Last post Apr 06, 2017 08:44 AM by Scout7
Apr 05, 2017 11:12 AM | Scout7
Hi all, I have inherited a rather, shall we say, organic project for which I have been asked to improve authorization and authentication on the Web API, for which I have used OAuth2 and Identity2, which is all good, BUT for some bizarre reason the service layer of this project has a dependency on Thread.CurrentPrincipal.Identity.Name, which I think is a bad idea as it makes it massively problematic to decouple this layer; ideally it should be passed in as a property, in my opinion. Unfortunately there is no concept of dependency injection in this project and I certainly cannot rewrite everything to accommodate it. So my question is: does anyone have any idea how best I could get around the Thread.CurrentPrincipal.Identity.Name problem?
I am thinking of maybe a base class that all services inherit that has a property for the name, but is there a way that I can set this without having to set it on every instantiation of every single class that inherits the base class? Is there a way to globally set it some other way?
Apr 06, 2017 08:26 AM | Zhi Lv - MSFT
So my question is does anyone have any idea how best I could get around the Thread.CurrentPrincipal.Identity.Name problem.
Do you want to disable the Thread.CurrentPrincipal in your project?
As we all know, Thread.CurrentPrincipal sets the thread's current principal (for role-based security). Using Thread.CurrentPrincipal is arguably more secure, if your library is using the principal for authorization purposes, because untrusted code can pass in a principal as an argument, while CAS might prevent it from setting Thread.CurrentPrincipal.
So, from my point of view, I do not suggest you disable it.
Apr 06, 2017 08:44 AM | Scout7
Thank you for your reply. I certainly do not want to disable it if I can avoid it, but it feels sort of wrong to have a dependency on it in a service layer, just my opinion.
Whilst I can live with having it in place, a new related issue has arisen where, after validating my user with an OAuth refresh token, a subsequent call to this particular service layer results in Thread.CurrentPrincipal.Identity.Name not being set, which is suggestive of the CurrentPrincipal having not been set at this point OR the query being executed from a different thread?
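The following is an added example, not code from this thread or from Scout7's project. It shows one way to answer the first post (a base class that all services inherit, with the user name supplied by a single globally configured provider rather than set on every instantiation) and, in the same program, exercises the failure mode raised in the last post (a service call on a different thread, or with a principal that is present but not authenticated). The names CurrentUser, ServiceBase, OrderService and RunAs are hypothetical; the default provider keeps reading Thread.CurrentPrincipal so existing behaviour is unchanged, and a web host would typically replace it at startup with a delegate that reads the request's principal. The important security point is that the service layer fails closed: it throws when there is no authenticated identity instead of silently running with an empty name.

```csharp
using System;
using System.Security.Claims;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;

// Ambient "current user" consulted by the service layer instead of touching
// Thread.CurrentPrincipal directly. One global provider (set once at startup)
// plus an optional scoped override for background work and tests. (Hypothetical type.)
public static class CurrentUser
{
    // Default keeps today's behaviour so nothing else in the project has to change.
    private static Func<IPrincipal> _provider = () => Thread.CurrentPrincipal;

    // Scoped override; AsyncLocal travels with the execution context across await/Task.Run.
    private static readonly AsyncLocal<IPrincipal> _scoped = new AsyncLocal<IPrincipal>();

    // Call once at application start, e.g. with a delegate that reads the web host's request principal.
    public static void SetProvider(Func<IPrincipal> provider)
    {
        if (provider == null) throw new ArgumentNullException(nameof(provider));
        _provider = provider;
    }

    public static IPrincipal Principal => _scoped.Value ?? _provider();

    // Null unless a principal is present AND authenticated AND carries a non-empty name.
    public static string AuthenticatedName
    {
        get
        {
            var identity = Principal?.Identity;
            if (identity == null || !identity.IsAuthenticated || string.IsNullOrEmpty(identity.Name))
                return null;
            return identity.Name;
        }
    }

    // Temporarily run the current logical call chain as a given principal (jobs, tests).
    public static IDisposable RunAs(IPrincipal principal)
    {
        var previous = _scoped.Value;
        _scoped.Value = principal;
        return new Restore(() => _scoped.Value = previous);
    }

    private sealed class Restore : IDisposable
    {
        private readonly Action _undo;
        public Restore(Action undo) { _undo = undo; }
        public void Dispose() { _undo(); }
    }
}

// Base class for the service layer: fail closed when no authenticated user is present.
public abstract class ServiceBase
{
    protected string UserName
    {
        get
        {
            var name = CurrentUser.AuthenticatedName;
            if (name == null)
                throw new UnauthorizedAccessException("No authenticated principal for this call.");
            return name;
        }
    }
}

public class OrderService : ServiceBase
{
    public string ListOrders() => "orders owned by " + UserName;
}

public static class Program
{
    // Constructed sample principal; the authentication type makes ClaimsIdentity.IsAuthenticated true.
    private static IPrincipal Authenticated(string name) =>
        new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, name) }, "Bearer"));

    private static string Try(Func<string> call)
    {
        try { return call(); }
        catch (UnauthorizedAccessException e) { return "refused: " + e.Message; }
    }

    public static void Main()
    {
        var service = new OrderService();

        // 1. Normal path: the host (or a test) sets Thread.CurrentPrincipal before the call.
        Thread.CurrentPrincipal = Authenticated("alice");
        Console.WriteLine(Try(service.ListOrders));

        // 2. Same call from a Task: the principal is carried by the captured execution context.
        Console.WriteLine(Task.Run(() => Try(service.ListOrders)).Result);

        // 3. Context flow suppressed: the worker thread has no authenticated user, so the service refuses.
        using (ExecutionContext.SuppressFlow())
            Console.WriteLine(Task.Run(() => Try(service.ListOrders)).Result);

        // 4. A ClaimsIdentity built without an authentication type is NOT authenticated: refused.
        Thread.CurrentPrincipal = new ClaimsPrincipal(
            new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "mallory") }));
        Console.WriteLine(Try(service.ListOrders));

        // 5. Scoped override for a background job, independent of the thread's own principal.
        using (CurrentUser.RunAs(Authenticated("batch-job")))
            Console.WriteLine(Try(service.ListOrders));
    }
}
```

Cases 3 and 4 are the two things to check when the name "is not set" after a refresh: whether the code path that reaches the service still carries the execution context that was populated during authentication, and whether the principal that is present is actually authenticated (a ClaimsIdentity without an authentication type reports IsAuthenticated as false even though it has a name claim).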