We have code that has a DelegatingHandler that sets Thread.CurrentPrincipal to an IClaimsPrincipal early in the pipeline. This has been working just fine for months. Recently we've enabled a custom TraceWriter using the following code:
httpConfiguration.Services.Replace(typeof(ITraceWriter), new TraceWriter());
This seems to cause a greater level of thread agility and Thread.CurrentPrincipal is not being propagated to the new thread. I'm presuming this also means that it might not get cleaned up properly so could result in privilege escalation...
We're running .NET 4.0 with the ASP.NET 4.0 Web API RC. Our code essentially looks like this (greatly simplified):
internal class AuthenticationMessageHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        Thread.CurrentPrincipal = ClaimsPrincipal.CreateFromIdentities(...);
        return base.SendAsync(request, cancellationToken);
    }
}
Then a controller accesses the IClaimsPrincipal as follows:
IClaimsPrincipal claimsPrincipal = Thread.CurrentPrincipal.AsClaimsPrincipal();
This returns null because Thread.CurrentPrincipal from the handler hasn't been propagated to the thread that the controller is running on...