Basic Auth: recommended technique?

Topics: Web Api
Nov 14, 2011 at 2:28 PM
Edited Nov 14, 2011 at 7:27 PM

I was reviewing different techniques for doing Basic Authentication with WCF Web API.

I was doing some testing and I am trying to determine the "recommended technique" for finding out the current user.

My setup: VS 2010 (running as admin), WCF Web API Preview 5 with IIS Express configured for Basic Authentication.
Here are the important bits from my web.config:
    <validation validateIntegratedModeConfiguration="false" />
    <modules runAllManagedModulesForAllRequests="true" />
        <basicAuthentication enabled="true" />
        <anonymousAuthentication enabled="false"/>
        <windowsAuthentication enabled="false" />

I read Pedro Felix's blog, where he talks about parsing and validating the basic token by hand. This seemed like it was too much work, and I continued searching for an easier way.

Next I read Phil Haack's article, where he started by getting the user's identity from HttpContext.Current, then changed to Thread.CurrentPrincipal.

This sounded like a good idea.

After implementing his "AuthOperationHandler", I put the following code in the OnHandle method so I could see what was going on:
        protected override HttpRequestMessage OnHandle(HttpRequestMessage input)
        {
            var uid1 = System.Web.HttpContext.Current.User.Identity; // identity from the ASP.NET context
            var uid2 = Thread.CurrentPrincipal.Identity;             // identity from the thread principal
            var uid3 = WindowsIdentity.GetCurrent();                 // current Windows identity
            return input;
        }

When I set a breakpoint, the uid1 (HttpContext) and uid3 (current WindowsIdentity) values are populated correctly; however, the uid2 (Thread Principal) value is NULL. From reading the comments on Phil's blog, it doesn't sound like folks like the HttpContext very much.

So I continued digging and found the following:
            var smp = input.Properties["Security"] as SecurityMessageProperty;

I would assume that getting the value directly from the HttpRequestMessage (i.e. the smp variable) would be preferable; on the other hand, this only works when we have an HttpRequestMessage, but the WindowsIdentity.GetCurrent will work anywhere. Since I haven't seen any chatter about it here, I thought I would bounce this idea off the community and get some feedback. :)

Dec 30, 2011 at 3:22 AM
Edited Dec 30, 2011 at 5:14 AM


Still wondering what the best way is to set the Principal after authenticating the credentials...


After scouring the forum, it looks like sticking the Principal into the HttpRequestMessage.Properties dictionary for subsequent extraction/injection via OperationHandler is the preferred technique.

Glenn and crew, can you please confirm?
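
An added example (not written by any poster in this thread, and not WCF Web API's own code) of what the hand parsing of a Basic token mentioned in the first post involves, ending with the IPrincipal that the second post wants to attach to the request. The class and method names, the UTF-8 decoding and the `validate` callback are assumptions made for illustration.

```csharp
using System;
using System.Security.Principal;
using System.Text;

public static class BasicAuthParser
{
    // Returns false on malformed input instead of throwing, so the caller can answer 401.
    public static bool TryParse(string headerValue, out string user, out string password)
    {
        user = null; password = null;
        const string scheme = "Basic ";   // the scheme name is case-insensitive
        if (string.IsNullOrWhiteSpace(headerValue) ||
            !headerValue.StartsWith(scheme, StringComparison.OrdinalIgnoreCase)) return false;

        byte[] raw;
        try { raw = Convert.FromBase64String(headerValue.Substring(scheme.Length).Trim()); }
        catch (FormatException) { return false; }

        // Split on the first colon only: the password may itself contain colons.
        string decoded = Encoding.UTF8.GetString(raw);   // UTF-8 is an assumption of this example
        int sep = decoded.IndexOf(':');
        if (sep <= 0) return false;                      // no colon, or empty user name
        user = decoded.Substring(0, sep);
        password = decoded.Substring(sep + 1);
        return true;
    }

    // validate is a caller-supplied credential check (hypothetical, e.g. a user store lookup).
    public static IPrincipal Authenticate(string headerValue, Func<string, string, bool> validate)
    {
        string user, password;
        if (!TryParse(headerValue, out user, out password) || !validate(user, password))
            return null;
        // The authentication type records how the identity was established.
        return new GenericPrincipal(new GenericIdentity(user, "Basic"), new string[0]);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample header and constructed credentials, for demonstration only.
        string header = "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes("alice:s3cret:with:colons"));
        IPrincipal p = BasicAuthParser.Authenticate(header, (u, pw) => u == "alice" && pw == "s3cret:with:colons");
        Console.WriteLine(p != null ? p.Identity.Name : "401");
        Console.WriteLine(BasicAuthParser.Authenticate("Basic !!!", (u, pw) => true) == null ? "401" : "ok");
    }
}
```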