2

I'm confused why in Web API it's needed to set the Principal, since each call is totally stateless. What's the benefit and the reason for setting it up with your logged user info, since each call is expected to be totally stateless?

I was under the impression that one logged user was getting a server created token and that was the key that needed to be sent back and forward on each call, till the user decided to either log-off or the token expired?

// Web API action: the token travels in a request header and is handed straight
// to the data layer, which validates it against the database on each call.
public Product Get(int id)
{
    string token = GetHeaderTokenSecurityAccess(); // read the token from the request header
    return DataLayer.GetProduct(token, id);        // data layer checks the token, then returns the product
}

What's the main reason to "need" to set the IPrincipal in this case?

SF Developer
  • and how do you think a token is translated into a "user context" on each request? :-) – Filip W Oct 11 '13 at 07:21
  • Web API 2.0 puts the Principal on the HttpRequestContext where it belongs in my opinion. It still updates the static Thread.Principal but that's to support existing code that depends on it. – Darrel Miller Oct 11 '13 at 11:23
  • @FilipW A token to me could be a "GUID" value that my DataLayer gave the logged user and now checks vs the Database to see if the user is a recognized and approved user. Where is the user Context needed there? – SF Developer Oct 12 '13 at 19:25
  • For some edge cases see http://leastprivilege.com/2013/03/11/alternative-to-thread-currentprincipal-in-asp-net-web-api/ and http://leastprivilege.com/2012/06/25/important-setting-the-client-principal-in-asp-net-web-api/ – Matija Grcic Oct 14 '13 at 13:15

1 Answer

2

Principal is .NET's Identity mechanism.

Identity is a concept that encompasses all layers, not just the API layer. So all layers underneath need a way to access the current caller's identity, and this is implemented by setting a thread-local storage context which includes the Principal.

Aliostad
  • Out of curiosity, do you know what bits of the .net framework actually do depend on the Thread.Principal value? – Darrel Miller Oct 11 '13 at 11:24
  • @DarrelMiller best person to ask is leastprivilege. But AFAIK identity is a domain concern and not the framework, so I do not believe the framework uses the value. – Aliostad Oct 11 '13 at 12:32
  • @Aliostad If an API looks like "GetProduct" is it mandatory to set the Identity on the Framework in order to call a separate DataLayer that will return that Product data? I don't get it ...please advise – SF Developer Oct 12 '13 at 19:22
  • @Developer not mandatory. Only if you want to use current user to do Authorization – Aliostad Oct 13 '13 at 18:01
  • @DarrelMiller It's a domain concern as any .NET class implementing the IPrincipal interface is a valid Principal object. References http://msdn.microsoft.com/en-us/library/ftx85f8x.aspx and http://www.informit.com/articles/article.aspx?p=102217 – Matija Grcic Oct 14 '13 at 12:50
  • I forgot to include the following article http://blogs.msdn.com/b/pfxteam/archive/2012/06/15/executioncontext-vs-synchronizationcontext.aspx which explains propagation to new threads and CurrentPrincipal. – Matija Grcic Oct 14 '13 at 13:05
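The pattern the answer and the question's comments describe (a token is looked up once per request, the result is stored as a Principal, and the layers beneath read that Principal instead of being handed the raw token), as an added example in C# for ASP.NET Web API 2. This is illustration code, not code from the question or the answer: the `TokenStore` class, its GUID value, `TokenAuthenticationHandler`, `ProductsController` and the `Product` type are all constructed for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

// Hypothetical token store standing in for the database lookup the question
// describes. The GUID is a constructed sample value, not a real credential.
static class TokenStore
{
    static readonly Dictionary<string, (string User, string Role)> Tokens =
        new Dictionary<string, (string User, string Role)>
        {
            ["11111111-1111-1111-1111-111111111111"] = ("alice", "Admin"),
        };

    // Translates a token into a ClaimsPrincipal; returns false for unknown tokens.
    public static bool TryResolve(string token, out ClaimsPrincipal principal)
    {
        principal = null;
        if (token == null || !Tokens.TryGetValue(token, out var entry))
            return false;

        // Passing an authenticationType makes Identity.IsAuthenticated true.
        var identity = new ClaimsIdentity("Token");
        identity.AddClaim(new Claim(ClaimTypes.Name, entry.User));
        identity.AddClaim(new Claim(ClaimTypes.Role, entry.Role));
        principal = new ClaimsPrincipal(identity);
        return true;
    }
}

// Message handler: runs once per request before the controller. It does the
// token-to-user translation exactly once and publishes the result where the
// rest of the pipeline looks for it. Stateless is preserved: nothing survives
// past this request, the Principal just lives for the duration of the call.
public class TokenAuthenticationHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var auth = request.Headers.Authorization;
        if (auth != null && auth.Scheme == "Bearer"
            && TokenStore.TryResolve(auth.Parameter, out var principal))
        {
            request.GetRequestContext().Principal = principal; // Web API 2 location
            Thread.CurrentPrincipal = principal;               // legacy location for older code
            if (System.Web.HttpContext.Current != null)        // only when hosted in IIS
                System.Web.HttpContext.Current.User = principal;
        }
        // No principal set means [Authorize] below answers 401 for us.
        return await base.SendAsync(request, cancellationToken);
    }
}

public class Product
{
    public int Id { get; set; }
    public string RequestedBy { get; set; }
}

// The data layer no longer takes the token as a parameter: it reads the ambient
// Principal, so every layer can do its own authorization without a token being
// threaded through every method signature.
public static class DataLayer
{
    public static Product GetProduct(int id)
    {
        var caller = Thread.CurrentPrincipal;
        if (caller == null || !caller.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("No caller identity on this thread.");
        if (!caller.IsInRole("Admin"))
            throw new UnauthorizedAccessException("Caller may not read products.");
        return new Product { Id = id, RequestedBy = caller.Identity.Name };
    }
}

public class ProductsController : ApiController
{
    [Authorize] // rejects with 401 when the handler set no principal
    public Product Get(int id) => DataLayer.GetProduct(id);
}

// Registration, in WebApiConfig.Register(HttpConfiguration config):
//     config.MessageHandlers.Add(new TokenAuthenticationHandler());
```

With the handler registered, a request carrying `Authorization: Bearer 11111111-1111-1111-1111-111111111111` reaches `Get` with an authenticated `User`, and the data layer's role check passes; a request with no header or an unknown token never reaches the action because `[Authorize]` sees an unauthenticated principal. One caveat worth knowing for the legacy `Thread.CurrentPrincipal` location: it is per thread, so code that continues on another thread after an `await` relies on the ExecutionContext flow described in the linked pfxteam article; `request.GetRequestContext().Principal` does not have that dependency.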