set in AfterReceiveRequest, in the method implementation (OperationContract) like below. But the claims are not available in Thread.CurrentPrincipal.

var userIdClaim = ((IClaimsIdentity)Thread.CurrentPrincipal.Identity).Claims.First(c => c.ClaimType == UserIdClaim);

userIdClaim is null here.

Any ideas?

asked May 5 '13 at 18:05

Are the claims shown by the debugger in Thread.CurrentPrincipal inside AfterReceiveRequest? -

@DanilaPolevshikov, It has. -

3 Answers

Well - besides the fact that what you are doing is a very uncommon practice - there is only one place in the WCF pipeline where you can safely set Thread.CurrentPrincipal. That's in a service authorization manager when PrincipalPermissionMode is set to Custom.

Typically you would rather pass the claims as part of a security token (like SAML) and let WCF do the server side plumbing for you.

answered May 6 '13 at 07:05

Any code samples to implement this or any blogs which will explain it in detail? I didn't get a clear picture. - Prasad Kanaparthi
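One way to implement what the answer above describes, as an added example that is not code from the question or from any of the answers: a ServiceAuthorizationManager that builds the claims principal and hands it to WCF through the authorization context. The class, namespace and constant values are hypothetical placeholders, and the example assumes the binding authenticates the caller, because a claims header written by the client proves nothing on its own.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.ServiceModel;
using System.ServiceModel.Channels;
using Microsoft.IdentityModel.Claims;

// Register in config (type and assembly names are hypothetical):
// <serviceAuthorization principalPermissionMode="Custom"
//     serviceAuthorizationManagerType="Example.HeaderClaimsAuthorizationManager, Example" />
namespace Example
{
    public class HeaderClaimsAuthorizationManager : ServiceAuthorizationManager
    {
        // Placeholder values; they must match the client-side message inspector.
        private const string ClaimsName = "claims-header-name";
        private const string ClaimsNameSpace = "urn:example:claims";
        private const string UserIdClaim = "urn:example:claims/userid";

        protected override bool CheckAccessCore(OperationContext operationContext)
        {
            // The header is asserted by the client, so only accept it from a caller
            // that the binding has already authenticated.
            ServiceSecurityContext security = operationContext.ServiceSecurityContext;
            if (security == null || security.IsAnonymous)
                return false;

            MessageHeaders headers = operationContext.IncomingMessageHeaders;
            if (headers.FindHeader(ClaimsName, ClaimsNameSpace) < 0)
                return false; // no claims header: deny instead of running without identity

            ClaimsIdentity sent = headers.GetHeader<ClaimsIdentity>(ClaimsName, ClaimsNameSpace);

            // Copy only the claim types the service expects; drop everything else.
            List<Claim> accepted = sent.Claims
                .Where(c => c.ClaimType == UserIdClaim)
                .Select(c => new Claim(c.ClaimType, c.Value))
                .ToList();
            if (accepted.Count != 1)
                return false;

            var identities = new ClaimsIdentityCollection(
                new List<IClaimsIdentity> { new ClaimsIdentity(accepted) });

            // With principalPermissionMode="Custom", WCF takes the principal from this
            // property after authorization and assigns it to Thread.CurrentPrincipal.
            security.AuthorizationContext.Properties["Principal"] = new ClaimsPrincipal(identities);
            return true;
        }
    }
}
```

With this in place the AfterReceiveRequest inspector no longer needs to touch Thread.CurrentPrincipal, since WCF assigns the thread principal itself after message inspectors have run.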

Ran into this issue on a legacy WCF service when switching to https (oddly enough it didn't happen under http). Quick and dirty fix is to set the principalPermissionMode to None.

<system.serviceModel>
    <behaviors>
        <serviceBehaviors>
            <behavior>
                <serviceAuthorization principalPermissionMode="None" />
            </behavior>
        </serviceBehaviors>
    </behaviors>
</system.serviceModel>

answered Sep 20 '22 at 16:09

You might have good reasons to do this by hand, but passing of identity in wcf is handled out of the box with a wsFederationHttpBinding. You can find examples in the WIF SDK or online at http://msdn.microsoft.com/nl-be/library/aa355045.aspx .

answered May 5 '13 at 19:05
