
I have a custom ServiceAuthorizationManager where I override CheckAccess and validate a custom auth token that is part of the URL. After I validate, I set Thread.CurrentPrincipal with a GenericPrincipal. But when the request finally reaches my service method, Thread.CurrentPrincipal is gone; it is not what I set in the auth manager. What's going wrong?

sash

2 Answers


I got around this by setting principalPermissionMode="None" in the service behavior where I register the service auth manager. This is supposed to tell the WCF runtime not to put any principal in the current thread. If you set it to "Custom", it overwrites whatever principal you set using a GenericPrincipal.

sash
  • So how are you doing the custom auth you mentioned? Is this possible using a PrincipalPermissionMode of 'None'? – Phil Degenhardt Oct 22 '11 at 00:12
  • I send out an auth ticket during login and the client keeps track of it and uses it in subsequent services. If the auth ticket is not valid I just return false from my ServiceAuthorizationManager implementation. If it is valid I set a generic principal on the current thread. If you don't set principalPermissionMode to None, the generic principal you just set will be overwritten somewhere down the line. – sash Oct 24 '11 at 13:51
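The approach this answer describes, written out as an added example (it is not code from the question or the answer): an authorization manager that validates a ticket carried in the request URL and sets a GenericPrincipal on the thread, paired with the principalPermissionMode="None" behavior that stops WCF from replacing it. It overrides CheckAccessCore rather than CheckAccess, because the base CheckAccess builds the ServiceSecurityContext and then calls CheckAccessCore, so the rest of the WCF security pipeline stays intact. The IssuedTickets table, the "ticket" query parameter name and the Demo type and assembly names are assumptions made for this example.

```csharp
// Added example, not code from the question or the answer. Validates a
// ticket passed in the request URL and, when it is valid, sets a
// GenericPrincipal on the current thread. Relies on
// principalPermissionMode="None" (config at the bottom) so that WCF does
// not replace Thread.CurrentPrincipal later in the pipeline.
// IssuedTickets, the "ticket" query parameter and the type/assembly names
// in the config are assumptions made for this example.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.ServiceModel;
using System.Threading;
using System.Web;                 // HttpUtility; reference System.Web.dll

namespace Demo
{
    public class TicketAuthorizationManager : ServiceAuthorizationManager
    {
        // Stand-in for the store of tickets handed out at login:
        // ticket value -> (user name, roles). Constructed sample data.
        private static readonly Dictionary<string, Tuple<string, string[]>> IssuedTickets =
            new Dictionary<string, Tuple<string, string[]>>(StringComparer.Ordinal)
            {
                { "c2f0d9a1e4b7", Tuple.Create("alice", new[] { "Users" }) },
            };

        // CheckAccessCore rather than CheckAccess: the base CheckAccess sets
        // up the ServiceSecurityContext and then calls this method.
        protected override bool CheckAccessCore(OperationContext operationContext)
        {
            // Address the message was sent to, e.g.
            // http://host/Orders.svc/GetOrders?ticket=c2f0d9a1e4b7
            Uri to = operationContext.IncomingMessageHeaders.To;
            if (to == null)
                return false;

            // ParseQueryString accepts the leading '?' that Uri.Query carries.
            string ticket = HttpUtility.ParseQueryString(to.Query)["ticket"];
            Tuple<string, string[]> entry;
            if (string.IsNullOrEmpty(ticket) || !IssuedTickets.TryGetValue(ticket, out entry))
                return false;   // WCF turns false into an access-denied fault

            // With principalPermissionMode="None" WCF leaves
            // Thread.CurrentPrincipal alone, so the service method sees this.
            Thread.CurrentPrincipal = new GenericPrincipal(
                new GenericIdentity(entry.Item1, "Ticket"), entry.Item2);
            return true;
        }
    }
}

/* Matching service behavior in web.config (assumed names):

<serviceBehaviors>
  <behavior name="TicketAuth">
    <serviceAuthorization
        principalPermissionMode="None"
        serviceAuthorizationManagerType="Demo.TicketAuthorizationManager, Demo" />
  </behavior>
</serviceBehaviors>
*/
```

One caveat when the ticket travels in the URL as the question describes: it lands in web-server and proxy logs and in browser history, so tickets should be short-lived and revocable server-side rather than treated as long-term credentials.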

If you do not wish to use the built-in mechanisms for authorization, WCF requires that the current principal be identified via an IAuthorizationPolicy to be properly integrated in the WCF pipeline. You will need to specify a PrincipalPermissionMode of 'Custom'.

For a detailed introduction see this article: Authorization In WCF-Based Services

Phil Degenhardt