Setting the Identity/Principal from a MessageInspector in WCF
I am developing a WCF service that receives the user's credentials in the SOAP header. These credentials are read on the server side using a MessageInspector. So far so good.
I want to set the Thread.CurrentPrincipal to a custom principal (CustomPrincipal), but when I do this from the MessageInspector, it gets overridden by the time the service is invoked. When is the best time to set the principal? Also, what is the best way to pass the principal, identity or credentials from the inspector to that location?
IIRC, to do this you need to set the principal permission mode to "custom" and use an authorization policy, like so. As far as I know, the call to IAuthorizationPolicy.Evaluate is the only place it is expecting you to set a principal, and when I tried this without using IAuthorizationPolicy it discarded my principal (which makes sense, since there is no guarantee that WCF will use the same thread at each point in the pipeline).
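Added example, not part of the original answers: a sketch of the authorization-policy approach described above, in which the policy reads the credential headers itself and publishes the principal through the evaluation context. The header names, the `urn:example:credentials` namespace, the `authenticate` callback and the `PrincipalPolicySetup` helper are hypothetical, and it assumes the headers are readable through `OperationContext.Current` inside `Evaluate`.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;

public sealed class HeaderPrincipalPolicy : IAuthorizationPolicy
{
    // Hypothetical header namespace; use the names your client actually sends.
    private const string Ns = "urn:example:credentials";
    // Hypothetical credential check: returns the user's roles, or null on failure.
    private readonly Func<string, string, string[]> authenticate;
    private readonly string id = Guid.NewGuid().ToString();

    public HeaderPrincipalPolicy(Func<string, string, string[]> authenticate)
    {
        this.authenticate = authenticate;
    }

    public string Id { get { return id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        MessageHeaders headers = OperationContext.Current.IncomingMessageHeaders;
        string user = Read(headers, "UserName"), password = Read(headers, "Password");
        string[] roles = (user != null && password != null) ? authenticate(user, password) : null;

        // Fail closed: an unauthenticated principal with no roles if the check does not pass.
        IPrincipal principal = roles != null
            ? new GenericPrincipal(new GenericIdentity(user, "SoapHeader"), roles) // or a CustomPrincipal
            : new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);

        // With PrincipalPermissionMode.Custom, WCF copies this entry to Thread.CurrentPrincipal.
        evaluationContext.Properties["Principal"] = principal;
        return true; // nothing further to evaluate
    }

    private static string Read(MessageHeaders headers, string name)
    {
        int i = headers.FindHeader(name, Ns);
        return i < 0 ? null : headers.GetHeader<string>(i);
    }
}

public static class PrincipalPolicySetup
{
    // Call before host.Open().
    public static void Apply(ServiceHostBase host, Func<string, string, string[]> authenticate)
    {
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.Custom;
        host.Authorization.ExternalAuthorizationPolicies =
            new List<IAuthorizationPolicy> { new HeaderPrincipalPolicy(authenticate) }.AsReadOnly();
    }
}
```

Because the principal travels in the authorization context rather than on a thread, it is still in place when the operation runs, and `PrincipalPermission` demands see the unauthenticated principal when the headers are missing or rejected.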
Rory has a post that describes a solution to this problem. http://www.neovolve.com/2008/04/07/wcf-security-getting-the-password-of-the-user/
Just a note, if you are hosting the WCF services within IIS, you can enable the aspnetcompatibility behavior for your service. In that case you can set HttpContext.Current.User to the user you just authenticated within your message inspector.