Is role based security in WCF dependent on the Instance Mode?

Question

We are using UserNamePasswordValidator and an IAuthorizationPolicy to load custom role data into an IPrincipal object for authentication and some business level rights on our server side.

Thus, we are using Thread.CurrentPrincipal inside our service operations to test rights etc. At the risk of getting more technical than I should, this is a static property on the Thread class which means that it has instance scope global scpope (duh, thanks Thilak). Should I change my InstanceContextMode in future for performance reasons to Single, this scheme will surely break? I am aware that Single requires you to write thread-safe code so in itself isn't just a config change.

Would you also please share any links to authoritative texts on exactly what kind of instance load WCF should be able to handle before I need to concern myself with this problem?

Answer 1

Here's a link

http://msdn.microsoft.com/en-us/magazine/cc948343.aspx

Here's my 2 cents:

Thread.CurrentPrincipal is static. Which means it has global scope not instance scope. However, it also happens to have thread affinity ... i.e. The property is marked [ThreadStatic] ... which means it has global scope, only for the current thread. And that's excellent news in your scenario, because your code using Thread.CurrentPrincipal shouldn't need to change whether youre on singleton mode or not.

p.s. Do check on the Thread context that IAuthorizationPolicy runs in. I do distinctly recall pain points with setting the Thread.CurrentPrincipal in some crazy, injected, security policy in the past. Make sure your The thread running in your IAuthorizationPolicy is the same thread your Service methods are invoked on.