Security, Thread.CurrentPrincipal, and ConfigureAwait(false)

Question

Would using Thread.CurrentPrincipal's claims in a referenced library that uses ConfigureAwait(false) pose any problems or will the flowing of ExecutionContext's logical call context take care of me there? (my reading and testing so far indicates that it will).

Example WebAPI Controller Action:

[CustomAuthorizeThatSetsCurrentUsersClaimsToThreadCurrentContextAndHttpContextCurrentUser]
public async Task<Order> Get(int orderId)
{
    return await _orderBusinessLogicLibrary.LoadAsync(orderId); // defaults to .ConfigureAwait(true)
}

Example load functions from external, referenced library:

[ClaimsPrincipalPermission(
    SecurityAction.Demand,
    Operation="Read",
    Resource="Orders")]
[ClaimsPrincipalPermission(
    SecurityAction.Demand,
    Operation="Read",
    Resource="OrderItems")]
public async Task<Order> Load(int orderId)
{
    var order = await _repository.LoadOrderAsync(orderId).ConfigureAwait(false);

    // here's the key line.. assuming this lower-level function is also imposing
    // security constraints in the same way this method does, would
    // Thread.CurrentPrincipal still be correct inside the function below?
    order.Items = await _repository.LoadOrderItemsAsync(orderId).ConfigureAwait(false);
    return order;
}

Also, the answer can't be "well, don't use ConfigureAwait(false) then!". That can cause other problems, such as deadlock (Don't Block on Async Code).

Recommended answer

From my tests, it appears that Thread.CurrentPrincipal will flow correctly, even if you use ConfigureAwait(false). The following WebAPI code sets the principal and then blocks on an async call, forcing another thread to resume the async method. That other thread does inherit the correct principal.

private async Task<string> Async()
{
    await Task.Delay(1000).ConfigureAwait(false);
    return "Thread " + Thread.CurrentThread.ManagedThreadId + ": " + Thread.CurrentPrincipal.Identity.Name + "\n";
}

public string Get(int id)
{
    var user = new ClaimsPrincipal(new ClaimsIdentity(
        new[]
        {
            new Claim(ClaimTypes.Name, "Bob"),
        }
    ));
    HttpContext.Current.User = user;
    Thread.CurrentPrincipal = user;

    var ret = "Thread " + Thread.CurrentThread.ManagedThreadId + ": " + Thread.CurrentPrincipal.Identity.Name + "\n";

    ret += Async().Result;

    return ret;
}

When I run this code on a new instance of IISExpress, I get:

"Thread 7: Bob\nThread 6: Bob\n"

However, I should point out that using ConfigureAwait(false) to avoid deadlock is not recommended. This is especially true on ASP.NET. If at all possible, use ConfigureAwait(false) and also use async all the way. Note that WebAPI is a fully-async stack and you should be able to do this.
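
A console check of the behaviour discussed in this thread, added here as an example (it is not code from the question or the answer). It assumes a .NET console app with no SynchronizationContext; the claim type `permission`, the value `Orders.Read` and the names `PrincipalFlowDemo` and `Describe` are made up for illustration. It goes one step beyond the answer's test by also showing the case where ExecutionContext flow is suppressed, which is when the principal does not follow the work.

```csharp
using System;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;

static class PrincipalFlowDemo
{
    // Stand-in for a library method that checks a claim after an await.
    static async Task<string> LoadAsync()
    {
        await Task.Delay(100).ConfigureAwait(false); // resumes on a pool thread
        return Describe("after ConfigureAwait(false)");
    }

    // Reports which thread we are on and what the ambient principal allows.
    static string Describe(string where)
    {
        var principal = Thread.CurrentPrincipal as ClaimsPrincipal;
        bool canRead = principal != null && principal.HasClaim("permission", "Orders.Read");
        string name = principal?.Identity?.Name ?? "(none)";
        return $"{where}: thread {Environment.CurrentManagedThreadId}, user '{name}', Orders.Read={canRead}";
    }

    static void Main()
    {
        // Constructed sample identity; the claim type and value are assumptions.
        Thread.CurrentPrincipal = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "Bob"),
            new Claim("permission", "Orders.Read"),
        }, "demo"));

        Console.WriteLine(Describe("caller"));
        Console.WriteLine(LoadAsync().GetAwaiter().GetResult());

        // With flow suppressed, the work item captures no ExecutionContext,
        // so the pool thread does not see the caller's principal.
        Task<string> unflowed;
        using (ExecutionContext.SuppressFlow())
        {
            unflowed = Task.Run(() => Describe("flow suppressed"));
        }
        Console.WriteLine(unflowed.GetAwaiter().GetResult());
    }
}
```

Code that queues work without flowing ExecutionContext (for example under `ExecutionContext.SuppressFlow()`) should pass the principal explicitly instead of reading `Thread.CurrentPrincipal`.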
