Can UserNamePasswordValidator throw anything except a MessageSecurityException?

I have a WCF service associated with a UserNamePasswordValidator through my web.config, no problem. In my validator, I override Validate, validate the credentials, and throw a FaultException if necessary.

Example:

    public class CredentialValidator : UserNamePasswordValidator
    {
        public override void Validate(string userName, string password)
        {
            if (userName != "dummy")
            {
                throw new FaultException<AuthenticationFault>(
                    new AuthenticationFault(), "Invalid credentials supplied");
            }
        }
    }

If I myself use this service in a .NET application and provide invalid credentials, a MessageSecurityException is thrown with the following message:

"An unsecured or incorrectly protected error was received from the other side. See the internal FaultException for the error code and details."

The FaultException I expected was an InnerException of a MessageSecurityException.

Is there a way to have the client receive only a FaultException?

The MessageSecurityException is not particularly descriptive with respect to the true cause of the exception (a quick SO search turns up a lot of possible problems, including time synchronization between the server and the client), and since a third party will use this service, I would like to be as clear as possible.

+4
3 answers

I had the same problem a few months ago, and after some research I came to the conclusion that you can throw whatever you want from the validation code, but the client will still receive a MessageSecurityException that does not contain any useful information at all.

We had to let the client know what really happened:
1. incorrect username / password
2. the password has expired and a change is required
3. some other user-specific, application-specific states

Thus, we changed the logic of the CredentialValidator so that it throws an exception only in case 1. In the other cases it actually allows the real WCF method to be called, but there we also check the password expiration etc., and if there is a problem we throw a FaultException from the method body itself.

In our case this worked well, because only one service with this type of validation was attached, so the client always knew why it was not authenticated.

+3
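The split this answer describes, as an added example that is not code from the question or from any of the answers: the validator rejects only an outright credential failure, while the "password expired" state is reported from the operation body, where a FaultException<T> reaches the client unwrapped. IUserStore, AuthenticationFault and IAccountService are assumed names introduced here for illustration.

```csharp
// Added example (not from the original thread). IUserStore, AuthenticationFault
// and IAccountService are assumptions standing in for the real application types.
using System;
using System.IdentityModel.Selectors;
using System.Runtime.Serialization;
using System.ServiceModel;

[DataContract]
public class AuthenticationFault
{
    [DataMember] public string Code { get; set; }
    [DataMember] public string Message { get; set; }
}

// Assumed credential store; replace with the real user lookup.
public interface IUserStore
{
    bool CheckPassword(string userName, string password);
    bool IsPasswordExpired(string userName);
}

public class CredentialValidator : UserNamePasswordValidator
{
    // WCF creates a config-registered validator through its parameterless
    // constructor, so the store is resolved from a static hook (assumed).
    public static IUserStore Users { get; set; }

    public override void Validate(string userName, string password)
    {
        // Only a wrong user name / password is rejected here. Whatever is thrown
        // from Validate reaches the client wrapped in a MessageSecurityException,
        // so the message stays generic and does not say which part was wrong.
        if (string.IsNullOrEmpty(userName) || !Users.CheckPassword(userName, password))
        {
            throw new FaultException("Invalid user name or password.",
                                     new FaultCode("BadUserNameOrPassword"));
        }
        // An expired password still authenticates; the operation reports it.
    }
}

[ServiceContract]
public interface IAccountService
{
    [OperationContract]
    [FaultContract(typeof(AuthenticationFault))]
    string GetProfile();
}

public class AccountService : IAccountService
{
    public string GetProfile()
    {
        // Identity established by the validator for this call.
        string user = ServiceSecurityContext.Current.PrimaryIdentity.Name;

        if (CredentialValidator.Users.IsPasswordExpired(user))
        {
            // Thrown from the operation body, this arrives at the client as a
            // FaultException<AuthenticationFault>, not a MessageSecurityException.
            throw new FaultException<AuthenticationFault>(
                new AuthenticationFault
                {
                    Code = "PasswordExpired",
                    Message = "Password expired; a change is required."
                },
                new FaultReason("Password expired."),
                new FaultCode("PasswordExpired"));
        }

        return "profile for " + user;
    }
}
```

The FaultContract attribute on the operation is what lets the typed fault cross to the client as FaultException<AuthenticationFault>; without it the client only sees a generic FaultException.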

With a custom password validator, you can return a FaultCode that describes what is wrong:

    throw new FaultException("Invalid user name or bad password.", new FaultCode("BadUserNameOrPassword"));
    throw new FaultException("Password expired.", new FaultCode("PasswordExpired"));
    throw new FaultException("Internal service error.", new FaultCode("InternalError"));
+1

Throw the error as a MessageSecurityException with a FaultException as its inner exception:

    public override void Validate(string userName, string password)
    {
        var isValid = ValidateUser(userName, password); // your own credential check
        if (!isValid)
        {
            throw new MessageSecurityException("Userid or Password is invalid",
                new FaultException("Userid or Password is invalid"));
        }
    }
0
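Whichever of the above the service does, the client still has to dig the FaultException out of the MessageSecurityException that WCF raises for a validator failure, and distinguish that from a fault thrown by the operation itself. The following is an added example, not code from any of the answers; it assumes the FaultCode names used in the second answer and an AuthenticationFault detail type and IAccountService contract that are not part of the original thread.

```csharp
// Added example (not from the original thread). AuthenticationFault and
// IAccountService are assumed contract types shared with the service.
using System;
using System.ServiceModel;
using System.ServiceModel.Security;

public static class AuthFailureReporter
{
    // Maps the exception a WCF call produced to a short, stable reason string
    // the calling application can act on (show a message, prompt for a new
    // password, or treat as an infrastructure problem).
    public static string Describe(Exception ex)
    {
        // Credentials rejected inside UserNamePasswordValidator: WCF wraps the
        // validator's fault in a MessageSecurityException.
        if (ex is MessageSecurityException sec)
        {
            if (sec.InnerException is FaultException inner)
            {
                string code = inner.Code != null ? inner.Code.Name : "unknown";
                return "auth:" + code + ":" + inner.Message;
            }
            // No inner fault: a security-binding problem (clock skew, certificate
            // or token issues) rather than a credential failure.
            return "security:" + sec.Message;
        }

        // Fault thrown from the operation body, e.g. the password-expired state.
        if (ex is FaultException<AuthenticationFault> typed)
        {
            return "account:" + typed.Detail.Code + ":" + typed.Detail.Message;
        }

        if (ex is FaultException generic)
        {
            return "fault:" + (generic.Code != null ? generic.Code.Name : "unknown");
        }

        return "unexpected:" + ex.GetType().Name;
    }

    // Calls the service and converts the failure modes above into a reason
    // string; MessageSecurityException and FaultException both derive from
    // CommunicationException, so one filter covers them.
    public static string CallSafely(IAccountService client)
    {
        try
        {
            return client.GetProfile();
        }
        catch (Exception ex) when (ex is CommunicationException || ex is TimeoutException)
        {
            return AuthFailureReporter.Describe(ex);
        }
    }
}
```

With the validator from the second answer, an invalid login yields "auth:BadUserNameOrPassword:Invalid user name or bad password.", while a fault thrown from the operation body with the PasswordExpired detail yields "account:PasswordExpired:...", so the third party can tell the two apart without parsing the generic MessageSecurityException text.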

Source: https://habr.com/ru/post/1387433/
