Thread.CurrentPrincipal is authenticated but ClaimsPrincipal.Current is not


Problem description


I'm using Claims based Authorization in my WebApi project and have a method where I check if the current Identity is authenticated. When I use ClaimsPrincipal.Current the current Identity is not authenticated but when I use Thread.CurrentPrincipal it is.

ClaimsPrincipal.Current.Identity.IsAuthenticated; //False
Thread.CurrentPrincipal.Identity.IsAuthenticated; //True


This seems strange especially since the MSDN says ClaimsPrincipal.Current just returns Thread.CurrentPrincipal:


Remarks

By default, Thread.CurrentPrincipal is returned. You can change this behavior by setting the ClaimsPrincipalSelector property to specify a delegate to be called to determine the current principal.

Can someone please explain to me why ClaimsPrincipal is not authenticated, while both, in theory, contain the same Identity?

Recommended answer


In short, the documentation is incorrect to say that it returns Thread.CurrentPrincipal by default.


What it actually returns is a ClaimsPrincipal wrapping Thread.CurrentPrincipal (if it's not, actually, already a ClaimsPrincipal), using this constructor:

public ClaimsPrincipal(IPrincipal principal)
{
    this.m_version = "1.0";
    this.m_identities = new List<ClaimsIdentity>();
    if (principal == null)
    {
        throw new ArgumentNullException("principal");
    }
    ClaimsPrincipal principal2 = principal as ClaimsPrincipal;
    if (principal2 == null)
    {
        this.m_identities.Add(new ClaimsIdentity(principal.Identity));
    }
    else if (principal2.Identities != null)
    {
        this.m_identities.AddRange(principal2.Identities);
    }
}


This, in turn, as you can hopefully see, is returning a ClaimsIdentity that wraps the principal's identity (again, if it's not, actually, already a ClaimsIdentity).


In constructing the ClaimsIdentity, the only place I can see where it will end up not setting the authentication type (and thus creating an identity that's not authenticated) is here:

if(identity is WindowsIdentity)
{
   try
   {
      this.m_authenticationType = identity.AuthenticationType;
   }
   catch(UnauthorizedAccessException)
   {
      this.m_authenticationType = null;
   }
}


So, if the identity you access via Thread.CurrentPrincipal.Identity is actually a WindowsIdentity instance, and in the context in which you're running you've got restricted permissions, the constructed ClaimsIdentity instance will have IsAuthenticated as false.
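
The wrapping behaviour described in the answer can be reproduced without a restricted Windows account. The following is an added example, not code from the original post or from the .NET sources. It assumes two constructed classes, LegacyIdentity and LegacyPrincipal, where the identity reports IsAuthenticated as true but returns a null AuthenticationType, standing in for the WindowsIdentity case in which null is stored after the UnauthorizedAccessException.

```csharp
using System;
using System.Security.Claims;
using System.Security.Principal;
using System.Threading;

// Constructed for illustration: claims to be authenticated but exposes no
// authentication type, like the WindowsIdentity path that stores null.
sealed class LegacyIdentity : IIdentity
{
    public string Name { get { return "alice"; } }
    public string AuthenticationType { get { return null; } }
    public bool IsAuthenticated { get { return true; } }
}

// Constructed for illustration: a principal that is NOT a ClaimsPrincipal,
// so ClaimsPrincipal.Current has to wrap it.
sealed class LegacyPrincipal : IPrincipal
{
    private readonly IIdentity _identity = new LegacyIdentity();
    public IIdentity Identity { get { return _identity; } }
    public bool IsInRole(string role) { return false; }
}

static class Program
{
    static void Main()
    {
        Thread.CurrentPrincipal = new LegacyPrincipal();

        IPrincipal raw = Thread.CurrentPrincipal;
        ClaimsPrincipal wrapped = ClaimsPrincipal.Current;

        // A new wrapper object is returned, not the thread's principal itself.
        Console.WriteLine("Same instance:    " + ReferenceEquals(raw, wrapped));
        Console.WriteLine("Thread view:      " + raw.Identity.IsAuthenticated);
        // ClaimsIdentity derives IsAuthenticated from its authentication type,
        // so the copied null type makes the wrapper report unauthenticated.
        Console.WriteLine("Claims view:      " + wrapped.Identity.IsAuthenticated);
        Console.WriteLine("Wrapped identity: " + wrapped.Identity.GetType().Name);
        Console.WriteLine("Wrapped authType: " + (wrapped.Identity.AuthenticationType ?? "<null>"));

        // Diagnostic for authorization code paths: log when the two views
        // disagree so the cause of a denied request is visible.
        if (raw.Identity.IsAuthenticated != wrapped.Identity.IsAuthenticated)
            Console.WriteLine("Mismatch: source identity type is " + raw.Identity.GetType().FullName);
    }
}
```

Logging the concrete identity type and its AuthenticationType at the point of the check shows whether the principal was wrapped and which field caused the wrapper to report unauthenticated.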
