WCF AuthorizationContext not cleared between calls from different clients. (was: When does a WCF service session actually end?)

Question

I was doing some unit testing, and ran into an interesting problem in WCF. I have a service using the wsHttpBinding, configured as such:

<bindings>
  <wsHttpBinding>
    <binding name="wsHttpUnsecured">
      <security mode="None">
        <transport clientCredentialType="None" />
        <message clientCredentialType="None" />
      </security>
    </binding>
  </wsHttpBinding>

The implementation of the service is:

public void DoWork()
{
    OperationContext o = OperationContext.Current;
    if (o == null) return;

    if (o.ServiceSecurityContext.AuthorizationContext.Properties.ContainsKey("x"))
        throw new ApplicationException();

    o.ServiceSecurityContext.AuthorizationContext.Properties.Add("x", "x");
}

All it is doing here is checking the operation context, and if there is not an "X" in the AuthorizationContext, then add one. If there was already an "X", then exception out. (this is set up strictly as a simple test. in normal use, this would be happening in a custom AuthorizationManager and Token Authenticator).

So basically, if we call the method more than once within the same operationContext and AuthorizationContext, then we will see an exception.

Now, here is my test fixture.

    [Test]
    public void CallTwice()
    {
        using (var cli1 = new TestBusinessClient())
        {
            cli1.DoWork();
            cli1.Close();
        }
        using (var cli2 = new TestBusinessClient())
        {
            cli2.DoWork();
            cli2.Close();
        }
    }

So walking through what happens at runtime:

A new TestBusinessClient is created.
It makes a call to DoWork().
DoWork() does not find "X" in the AuthorizationContext.Properties.
DoWork() adds "X" to the AuthorizationContext.Properties.
The test method disposes of the first client.
A new second TestBusinessClient is created.
It makes a call to DoWork().
DoWork() does find "X" still in the properties from the last call.
DoWork() throws an exception.

So my question is; why is the OperationContext and AuthorizationContext not killed off when a new client connects to the same service? I do understand that wsHttpBinding by default uses a session context between the calls, but I would think that session would be per client. I expected the WCF session, and therefore its contexts, to all renew when I connect with a new instance of a client.

Anyone have any thoughts or ideas? The desired result here is for AuthorizationContext.Properties to be reset between the two calls to DoWork() by the two separate clients.

Update 1

I tried setting the service PerCall and PerSession, and neither made a difference.

I also tried the service with reliable messaging on and off, and neither changed anything.

I also saved off my operationContext at the first call and the second call, and compared the two:

OperationContext first; // context from first call to DoWork()
OperationContext second; // context from second call to DoWork() 

(first == second) = false
(first.ServiceSecurityContext == second.ServiceSecurityContext) = false
(first.ServiceSecurityContext.AuthorizationContext == second.ServiceSecurityContext.AuthorizationContext) = true

So it kind of looks like the operation context is changed / recreated, but something is setting the same AuthorizationContext on each subsequent service call.

Update 2

Here is all the server-side stuff:

[ServiceContract]
public interface ITestBusiness
{
    [OperationContract(Action = "*", ReplyAction = "*")]
    string DoWork();
}

public class TestBusiness : ITestBusiness
{
    public string DoWork()
    {
        System.ServiceModel.OperationContext o = System.ServiceModel.OperationContext.Current;
        if (o != null)
        {
            if (o.ServiceSecurityContext.AuthorizationContext.Properties.ContainsKey("x"))
                throw new ApplicationException();
            else
                o.ServiceSecurityContext.AuthorizationContext.Properties.Add("x", "x");
        }
    }
    return "";
}

As a sanity check, I did the following:

Start an instance of the WCF server (using Cassini / integrated VS 2008 server).
Reduce the test fixture to only 1 call to DoWork().
Run the test from TestDriven.NET within VS 2008.
Open the same test .dll from NUnit's standalone GUI tool, and run it.

The first test run passes, and the second fails. So it seems this is purely server side, as running the same service call from 2 different processes ends up with the same AuthorizationContext.

I'm starting to wonder if maybe something internal to WCF is still stuck on WindowsAuthentication and reusing the same Auth Context since I'm logged into the same domain with the same user name? My service is set to use a custom AuthorizationManager:

        <serviceBehaviors>
            <behavior name="myBehavior">
                <serviceMetadata httpGetEnabled="false"  />
                <serviceDebug includeExceptionDetailInFaults="true" />
                <serviceAuthorization principalPermissionMode="Custom" serviceAuthorizationManagerType="My.Namespace.CustomAuthMgr" />
            </behavior>

Where My.Namespace.CustomAuthMgr extends ServiceAuthorizationManager. If I set a breakpoint in CustomAuthMgr.CheckAccess(), then on the first call, operationContext.ServiceSecurityContext.AuthorizationContext is clear, and on the second call, it contains whatever I put in it from the previous call. This is the first method of my own code that is executed by WCF, so something before the Authorization phase is reloading my AuthorizationContext.

Update 3

Some added info: In order to validate some things, I changes my service implementation to no longer throw an exception, and instead return a counter of the number of times called, plus the current thread ID:

    public string DoWork()
    {
        var o = System.ServiceModel.OperationContext.Current.ServiceSecurityContext.AuthorizationContext;
        if (o != null)
        {
            if (o.Properties.ContainsKey("x"))
                o.Properties["x"] = (int)o.Properties["x"] + 1;
            else
                o.Properties.Add("x", 1);
        }

        return o.Properties["x"].ToString() + " | " + System.AppDomain.GetCurrentThreadId().ToString();
    }

Then running the test once from NUnit GUI results in:

1 | 3816

I then close the NUnit GUI, restart it, and run the test again:

2 | 3816

I then close the NUnit GUI again, and run the test from TestDriven.NET within Visual Studio:

3 | 3816

So its definitely persisting my AuthorizationContext between client processes, but the same thread handles each service call, so maybe AuthorizationContext is just Thread-static or something?

Nope, it has nothing to do with the thread. I added a Thread.Sleep(10000); to the service implementation, then ran 2 NUnit GUIs at once, and each one printed out "2" but with different thread IDs:

2 | 5500
2 | 5764

So AuthorizationContext is being persisted across threads too. Nifty.

Can you show us the service contract (server side) and the implementation of the service (just the class definition with any attributes it might have) — marc_s, Jul 27 '09 at 19:17
It's been a few years since your question, but did you find a solution? After days of debugging, I see I have the exact same issue, in my CustomAuthMgr.CheckAccess() I see that the OperationContext is unique, but the AuthorizationContext ger reused. This cause requests to be executed on the wrong session and cause a severe security issue in my service. Any feedback on how (if) you solved your issue would be appreciated. — Dunge, Dec 10 '19 at 15:59

score 1 · Answer 1 · answered Jul 27 '09 at 18:39

1

That really depends on how you are defining session and client. If you are making two calls from the same process, there is every possibility that the WCF communication layer is multiplexing them down the same connection.

Have you actually tried to run two connects from entirely different processes? Do you achieve the same results?

answered Jul 27 '09 at 18:39

Christopher

8,815
2
32
41

I tried starting the service (in Cassini / VS 2008 integrated web server), then running the unit test once, which passes, and closes the nunit session. Then ran the unit test a 2nd time, and it fails. I ran these 2 back to back with TestDriven.NET within VS 2008. I then opened NUnit GUI tool (external to VS2008) loaded the same test .dll, and the test still failed, all running against the same server. So 3 test runs, from 2 different process chains, and only the 1st one to run passes. – CodingWithSpike Jul 27 '09 at 19:34
I am also surprised by your results. A good way to track this down might be to turn on security auditing in WCF. It's just a behavior your can attach to your service. The feault is AuditLevel.None, but if you turn it way up it might give you some more transparency about what is happening and when. – Christopher Jul 27 '09 at 20:18

score 1 · Answer 2 · answered Jul 27 '09 at 18:57

1

It depends on the configuration of your service, what value you choose for your SessionMode:

[ServiceContract(Namespace="http://Microsoft.ServiceModel.Samples", SessionMode=SessionMode.Required)]
public interface ICalculatorSession

http://msdn.microsoft.com/en-us/library/ms733040.aspx

http://msdn.microsoft.com/en-us/library/system.servicemodel.sessionmode.aspx

answered Jul 27 '09 at 18:57

Shiraz Bhaiji

64,065
34
143
252

I tried both SessionMode.NotAllowed and SessionMode.Required, with no difference. – CodingWithSpike Jul 27 '09 at 19:10
You need also to set InstanceContextMode this can be InstanceContextMode.PerSession / PerCall / single, the second link has some info on this. – Shiraz Bhaiji Jul 27 '09 at 19:42
I tried both PerSession and PerCall with no change in the result. As noted in my Update #2 above, I also started calling the service once from 2 different processes, and still the same result. – CodingWithSpike Jul 27 '09 at 19:58

marc_s · Answer 3 · 2009-07-27T19:16:16.317

1

WsHttp binding will by default run in session mode, since security is turned on by default. If you turn it off completely (as your config seems to show), it'll revert to per-call mode, unless your service contract specifically requires a session.

The session will last as long as none of the session timeouts have occured - you can define one on the server, and another one on the client, and the shorter one "wins". The easiest way to specify it is by adding the reliable messaging to the wsHttpBinding:

  <wsHttpBinding>
    <binding>
      <reliableSession inactivityTimeout="00:10:00"/>
    </binding>
  </wsHttpBinding>

Otherwise you'll have to do it in code or by defining your custom binding.

OR: you can also define certain methods on your service contract to be "terminating" methods, and if those have been called and terminate, the session will be destroyed as well.

[ServiceContract(SessionMode=SessionMode.Required)]
interface YourServiceContract
{
    [OperationContract(IsInitiating = true)]
    void InitMethod();

    [OperationContract]
    void WorkMethod()

    [OperationContract(IsTerminating=true)]
    void EndSessionMethod()
}

Here, calling the EndSessionMethod will terminate the session and no more calls can be made to the service on the particular proxy instance.

OR: an unhandled exception on the server side which is not caught and turned into a FaultException will also fault the channel and abort any session that might have been ongoing.

But as you point out - I, too, would have expected the entire session and all associated data to be discarded when the client proxy is disposed of, and recreated for a subsequent call. I'm a bit surprised by your findings....

Marc

edited Jul 27 '09 at 19:16

answered Jul 27 '09 at 19:09

marc_s

732,580
175
1,330
1,459

So, @marc_s: incorrectly using a "using" block as the OP did will not automatically end the session? – John Saunders Jul 27 '09 at 19:20
Well, that's what I would have expected, and the OP, too, but it seems it's not really disposing of the OperationContext and/or the AuthorizationContext on the server – marc_s Jul 27 '09 at 19:32
But I agree - while the `using` statement is normally a good idea, in WCF land, it can be a bit deceiving to think it works as usual - but that's advanced stuff already :-) – marc_s Jul 27 '09 at 19:37
sorry if the "using" block is confusing. In the "real world" (outside the simplicity of this test) my test clients all extend a custom base class that is IDisposable, and in that base class's Dispose, it makes sure that .Close() is called on the client, just incase other developers (other team members) forget to. It was basically my way of ensuring that .Close is always called on the clients. (Its also called in the GC finalizer, so the using block isnt even totally needed). – CodingWithSpike Jul 27 '09 at 20:01
Also note in my Update #2 above, I started calling the service from 2 separate processes on the same machine, and the same result on the server. – CodingWithSpike Jul 27 '09 at 20:03
Yes, the point with WCF client proxies is: since there is a chance that due to an error, the proxy will be faulted, it can throw an exception when the using() is trying to Dispose() it. While the using() is a good idea most of the times, here in WCF proxy land, it can lead to unexpected and unwanted side effects. – marc_s Jul 27 '09 at 21:13
Therefore, it's considered best practice to handle the proxy in your own explicit try...catch...finally block and check for conditions that would prevent you from properly closing the proxy, and in that case, call the .Abort() method on the proxy instead of the .Close() - you can't do that when you have the proxy use in a using() statement. – marc_s Jul 27 '09 at 21:15

score 0 · Answer 4 · answered Jul 28 '17 at 18:38

I have similar issue - I see that AuthorizationContext stays the same after each call.

I've noticed that in your config file you have

<serviceAuthorization principalPermissionMode="Custom" ....

Try to remove principalPermissionMode="Custom". At least in my case every new call comes with null AuthorizationContext.

WCF AuthorizationContext not cleared between calls from different clients. (was: When does a WCF service session actually end?)

4 Answers4