RE: Send custom IPrincipal object from client to WCF service - Possibl

Keep in mind that you shouldn't base any security decisions on information originating from the client - the client is basically untrusted. Can't you re-create the information you need based on the authenticated principal?

Dominick Baier

Developing More Secure Microsoft ASP.NET 2.0 Applications

Hello James,

Thanks for your response.

What we ended up doing is kinda like that. We custom serialize our
IPrincipal object, stuff it in the message header, then extract and
recreate our object at the server within the Evaluate method.

We found no way to directly send a custom IPrincipal object created
at the client, directly through the server. Every sample we saw built
the object at the server with only say a 'windows' account or
user/pass pair passed in.

Doing it the way we did, we were able to keep all of the information
we had stuffed in the custom object when we created it on the client.

Thanks again.

"aiKeith" wrote:

We are trying to do something that doesn't appear to be possible.

Simply this:

We create an IPrincipal object on the client based on a custom class
that holds info we need for auditing (ip, workstation_name, etc.).

What we want to do is somehow pass this IPrincipal object to WCF when
we access it. This is necessary so we can get the auditing info.

Why is it that it only appears you can create the Principal object at
the server based on a Windows Account or ClientCredentials --
neither of which will work for us because even if we persisted the
IPrincipal object in a db, we couldn't be sure of reconstructing the
same object at the server - that is if the same user account was
logged into 2 different machines.

Any help would be extremely appreciated.
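
An added example, not code from any poster in this thread: a server-side `IAuthorizationPolicy` that combines the header approach described above with the advice at the top of the thread. The identity comes from WCF authentication and roles from a server-side lookup, while the client-supplied header is stored only as a labelled, length-limited audit claim. The header name and namespace, `AuditContext`, `AuditPrincipal` and `LookUpRoles` are hypothetical.

```csharp
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Channels;

public sealed class AuditContext            // hypothetical audit record
{
    public string ClaimedWorkstation;       // from the client header: untrusted, log only
    public string ObservedAddress;          // peer address seen by the server transport
}

public sealed class AuditPrincipal : GenericPrincipal   // hypothetical principal type
{
    public readonly AuditContext Audit;
    public AuditPrincipal(IIdentity id, string[] roles, AuditContext audit)
        : base(id, roles) { Audit = audit; }
}

public sealed class AuditAuthorizationPolicy : IAuthorizationPolicy
{
    const string HeaderName = "AuditInfo", HeaderNs = "urn:example:audit"; // assumed names
    public string Id { get { return "AuditAuthorizationPolicy"; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext context, ref object state)
    {
        object obj;
        if (!context.Properties.TryGetValue("Identities", out obj)) return false;
        var identities = obj as IList<IIdentity>;
        if (identities == null || identities.Count == 0) return false;
        IIdentity identity = identities[0];          // established by WCF authentication

        var audit = new AuditContext();
        MessageHeaders headers = OperationContext.Current.IncomingMessageHeaders;
        if (headers.FindHeader(HeaderName, HeaderNs) >= 0)
        {
            string claimed = headers.GetHeader<string>(HeaderName, HeaderNs) ?? "";
            audit.ClaimedWorkstation = claimed.Length > 64 ? claimed.Substring(0, 64) : claimed;
        }
        object prop;                                 // server-observed value, kept separately
        if (OperationContext.Current.IncomingMessageProperties
                .TryGetValue(RemoteEndpointMessageProperty.Name, out prop))
            audit.ObservedAddress = ((RemoteEndpointMessageProperty)prop).Address;

        string[] roles = LookUpRoles(identity.Name); // never taken from the header
        context.Properties["Principal"] = new AuditPrincipal(identity, roles, audit);
        return true;
    }
    // Placeholder: replace with a query against the server-side role store.
    static string[] LookUpRoles(string userName) { return new string[0]; }
}
```

The policy takes effect when it is registered under the service's `serviceAuthorization` behavior with `principalPermissionMode="Custom"`. Audit consumers should record `ClaimedWorkstation` as client-reported and rely on `ObservedAddress` and the authenticated identity for anything that affects access.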