Passing authentication data via a host in the middle

kboutsen posted on Thursday, April 01, 2010


The scenario I have is the following:

I basically have 2 hosts running.

Host1: a Csla host that takes care of data handling, authenticating users,...

Host 2: a second host (no Csla host) that has a WCF REST interface (created with the WCF REST Starter Kit Preview 2). This WCF REST interface is used to do some easy things like getting a list of objects of type A. For example I can go to http://localhost/ListA to get a list of objects of type A. Internally it uses host 1 to get the data.

When I now connect with host 2 (via http://localhost/ListA) I want to be able to use the correct authorization rules that the logged in user has on the data. Therefore I need host 2 to be able to log in on host 1 with the credentials given by the WCF REST headers (in these headers, the username/password that are valid for host 1 are given). But host 2 can't log in with the given username/password, since the Principal object is stored in a static variable (Csla.ApplicationContext), making it not multi-threaded. How can host 2 get the data from host 1 with the given username/password?

Simplified it is this:

The problem I see is that host 2 cannot log in on host 1, because of the shared principal object. Therefore it is not multi-threaded.

How can I solve this?


Kind regards,


RockfordLhotka replied on Thursday, April 01, 2010

ApplicationContext.User is stored differently on different platforms.

If I understand your question, you want a user to pass credentials in the HTTP header to host 2. You then want host 2 to use those credentials to authenticate with host 1.

Host 2 is running in ASP.NET, so ApplicationContext.User will be stored in HttpContext and so is per-thread (actually per-request, because ASP.NET can switch your code between threads, so real per-thread storage isn't safe in ASP.NET - which was the original reason I created ApplicationContext.User in 2004).
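
The difference between a process-wide static principal and per-request storage, as an added simulation that is not part of the original thread and not CSLA's own code. `StaticContext`, `RequestContext` and `Handle` are hypothetical names; `RequestContext` stands in for ASP.NET's `HttpContext`, and the user names are constructed.

```csharp
using System;
using System.Security.Principal;
using System.Threading.Tasks;

// Simulation only: StaticContext is the process-wide static the question
// worries about; RequestContext stands in for per-request HttpContext storage.
static class StaticContext { public static IPrincipal User; }

sealed class RequestContext { public IPrincipal User; }

static class Demo
{
    // One simulated request: record the caller's principal in both stores,
    // do some work, then report whose identity each store holds at the
    // point where an authorization check would run.
    static async Task<(string seenStatic, string seenPerRequest)> Handle(string userName, int workMs)
    {
        var principal = new GenericPrincipal(new GenericIdentity(userName), new string[0]);
        var ctx = new RequestContext { User = principal };   // per-request storage
        StaticContext.User = principal;                      // shared by all requests

        await Task.Delay(workMs);   // the request may resume on a different thread

        return (StaticContext.User.Identity.Name, ctx.User.Identity.Name);
    }

    static async Task Main()
    {
        // alice's request starts first and finishes last; bob's overlaps it.
        var alice = Handle("alice", 200);
        await Task.Delay(50);
        var bob = Handle("bob", 10);
        var results = await Task.WhenAll(alice, bob);

        // With the static store, alice's request ends up evaluated as bob.
        Console.WriteLine($"alice: static={results[0].seenStatic}, per-request={results[0].seenPerRequest}");
        Console.WriteLine($"bob:   static={results[1].seenStatic}, per-request={results[1].seenPerRequest}");
    }
}
```

The static store shows the identity-confusion failure mode for overlapping requests, while the per-request store keeps each caller's principal tied to its own request even when execution moves between threads.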

Copyright (c) Marimer LLC