Re: validating security token when only username is specified



Another inconsistency is you can, in fact, send a " " space when the
password type is SendHashed and the Authenticator will be called. Empty
string should probably be allowed across the logic on both sides to at least
make things consistent.

--
William Stacey [MVP]

"William Stacey [MVP]" <staceywREMOVE@xxxxxxxx> wrote in message
news:evOLeTabFHA.228@xxxxxxxxxxxxxxxxxxxxxxx
> You will notice you can set a null or "" empty pw in UT constructor.
> However you can pass a " " space or spaces. It appears, however, that
> either the server side or client side does a Trim() on the SendPlainText
> pw (not sure which). However, it is clear that the server side considers
> empty password string to be invalid and does not attempt to start the
> Authenticator. This was probably a security concern. Naturally, you have
> to wonder what the point of an empty password is to begin with. However,
> Windows accounts allow an empty password, so one would think it should
> work the same way for WSE. Moreover, not sure the Trim() behavior is
> correct here as I may indeed want to have leading/trailing spaces in a
> password for some reason. As a workaround, if the client password is
> really "" empty, then pass something like "Empty" instead (or some other
> const string that both sides agree on).
>
> --
> William Stacey [MVP]
>
> "MAHESH MANDHARE" <mahesh_dotnetinfo@xxxxxxxxxxx> wrote in message
> news:8806AF1F-AF59-4A10-8ECF-EC31E8C9747B@xxxxxxxxxxxxxxxx
>> Hi,
>> I am using a custom UsernameTokenManager class in my project.
>> I have overridden the AuthenticateToken method in the UsernameTokenManager class
>> and configured this custom token manager in web.config,
>> but when I do not send a password in the username token, it doesn't call
>> the authenticate method. So I need to take the SoapContext to check for the username
>> token and hence have to do this at the start of every method.
>>
>> I want to know whether there is any way to validate the security token in the custom
>> token
>> manager when only the username is specified.
>> When only the username is specified, WSE skips the AuthenticateToken method.
>>
>> I am using WSE 2.0 (SP3).
>>
>> --
>> Have A Good Day,
>> Mahesh,
>> Maheshmandhare@xxxxxxxxxxx
>
>
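
The workaround suggested in this thread (both sides agree on a constant that stands in for an empty password), sketched as an added example that is not code from either poster. It assumes the WSE 2.0 assembly is referenced; the class names, the `"Empty"` value and the sample account table are hypothetical.

```csharp
using System;
using System.Collections;
using Microsoft.Web.Services2.Security.Tokens; // WSE 2.0 assembly (assumed referenced)

// Shared by client and server so both sides map passwords the same way.
public sealed class WirePassword
{
    // Agreed stand-in for an empty password; the value is an assumption.
    public const string EmptySentinel = "Empty";
    private WirePassword() {}

    public static string Encode(string password)
    {
        if (password == null || password.Length == 0)
            return EmptySentinel;
        // A real password equal to the sentinel would be indistinguishable
        // from an empty one, so refuse it instead of silently aliasing.
        if (password == EmptySentinel)
            throw new ArgumentException("Password collides with the empty-password sentinel.");
        return password;
    }

    // Client side: the token never carries an empty password, so the
    // server-side manager is always invoked.
    public static UsernameToken BuildToken(string user, string password)
    {
        return new UsernameToken(user, Encode(password), PasswordOption.SendHashed);
    }
}

// Server side: registered in web.config in place of the default manager.
public class SentinelUsernameTokenManager : UsernameTokenManager
{
    // Constructed sample accounts; "guest" has an empty password.
    private static readonly Hashtable Accounts = CreateAccounts();

    private static Hashtable CreateAccounts()
    {
        Hashtable t = new Hashtable();
        t["guest"] = "";
        t["alice"] = "s3cret";
        return t;
    }

    // Returns the password WSE should compare the incoming token against.
    protected override string AuthenticateToken(UsernameToken token)
    {
        if (!Accounts.ContainsKey(token.Username))
            throw new UnauthorizedAccessException("Unknown user.");
        return WirePassword.Encode((string)Accounts[token.Username]);
    }
}
```

The sentinel is a value every client knows, so an account mapped to it is no better protected than one with an empty password.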

