logging/#543 Clear HttpContext.User when the user is disposed.

This commit is contained in:
Chris Ross (ASP.NET) 2017-09-19 15:55:14 -07:00
parent 1297798546
commit 1e1e89b457
1 changed files with 15 additions and 1 deletions

View File

@ -1,4 +1,4 @@
// Copyright (c) .NET Foundation. All rights reserved. // Copyright (c) .NET Foundation. All rights reserved.
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
using System; using System;
@ -15,6 +15,7 @@ namespace Microsoft.AspNetCore.Server.IISIntegration
internal class AuthenticationHandler : IAuthenticationHandler internal class AuthenticationHandler : IAuthenticationHandler
{ {
private const string MSAspNetCoreWinAuthToken = "MS-ASPNETCORE-WINAUTHTOKEN"; private const string MSAspNetCoreWinAuthToken = "MS-ASPNETCORE-WINAUTHTOKEN";
private static readonly Func<object, Task> ClearUserDelegate = ClearUser;
private WindowsPrincipal _user; private WindowsPrincipal _user;
private HttpContext _context; private HttpContext _context;
@ -51,6 +52,9 @@ namespace Microsoft.AspNetCore.Server.IISIntegration
NativeMethods.CloseHandle(handle); NativeMethods.CloseHandle(handle);
_context.Response.RegisterForDispose(winIdentity); _context.Response.RegisterForDispose(winIdentity);
// We don't want loggers accessing a disposed identity.
// https://github.com/aspnet/Logging/issues/543#issuecomment-321907828
_context.Response.OnCompleted(ClearUserDelegate, _context);
_user = new WindowsPrincipal(winIdentity); _user = new WindowsPrincipal(winIdentity);
} }
} }
@ -58,6 +62,16 @@ namespace Microsoft.AspNetCore.Server.IISIntegration
return _user; return _user;
} }
private static Task ClearUser(object arg)
{
var context = (HttpContext)arg;
if (context.User is WindowsPrincipal)
{
context.User = null;
}
return Task.CompletedTask;
}
public Task ChallengeAsync(AuthenticationProperties properties) public Task ChallengeAsync(AuthenticationProperties properties)
{ {
// We would normally set the www-authenticate header here, but IIS does that for us. // We would normally set the www-authenticate header here, but IIS does that for us.