HttpServer captures Thread.CurrentPrincipal and restores it to this original value when finished handling a request. However, it is reset before the formatters have been asked to serialize their response.
Impact is low because only the formatters encounter this, and it unlikely they require the principal.
To reproduce this, write a custom message handler that sets Thread.CurrentPrincipal to some custom principal. Also write a custom media type formatter that accesses Thread.CurrentPrincipal in its WriteToStreamAsync() method.
Expected: Thread.CurrentPrincipal is the custom one set in message handler
Actual: Thread.CurrentPrincipal has been reset back to what it was when the request was received.
Comments: Use GetRequestContext().Principal instead of Thread.CurrentPrincipal. It does not get reset.
Impact is low because only the formatters encounter this, and it unlikely they require the principal.
To reproduce this, write a custom message handler that sets Thread.CurrentPrincipal to some custom principal. Also write a custom media type formatter that accesses Thread.CurrentPrincipal in its WriteToStreamAsync() method.
Expected: Thread.CurrentPrincipal is the custom one set in message handler
Actual: Thread.CurrentPrincipal has been reset back to what it was when the request was received.
Comments: Use GetRequestContext().Principal instead of Thread.CurrentPrincipal. It does not get reset.