Re: validating security token when only username is specified
- From: "William Stacey [MVP]" <staceywREMOVE@xxxxxxxx>
- Date: Fri, 10 Jun 2005 06:10:52 -0400
You will notice you can set a null or "" empty pw in UT constructor.
However you can pass a " " space or spaces. It appears, however, that
either the server side or client side does a Trim() on the SendPlainText pw
(not sure which). However, it is clear that the server side considers an empty
password string to be invalid and does not attempt to start the
Authenticator. This was probably a security concern. Naturally, you have
to wonder what the point of an empty password is to begin with. However,
Windows accounts allow an empty password, so one would think it should work
the same way for WSE. Moreover, not sure the Trim() behavior is correct
here as I may indeed want to have leading/trailing spaces in a password for
some reason. As a workaround, if the client password is really "" empty,
then pass something like "Empty" instead (or some other const string that
both sides agree on).
--
William Stacey [MVP]
"MAHESH MANDHARE" <mahesh_dotnetinfo@xxxxxxxxxxx> wrote in message
news:8806AF1F-AF59-4A10-8ECF-EC31E8C9747B@xxxxxxxxxxxxxxxx
> Hi,
> I am using a custom UsernameTokenManager class in my project.
> I have overridden the authenticatetoken method in the username tokenmanager class
> and configured this custom tokenmanager in web.config,
> but when I do not send a password in the username token, it doesn't call the
> authenticate method, so I need to take the Soapcontext to check for the username
> token and hence have to do this at the start of every method.
>
> I want to know whether there is any way to validate the security token in the custom token
> manager when only the username is specified.
> When only the username is specified, WSE skips the authenticatetoken method.
>
> I am using wse2.0(Sp3).
>
> --
> Have A Good Day,
> Mahesh,
> Maheshmandhare@xxxxxxxxxxx