Best approach to validation of sensitive values, but not transmitting them

Best approach to validation of sensitive values, but not transmitting them

Old forum URL: forums.lhotka.net/forums/t/11960.aspx


NightOwl888 posted on Saturday, April 27, 2013

I am attempting to rework the AccountController in the MVC4 default template so it uses CSLA rather than SimpleMembership because SimpleMembership didn't meet my requirements.

I am replacing the command-based architecture with CSLA business objects. Right now I am working with the UserRegister business object, which codifies the Register User scenario.

However, I have run into a snag in that I want to validate that the user entered a password and a confirm password field that matches, but I don't want to send these two values to the DataPortal (there is a business rule attached to these properties that automatically fills in PasswordHash and PasswordSalt properties when a password is entered).

I don't want to encrypt the connection or the channel to the dataportal - I just want to ensure that the password values are not in the request at all. So, what is the best approach to achieve this?

Clarification: If the DataPortal is running on the client, there is no issue - I just want to eliminate these values from the serialization stream if they are sent across the network. At the same time, I want to ensure validation still passes. Note that I also want to use the real password value for the login scenario that is executed in the same request, so I will also need client-side (controller) access to the password value.

I am using MVC4, .NET 4.5, and CSLA 4.5.20.

JonnyBee replied on Saturday, April 27, 2013

Hi,

You could change the password property to private backing field and add NonSerialized attribute to the backing field. 

NightOwl888 replied on Saturday, April 27, 2013

I thought of that, but I couldn't find any examples in the CSLA 4 book that show how to make a property with a private backing field that also has a static accessor property so the validation and hashing rules can run on it. Can you show me just how that would be done?

JonnyBee replied on Sunday, April 28, 2013

Csla 4 ships with a set of snippets and templates. See the Csla Cheat Sheet here http://www.lhotka.net/files/csla40/CSLA4CheatSheet.pdf

The snippet you want is cslapropp 

Here is how the property should be defined:

    public static readonly PropertyInfo<string> PasswordProperty = 
RegisterProperty<string>(c => c.Password, RelationshipTypes.PrivateField);     [NonSerialized]     private string _password = PasswordProperty.DefaultValue;     public string Password     {       get { return GetProperty(PasswordProperty, _password); }       set { SetProperty(PasswordProperty, ref _password, value); }     }

NightOwl888 replied on Sunday, April 28, 2013

You beat me to it. I found the same answer it on page 35 of the "Objects" ebook. I have confirmed it does not send the password value to the DataPortal - not even if it is running on the client.

Copyright (c) Marimer LLC