IISExpress是单线程的吗？ [英] Is IISExpress Single-Threaded?

问题描述

由于我们跨越了许多界限-网络，API，批处理等，因此我正在编写一个利用Claims来确保安全的自定义.Net应用。在开发过程中，有时会在通过Chrome登录时在系统中创建一些内容，然后通过Edge中的其他帐户以及 HttpContext.Current来测试新创建的项目。 User.Identity 对应于我的Chrome会话。我确实在后台设置了 Thread.CurrentPrincipal ，但是我的理解一直是，所有进入IIS的请求都会产生一个新线程，因此我无法弄清楚Edge请求的原因正在处理，好像它们是Chrome请求一样。

I am in the process of writing a custom .Net app that utilizes Claims for security, since we're crossing many boundaries - web, API, batch processing and so on. During development, there are occasions where I'll create something in the system while logged in via Chrome and then I'll go to test the newly created item via a different account in Edge and somehow HttpContext.Current.User.Identity corresponds to my Chrome session. I do set Thread.CurrentPrincipal behind the scenes, but my understanding has always been that all requests into IIS spawn a new thread, so I can't figure out why the Edge requests are being processed as if they are the Chrome requests.

由于Visual Studio处于调试模式，是否有可能共享此信息？

Is it possible that it's sharing this information because Visual Studio is in debug mode?

推荐答案

是的，IIS（以及IISExpress，即以应用程序格式打包的IISExpress）是多线程的。但是，您做出了一些错误的假设。

Yes, IIS (and thus IISExpress, which is IIS packaged in an "application" format) is multi-threaded. However, you have made some incorrect assumptions.

首先，没有。新请求不会产生新线程，而是在线程池线程上运行，并且在前一个请求完成后（或者您将在稍后看到异步请求等待），这些线程池将被重用。

First, no. A new request does NOT spawn a new thread, it runs on a thread pool thread, and these thread pools are re-used after the previous request finishes (or, as you'll see in a minute, when an async request waits).

第二，您不应该设置 Thread.CurrentPrincipal ，因为IIS不仅是多线程的，而且是异步的。这意味着，如果您的线程等待，则在恢复时它可能正在与启动时所在的线程不同的线程上运行。

Second, you should NOT set Thread.CurrentPrincipal, because not only is IIS multi-threaded, it's asynchronous. This means that if your thread waits, when it resumes it might be running on a different thread than the thread it started on.

第三， Thread .CurrentPrincipal 通常是工作进程（或AppPool）标识的标识，更改此标识将更改整个线程在其下运行的安全上下文。更好的选择是使用 WindowsImpersonationContext 类进行模拟（这是我假设您要尝试的方式）。

Third, Thread.CurrentPrincipal is typically the identity of the worker process (or AppPool) identity, changing this changes the security context the entire thread runs under. A much better option is to use the WindowsImpersonationContext class to do impersonation (which is what I assume you're trying to do).

WindowsIdentity clientId = (WindowsIdentity)User.Identity;

// When 'using' block ends, the thread reverts back to previous Windows identity,
// because under the hood WindowsImpersonationContext.Undo() is called by Dispose()
using (WindowsImpersonationContext wic = clientId.Impersonate())
{
    // do your work that needs the identity
}

如果确实需要设置自定义主体，则通常应使用 HttpContext.Current.User 而不是Thread。 CurrentPrincipal。

If you do need to set a custom principal you should usually be using HttpContext.Current.User rather than Thread.CurrentPrincipal.

这篇关于IISExpress是单线程的吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！