Feedback on ASP.NET Web API

Consistent Integration with Host Security

The host integration plumbing should be consisten when copying host established client identity to WebAPI.

The logic should be:

- If the host has established a client identity, copy it to the request message.
- If not, set up an anonymous principal.

Currently, in web hosting the client id is always copied, in self hosting only for windows auth.

This will lead to situations where HttpRequestMessage.GetUserPrincipal() returns null.

9 votes
Vote
Sign in
(thinking…)
Password icon
Signed in as (Sign out)
You have left! (?) (thinking…)
Dominick Baier shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
completed  ·  Daniel Roth responded  · 

We now consistently use Threat.CurrentPrincipal as the contract between ASP.NET Web API and the host.

0 comments

Sign in
(thinking…)
Password icon
Signed in as (Sign out)
Submitting...

Feedback and Knowledge Base