Unable to implement a custom Identity from Csla.Security.CslaIdentity due to Serialization Error

[ronnymgm]

Hi, I'm having this error and I don't know what I'm missing or if this is actually an issue.

I have a simple .Net MVC application executing a service using the HttpPortal.
If I set the Csla.ApplicationContext.User with my custom Identity class, it fails to serialize with error: Unable to read beyond the end of the stream. But only if the Roles collection holds something, when the collection is null the serialization is successful.

Please check my code below.. and let me know your thoughts.

`
Csla.ApplicationContext.User = new Csla.Security.CslaClaimsPrincipal(new SimpleIdentity());

[Serializable]
public class SimpleIdentity : Csla.Security.CslaIdentity
{
public SimpleIdentity()
{
Roles = new MobileList();
Roles.Add("test");
}
}
`

MVCWebTest.zip

[rockfordlhotka]

First, this is a poor strategy, because going forward ASP.NET Core and later require the use of ClaimsPrincipal and ClaimsIdentity, and you should switch to using those when possible.

Second, to create a custom identity type you should subclass CslaIdentityBase<T>, so you can add properties and behaviors to the subclass.

But really, everyone's strategy needs to be to shift from custom principal/identity types to the standard ClaimsPrincipal and ClaimsIdentity.

[rockfordlhotka]

Though looking back through the code, I'm probably a bit harsh on the "don't subclass CslaIdentity" statement. I haven't dealt with anything except the claims types for a long time, and my memory on the older stuff isn't super sharp 😳

You should be able to subclass CslaIdentity for the purpose of implementing a data portal fetch operation. That class is not designed to create an actual custom identity (with extra properties, etc.), but rather just to allow you to implement a custom data portal fetch method that runs on the server to load the object with data.

[ronnymgm]

Thanks, Rocky.
I'm going to use the standard .Net Claims classes as you suggest.
I just need to attach a few more properties to my Identity class.. but I think, I can achieve the same using special Claims.

Regarding the Csla.Security.CslaIdentity class, I noticed everything works with the Binary Serializer, but not with the Mobile.
I double-checked using the Csla.Core.ObjectCloner.

Thanks again.

[rockfordlhotka]

Recorded as bug: #1870

[ronnymgm]

Hi,
Looks like we have the same error using the Csla.Security.CslaClaimsPrincipal class with a standard ClaimsIdentity and the MobileFormatter.
ObjectCloner throws "System.IO.EndOfStreamException: 'Unable to read beyond the end of the stream" when the ClaimsIdentity includes some claims in the collection.

Test code adjusted as follows :
var claims = new Claim[] { new Claim(ClaimTypes.Name, "Test"), new Claim(ClaimTypes.Role, "Admin") };
var principal = new Csla.Security.CslaClaimsPrincipal(new ClaimsIdentity(claims,"Custom", ClaimTypes.Name, ClaimTypes.Role));
var clone = (Csla.Security.CslaClaimsPrincipal)Csla.Core.ObjectCloner.Clone(principal);

I think this can be more critical because this means the whole idea of using Claims classes is not working with the MobileFormatter.

[rockfordlhotka]

What version of CSLA are you using?

Current 5.3.x has code in MobileFormatter to properly serialize a ClaimsPrincipal. It does this by using a CslaClaimsPrincipal, which is really nothing more than a serializable wrapper around ClaimsPrincipal, because ClaimsPrincipal isn't actually serializable.

I'm pretty confident this works, because the current ProjectTracker app relies on ClaimsPrincipal and it works with MobileFormatter.

[rockfordlhotka]

Also, along with the CSLA version, what client tech are you using? Blazor has special requirements (for example).

[ronnymgm]

I'm referencing Csla Nuget Package 5.3.2.
The Project is a .Net Framework MVC App, .Net 4.7.2 .. vanilla.

I'm checking the ProjectTracker sample.. I don't actually see much difference with what I'm doing.

MVCWebClientServer.zip

In my sample actually I'm just passing the CslaClaimsPrincipal through the ObjectCloner and it fails.

The configuration file settings, maybe?

[rockfordlhotka]

Ahh, in .NET Framework CSLA still defaults to using BinaryFormatter, and ClaimsPrincipal is not serializable.

I put special behavior into MobileFormatter so it can serialize ClaimsPrincipal objects, but obviously I can't change the way Microsoft implements BinaryFormatter.

If you configure CSLA to use MobileFormatter as its primary serializer, then it should work.

[ronnymgm]

How can I change that?
I have this in my client and server configuration file.

<add key="CslaSerializationFormatter" value="MobileFormatter"/>

[ronnymgm]

I'm doing this also to ensure the MobileFormatter is use.
Csla.Configuration.ConfigurationManager.AppSettings["CslaSerializationFormatter"] = "MobileFormatter";

After some more testing, looks like the serialization issue is only reproducible in .Net Framework.
These same 5 lines of code serialize correctly in a .Net Core, but fail in .Net Framework

Csla.Configuration.ConfigurationManager.AppSettings["CslaSerializationFormatter"] = "MobileFormatter";
var identity = new ClaimsIdentity("Custom", ClaimTypes.Name, ClaimTypes.Role);
identity.AddClaim(new Claim(ClaimTypes.Name, "Test"));
var principal = new Csla.Security.CslaClaimsPrincipal(identity);
var cloneTest = (Csla.Security.CslaClaimsPrincipal)Csla.Core.ObjectCloner.Clone(principal); //This line throws Ex 

Because the MobileFormatter will serialize the principal in Csla.ApplicationContext.User, because is part of the Context... So I cannot set a claims principal here.

[ronnymgm]

Same .. result using the standard Claims Principal class.
It works in Net Core but fails in Net Framework.

/**ClaimsPrincipal Mobile Formatter Serialization Test **/
Csla.Configuration.ConfigurationManager.AppSettings["CslaSerializationFormatter"] = "MobileFormatter";
var identity = new ClaimsIdentity("Custom", ClaimTypes.Name, ClaimTypes.Role);
identity.AddClaim(new Claim(ClaimTypes.Name, "Test"));
var principal = new ClaimsPrincipal(identity);
var cloneTest = (ClaimsPrincipal)Csla.Core.ObjectCloner.Clone(principal); //This line Throws Ex

I think the test is valid.. because I see ObjectCloner is what is in use to Unit Test serialization in the Csla source code.

[rockfordlhotka]

That's a good clue, thank you!

The MobileFormatter triggers off the type of ClaimsPrincipal, and perhaps the netstandard type doesn't match the .NET Framework type. If so, then arrrgggg!

[rockfordlhotka]

Or, this could be a bug in the .NET Framework itself.

This code - which has nothing to do with CSLA at all - pure .NET code - fails on .NET Framework 😢

using System;
using System.Security.Claims;

namespace ClaimsSerializationFx
{
  class Program
  {
    static void Main(string[] args)
    {
      var identity = new ClaimsIdentity("Custom", ClaimTypes.Name, ClaimTypes.Role);
      identity.AddClaim(new Claim(ClaimTypes.Name, "Test"));
      var principal = new ClaimsPrincipal(identity);
      byte[] data;
      using (var buffer = new System.IO.MemoryStream())
      {
        using (var writer = new System.IO.BinaryWriter(buffer))
        {
          principal.WriteTo(writer);
          data = buffer.ToArray();
        }
      }
      using (var buffer = new System.IO.MemoryStream(data))
      {
        using (var reader = new System.IO.BinaryReader(buffer))
        {
          object mobile = new ClaimsPrincipal(reader);
        }
      }

      Console.WriteLine("done");
    }
  }
}

[rockfordlhotka]

I guess this is a hint from Microsoft that .NET Framework is end of life?

Seriously thought, one must assume that Microsoft will fix this (once they become aware of the bug), but that wont' happen until .NET Framework 4.8.x at some point in the future.

(though I suppose they may not fix it, as this is a bug, not a security issue or platform compatibility issue, so maybe this is permanent?)

In the meantime, any workaround at this point must require manually pulling apart properties from the principal and identity objects, putting them into a byte stream, and then reassembling them into a principal/identity pair on deserialization. I suspect this might be possible - at least manually pulling out the claims from the identity and putting them into a serializable list (like Csla.Core.MobileList<string>).

Thoughts are welcome.

[rockfordlhotka]

@ronnymgm it is now clear that this is a bug in the .NET Framework where the ClaimsPrincipal type doesn't properly deserialize itself based on the byte stream it creates.

I see the following options for you:

1. Report this bug to Microsoft and wait for a potential fix in a future 4.8.x release
2. Move your codebase to .NET Core or .NET 5, where this bug doesn't exist
3. Contribute a custom serialization solution so MobileFormatter can work around this issue - presumably by manually pulling the properties/data from ClaimsPrincipal and ClaimsIdentity into a byte stream, and then putting the values into a new principal/identity pair

[ronnymgm]

Hi Rocky.
Thanks for all your support.

I can try options 1 and 3.
Option 2 is hard because we have a huge codebase in .Net Framework in 4.7.
Actually, all this effort is trying to upgrade from Csla (4.11 wcf ) to (5.3 http), but it's being bumpy with a lot of serialization issues.

Do you have the direct link where I can report this to the .net framework team ?

Thanks.

[rockfordlhotka]

Straight from the source:

https://github.com/microsoft/dotnet

[rockfordlhotka]

Realistically though, I think option 3 is your only viable approach, because it might take months to get a 4.8.x update that fixes this bug, and I suspect you can't wait that long.

I'm happy to accept a contribution that provides a solution, and am also happy to work with you in terms of how such a thing might work.

[rockfordlhotka]

I have entered an item in the backlog to track any possible work in this area: #1877

[ronnymgm]

Step 1 completed : #1264

Let's see what workaround/fix can we implement in our project that can be used here.
I will keep you posted.

Thanks.