Chapter 33. What Is Thread.CurrentPrincipal?

This humble static property of the Thread class is central to the way role-based security works in the .NET Framework, as I show in Item 34. It's used as a simple channel for communicating client identity and authorization information from plumbing to application developers. (Authentication is tricky, so we let frameworks like ASP.NET do this heavy lifting for us, and then we look for the results via this property.) Think of Thread.CurrentPrincipal as simply a hook that each thread exposes on which we can hang a user identity. It's just extra context information that the runtime helps us track.
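The hand-off described above, as an added example that is not code from the book: a stand-in for framework plumbing hangs an already-authenticated identity on the thread, and application code reads it back to make a role check. The names `RunAs` and `ApproveExpense`, the users and the role names are all hypothetical.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using System.Threading;

static class PrincipalDemo
{
    // Hypothetical plumbing: runs after authentication has already succeeded
    // and publishes the result through Thread.CurrentPrincipal.
    static void RunAs(string user, string[] roles, Action work)
    {
        IPrincipal previous = Thread.CurrentPrincipal;
        try
        {
            // "Constructed" is a made-up authentication type label for this sample.
            var identity = new GenericIdentity(user, "Constructed");
            Thread.CurrentPrincipal = new GenericPrincipal(identity, roles);
            work();
        }
        finally
        {
            // Put back whatever was there before, so this identity does not
            // stay attached to the thread after the work item finishes.
            Thread.CurrentPrincipal = previous;
        }
    }

    // Hypothetical application code: identity is not passed as a parameter,
    // it is picked up from the hook the plumbing filled in.
    static void ApproveExpense()
    {
        IPrincipal caller = Thread.CurrentPrincipal;
        if (caller == null || !caller.Identity.IsAuthenticated)
            throw new SecurityException("No authenticated caller on this thread.");
        if (!caller.IsInRole("Managers"))
            throw new SecurityException(caller.Identity.Name + " is not in Managers.");
        Console.WriteLine("Approved by " + caller.Identity.Name);
    }

    static void Main()
    {
        RunAs("alice", new[] { "Managers" }, ApproveExpense);
        try { RunAs("bob", new[] { "Staff" }, ApproveExpense); }
        catch (SecurityException ex) { Console.WriteLine("Denied: " + ex.Message); }
    }
}
```

The application code trusts whatever principal it finds, so the check is only as strong as the control over who is allowed to set the property.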

I gave a security talk at Tech Ed 2003 in Dallas, and while I was there, a training company asked me to post ...
