Should the membership provider's default OnValidatingPassword be overridden in custom implementations?

I am working on implementing a custom membership provider for my .NET application. I have set up the configuration for the minimum number of characters and non-alphanumeric characters, but it seems to accept passwords anyway, even when they break the rules.

OnValidatingPassword is a virtual method. An example from Microsoft does not override this method.

This question deals with the same problem, but the author gave up on his question and simply overrode this function. This one answers that there is no need to override the function for it to work.

Does the base function work? When I override OnValidatingPassword and just call the base class, my function is hit, but it never rejects my passwords that are too simple.

Sample code (using the custom CreateUser function):

    protected override void OnValidatingPassword(ValidatePasswordEventArgs e)
    {
        base.OnValidatingPassword(e);
    }

    //
    // MembershipProvider.CreateUser
    //
    public MembershipUser CreateUser(string username, string password, string globalIdentifier,
                                     string firstName, string lastName, string birthDate,
                                     object providerUserKey, out MembershipCreateStatus status)
    {
        ValidatePasswordEventArgs args = new ValidatePasswordEventArgs(username, password, true);
        OnValidatingPassword(args);

        if (args.Cancel)
        {
            status = MembershipCreateStatus.InvalidPassword;
            return null;
        }
        // ... (the rest of the method is not shown in the question)
+7
1 answer

The documentation for MembershipProvider.OnValidatingPassword only states that it raises the ValidatingPassword event if a handler is registered, not that it actually validates the password.

A look in Reflector confirms this:

    protected virtual void OnValidatingPassword(ValidatePasswordEventArgs e)
    {
        if (this._EventHandler != null)
        {
            this._EventHandler(this, e);
        }
    }

This is confusing, but I believe the intention is that it provides a hook for external logic to participate in password validation; a custom provider will still have to write its own validation logic.

If you look at the source code for the SQL Membership Provider (download the Provider Toolkit Samples), you will see that it includes logic to validate the password and also calls OnValidatingPassword. The following code is from the CreateUser method:

    // Minimum length
    if (password.Length < MinRequiredPasswordLength)
    {
        status = MembershipCreateStatus.InvalidPassword;
        return null;
    }

    // Minimum number of non-alphanumeric characters
    int count = 0;
    for (int i = 0; i < password.Length; i++)
    {
        if (!char.IsLetterOrDigit(password, i))
        {
            count++;
        }
    }
    if (count < MinRequiredNonAlphanumericCharacters)
    {
        status = MembershipCreateStatus.InvalidPassword;
        return null;
    }

    // Optional strength regular expression
    if (PasswordStrengthRegularExpression.Length > 0)
    {
        if (!Regex.IsMatch(password, PasswordStrengthRegularExpression))
        {
            status = MembershipCreateStatus.InvalidPassword;
            return null;
        }
    }

    // Only after the provider's own checks is the event raised for external handlers
    ValidatePasswordEventArgs e = new ValidatePasswordEventArgs(username, password, true);
    OnValidatingPassword(e);
    if (e.Cancel)
    {
        status = MembershipCreateStatus.InvalidPassword;
        return null;
    }

Edit

I think part of the confusion stems from the name OnValidatingPassword, which seems to imply that it handles password validation rather than raising an event so that other code can check the password. For what it's worth, I understand the confusion - it would probably be clearer if this method were called RaiseValidatingPasswordEvent.

In any case, you can check the Event Design guidelines for .NET 4. About halfway down you will find the following:

Use a protected virtual method to raise each event.

The name of the protected virtual method must be the same as the name of the event with the On prefix. For example, the protected virtual method for an event named "TimeChanged" is called "OnTimeChanged".

+6
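As an added example (not code from the question, the answer, or the SQL provider), this is how a custom provider can centralise the checks the answer describes, raise the event only afterwards, and honour a veto from an application-side handler. CustomMembershipProvider, PasswordIsAcceptable and PasswordHooks are hypothetical names, and the remaining abstract members of MembershipProvider (including the three policy properties read below) are assumed to be implemented in another file of the partial class.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web.Security;

// Hypothetical custom provider; MembershipProvider's other abstract members
// (including the three policy properties read below) live in another partial file.
public partial class CustomMembershipProvider : MembershipProvider
{
    // Enforce the configured policy, then raise ValidatingPassword so external
    // handlers can veto. Returns false, with status set, when the password is rejected.
    protected bool PasswordIsAcceptable(string username, string password,
                                        bool isNewUser, out MembershipCreateStatus status)
    {
        status = MembershipCreateStatus.InvalidPassword;
        if (password == null || password.Length < MinRequiredPasswordLength) return false;
        int nonAlphanumeric = 0;
        foreach (char c in password)
            if (!char.IsLetterOrDigit(c)) nonAlphanumeric++;
        if (nonAlphanumeric < MinRequiredNonAlphanumericCharacters)
            return false;
        if (!string.IsNullOrEmpty(PasswordStrengthRegularExpression) &&
            !Regex.IsMatch(password, PasswordStrengthRegularExpression))
            return false;
        // The base OnValidatingPassword only raises the event and never sets Cancel,
        // so without the checks above no password would ever be rejected.
        var e = new ValidatePasswordEventArgs(username, password, isNewUser);
        OnValidatingPassword(e);
        if (e.Cancel) return false;
        status = MembershipCreateStatus.Success;
        return true;
    }
}

// Application-side use of the hook (e.g. from Application_Start): one extra rule
// contributed through the event, which the provider honours via e.Cancel.
public static class PasswordHooks
{
    public static void Register()
    {
        Membership.ValidatingPassword += (sender, e) =>
        {
            if (!string.IsNullOrEmpty(e.UserName) &&
                e.Password.IndexOf(e.UserName, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                e.FailureInformation = new MembershipPasswordException("Password must not contain the user name.");
                e.Cancel = true;
            }
        };
    }
}
```

The provider's CreateUser and ChangePassword would both call PasswordIsAcceptable before touching the store, so the policy is enforced on every path that sets a password.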
