When using Custom Username Authentication, is it possible to set Thread.CurrentPrincipal.Identity?
- I'm experimenting with a custom UserName validator, and while it seems to work, I've noticed that even when the credentials are passed to the service and validated, other service methods treat the client as unauthenticated. For example, if I have something like this as the validator:

    public override void Validate(string userName, string password)
    {
        // Validate arguments
        if (userName == null)
            throw new ArgumentNullException("userName");
        if (password == null)
            throw new ArgumentNullException("password");

        // Validate username and password
        if (userName != "user" || password != "pass")
        {
            throw new SecurityTokenException(
                "Invalid username or password.");
        }
    }

The method works as you'd expect. When I try to do this in the service method though:

    string name = Thread.CurrentPrincipal.Identity.Name;
    bool IsAuthenticated = Thread.CurrentPrincipal.Identity.IsAuthenticated;

The CurrentPrincipal identifies itself as a WindowsPrincipal, the Name is empty, and IsAuthenticated is false. I already passed a custom validation though, so why should this be the case? Is there a way to store the validated credentials in the Validate() method? Here's what I have in the config for the custom authentication:

    <serviceCredentials>
      <serviceCertificate findValue="chrislaptop2"
                          storeLocation="CurrentUser"
                          storeName="My"
                          x509FindType="FindBySubjectName"/>
      <userNameAuthentication userNamePasswordValidationMode="Custom"
                              customUserNamePasswordValidatorType="TestAuthService.TestAuth, TestAuthService"/>
    </serviceCredentials>

And for the binding:

    <bindings>
      <wsHttpBinding>
        <binding name="UserNameWS">
          <security mode="Message">
            <transport clientCredentialType="None"/>
            <message clientCredentialType="UserName"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>

Is there anything else that I'm missing here, or is there a better way to implement custom validation that I'm missing?
All replies
- Hi,
I think you can simply assign a new instance of GenericPrincipal / GenericIdentity to the CurrentPrincipal in your Validate method,
and later you will be able to use .IsAuthenticated and the other methods of the IPrincipal interface.
--larsw
Lars Wilhelmsen | Senior Consultant | Miles, Norway | Connected Systems MVP | http://larswilhelmsen.com/
- Hi,
Using "plain" WCF, see http://msdn.microsoft.com/en-us/library/aa702720.aspx or http://www.leastprivilege.com/CustomPrincipalsAndWCF.aspx
Basically, you have to create a custom authorization policy (IAuthorizationPolicy) and set the "Principal" property of the evaluation context.
If you are using WCF+Geneva FX, then you should define a custom ClaimsAuthenticationManager.
HTH
Pedro Felix
http://pfelix.wordpress.com

