I am attempting to rework the AccountController in the MVC4 default template so it uses CSLA rather than SimpleMembership because SimpleMembership didn't meet my requirements.
I am replacing the command-based architecture with CSLA business objects. Right now I am working with the UserRegister business object, which codifies the Register User scenario.
However, I have run into a snag in that I want to validate that the user entered a password and a confirm password field that matches, but I don't want to send these two values to the DataPortal (there is a business rule attached to these properties that automatically fills in PasswordHash and PasswordSalt properties when a password is entered).
I don't want to encrypt the connection or the channel to the dataportal - I just want to ensure that the password values are not in the request at all. So, what is the best approach to achieve this?
Clarification: If the DataPortal is running on the client, there is no issue - I just want to eliminate these values from the serialization stream if they are sent across the network. At the same time, I want to ensure validation still passes. Note that I also want to use the real password value for the login scenario that is executed in the same request, so I will also need client-side (controller) access to the password value.
I am using MVC4, .NET 4.5, and CSLA 4.5.20.
Hi,
You could change the password property to use a private backing field and add the NonSerialized attribute to the backing field.
I thought of that, but I couldn't find any examples in the CSLA 4 book that show how to make a property with a private backing field that also has a static accessor property so the validation and hashing rules can run on it. Can you show me just how that would be done?
Csla 4 ships with a set of snippets and templates. See the Csla Cheat Sheet here http://www.lhotka.net/files/csla40/CSLA4CheatSheet.pdf
The snippet you want is cslapropp
Here is how the property should be defined:
public static readonly PropertyInfo<string> PasswordProperty =
    RegisterProperty<string>(c => c.Password, RelationshipTypes.PrivateField);
[NonSerialized]
private string _password = PasswordProperty.DefaultValue;
public string Password
{
    get { return GetProperty(PasswordProperty, _password); }
    set { SetProperty(PasswordProperty, ref _password, value); }
}
You beat me to it. I found the same answer on page 35 of the "Objects" ebook. I have confirmed it does not send the password value to the DataPortal - not even if it is running on the client.
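One way to check the same thing outside CSLA, as an added example that is not part of the thread and is not CSLA code: a plain .NET Framework class (the names UserRegisterDemo and SetPassword are hypothetical) whose password field is marked NonSerialized, serialized with BinaryFormatter and searched for the clear-text value. It assumes the data portal channel uses BinaryFormatter and that the hash and salt are derived on the caller's side before the object is sent; PBKDF2 stands in for whatever the hashing rule in the question does.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security.Cryptography;
using System.Text;

// Hypothetical stand-in for UserRegister: plain .NET Framework, no CSLA base class.
[Serializable]
public class UserRegisterDemo
{
    [NonSerialized] private string _password;   // skipped by the formatter
    private byte[] _passwordSalt, _passwordHash;

    public string Password { get { return _password; } }
    public byte[] PasswordSalt { get { return _passwordSalt; } }
    public byte[] PasswordHash { get { return _passwordHash; } }

    // Runs on the caller's side before serialization: compare, then derive salt and hash.
    public bool SetPassword(string password, string confirm)
    {
        if (string.IsNullOrEmpty(password) || password != confirm) return false;
        _password = password;
        using (var kdf = new Rfc2898DeriveBytes(password, 16, 10000))
        {
            _passwordSalt = kdf.Salt;
            _passwordHash = kdf.GetBytes(32);
        }
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        const string secret = "Constructed-Sample-Pw-1";   // constructed test value
        var user = new UserRegisterDemo();
        Console.WriteLine("Passwords match: " + user.SetPassword(secret, secret));
        var stream = new MemoryStream();
        new BinaryFormatter().Serialize(stream, user);
        // BinaryFormatter writes strings as UTF-8; the dashed hex form keeps the search byte-aligned.
        string wire = BitConverter.ToString(stream.ToArray());
        string needle = BitConverter.ToString(Encoding.UTF8.GetBytes(secret));
        Console.WriteLine("Password in stream: " + wire.Contains(needle));
        stream.Position = 0;
        var copy = (UserRegisterDemo)new BinaryFormatter().Deserialize(stream);
        Console.WriteLine("Password null after round trip: " + (copy.Password == null));
        Console.WriteLine("Hash survived: " + (copy.PasswordHash != null));
    }
}
```

The deserialized copy has a null password, so any rule that needs the clear-text value has to run before the object is serialized; only the salt and hash are available on the receiving side.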
Copyright (c) Marimer LLC