Help Urgent, How to get hashed pwd in web service when send in username token as SendHashed

Prajakta J. - 01 Jul 2005 07:26 GMT
Hi,

I am sending the username and pwd in a UsernameToken in SendHashed format.
In the web service, I am getting Nothing in that UsernameToken's
Password.

If I send it as SendPlainText, then in my web service I get a hashed pwd.
Why is this so?

How do I get the hashed pwd stored in the UsernameToken in the web service?

My web service code is:

Try
    ' Reject calls that did not arrive with a SOAP context
    If IsNothing(ctxt) Then
        Throw New ApplicationException("Only SOAP requests are permitted.")
    End If

    flg = False

    ' Look for a UsernameToken among the security tokens of the request
    For Each tkn In RequestSoapContext.Current.Security.Tokens
        If TypeOf tkn Is UsernameToken Then
            Dim user As UsernameToken = CType(tkn, UsernameToken)
            Dim pwd As String = FormsAuthentication.HashPasswordForStoringInConfigFile("Admin1", "SHA1")
            If user.Password = pwd Then
                flg = True
                Return "Hello " & user.Username
            End If
        End If
    Next

    If flg = False Then
        Return "Hello Liar"
    End If

Catch ex As SoapException
    Throw ex
Catch ex As Exception
    Throw ex
End Try

Hernan de Lahitte - 05 Jul 2005 01:05 GMT
You can find the password hash in the user.PasswordHash property as a byte
array.
Notice that this value won't be the value that you set on the client in the
Password property.
It will actually be the SHA1(created+password+nonce) of that value, called a
one-time hash value.
In your web service you should implement a custom UsernameTokenManager that
derives from that class and override the AuthenticateToken method, where you
should return the same value that you put on the password property at the
client side. The base class will recalculate the hash for the returned
password and verify against the value sent by the client.

Hernan de Lahitte
http://clariusconsulting.net/hdl
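
Added example, not part of the thread and not WSE code: a Python model of the check described in the reply above, using the WS-Security UsernameToken Profile digest Base64(SHA-1(nonce + created + password)). The user stores, function names and replay cache are constructed for illustration; it shows that the service can only verify the digest if it returns the same secret the client put in Password, so a stored SHA-1 hash of "Admin1" verifies only when the client sent that hash string as its password.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timezone

# Constructed sample stores (assumptions, not taken from the thread's service).
PLAIN = {"admin": "Admin1"}  # server keeps the value the client types in
HASHED = {"admin": hashlib.sha1(b"Admin1").hexdigest().upper()}  # hex SHA-1 of it

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)) from the UsernameToken Profile."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def make_token(username: str, password: str) -> dict:
    """Client side: a hashed token carries nonce, created and digest, not the password."""
    nonce = os.urandom(16)
    created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"username": username,
            "nonce": base64.b64encode(nonce).decode("ascii"),
            "created": created,
            "digest": password_digest(nonce, created, password)}

def authenticate(token: dict, lookup_secret, seen_nonces: set) -> bool:
    """Server side: look up the user's secret, recompute the digest, compare."""
    secret = lookup_secret(token["username"])
    if secret is None or token["nonce"] in seen_nonces:
        return False  # unknown user, or a token that was already accepted
    expected = password_digest(base64.b64decode(token["nonce"]),
                               token["created"], secret)
    if not hmac.compare_digest(expected, token["digest"]):
        return False
    seen_nonces.add(token["nonce"])  # remember the nonce so a replay is rejected
    return True

if __name__ == "__main__":
    tok = make_token("admin", "Admin1")
    print("server stores plaintext:", authenticate(tok, PLAIN.get, set()))
    print("server stores SHA-1 hex:", authenticate(tok, HASHED.get, set()))
    tok2 = make_token("admin", HASHED["admin"])
    print("client sends the hex hash as password:",
          authenticate(tok2, HASHED.get, set()))
```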

William Stacey [MVP] - 05 Jul 2005 15:42 GMT
Before settling on hashed pwds, you may want to take a look at:
http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPvDxLKC6rAAhLsQ!178.entry

Myself, I would use SCTs instead.

William Stacey [MVP]
