Handling username/password validation errors

Question

Hi,

I try to implement custom token provider as is shown in "Token Provider" sample from WCF samples collection. There, when user's credentials validation fails in my custom UserNamePasswordValidator is trown new SecurityTokenException.

On the client side i receive MessageSecurityException from which i'm not able to get error message from the server, only general exception description: "An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail". But FaultException also doesn't contain my error message.

Also, i tried to change trowing of SecurityTokenException with FaultException but has same results.

Can someone provide some guidance on how to handle this exception in client layer? Or may be is there other workaround to be able to receive on the client side error messages about unsuccessful validations in UserNamePasswordValidator? I just want to show to the user more descriptive error message than simple "Authentication failed".

PS: I have seen other topics with the same question as mine, but i don't find any answer, so, i will put same question again - i'm sorry for this.

Regards

Answer 1

Nobody can help here?

Is a way to get a custom fault back to the client instead of catching general MessageSecurityException? Same question was asked here but too without a responce.

To reproduce this situation is enought to open "UserNamePassword Validator" solution from samples collection in WCF documentation and change in client.cs username or password to don't match these expected by the server.

Or can someone point to the other place where i can ask this question and get a responce?

 Regards

Answer 2

I truly wonder what sort of detail information except "I don't know you and you can't come in here" (aka "Authentication Failed") you want to give to someone who is trying to break into your system with an invalid username or password or other means of authentication? Do you want to make their lives easier by telling them more?

Thanks in advance for clarifying
Clemens

Answer 3

Hi, Clemens

I don't want to tell much, but enough for users of enterprise level applications. For example in one case to tell that it just mistyped the password and, in other case, that his account was disabled by administrator.

Other point is that, if MessageSecurityException is the way to handle username/password validation errors, i want to know exactly that exception was thrown in Validate method of password validator and not in tens or hundreds of places in System.ServiceModel . How can help there MessageSecurityException received on the client with message "An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail." and inner FaultException with message "An error occurred when processing the security tokens in the message." ?

Or may be i do something in a wrong way?

Thanks for your responce and i hope you'll help or point me to the right direction.

Best regards

Answer 4

Agreed -- in an enterprise application, returning these types of error indications is highly useful.

Even Windows Live Messenger returns a differrent indication if the account is locked out.

 

Why isn't it possible to return a simple fault contract that contains some information about why the authentication failed?

 

Answer 5

I'm wondering if this change in RC1 helps the situation any:

 

System.ServiceModel.Security

Change	Add New Exception type for AccessDenied semantics
Description	A new exception type was added to signal authorization failures.
Type of Origin	System.ServiceModel.Security.SecurityAccessDeniedException
This change effects	OM

 

Will have to try it out...

Answer 6

There does not seem to be any way [that I can find] to specify an error that the client can consume.  I'm trying to do a similar process for my STS implementation, providing reasonable error messages back to the client application to indicate various error conditions, such as invalid login, account inactive, must change password, etc.  However, when the Username/Password validator throws an exception [of any type] from the STS, the error propogated back to the client is absolutely useless, and contains none of the information that was included in the exception thrown by the STS doing the authentication.

To me, this is unacceptable.  Be as flippant as you want about "how much information you want to give someone breaking into your system", there are a number of scenarios where perfectly valid users would like to know why exactly they can't log in, so that they can go about fixing the situation.  In addition, the client application would like to be able to handle very specific cases to allow the user to re-login, re-try, etc.  Has anyone figured out how we might provide this type of functionality?

Thanks!

 

Answer 7

I'm wondering if anyone has found a solution for this?

Answer 8

You can set the behavior to send back to the client falt information

 

Answer 9

Any idea how?

<serviceDebug includeExceptionDetailInFaults="true" />

Doesn't seem to work in this scenario. I just want to be able to distinguish between "Your login failed" and "The administrator screwed up the configuration file".

Answer 10

The solution is here http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=840163&SiteID=1 add username and password properties to your AuthorisationPolicy, set them in the constructor. In your ServiceAuthorisationManager CheckAccessCore method retrieve your AuthorisationPolicy perform your custom Authentication and raise an exception if the Authentication fails.

 

Answer 11

It is not an unreasonable request to be able to customise the exception information returned, especially since the response returned here is not SOAP 1.1 compliant (particularly the faultCode):

 

   <s:Body>
      <s:Fault>
         <faultcode xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</faultcode>
         <faultstring xml:lang="en-AU">An error occurred when verifying security for the message.</faultstring>
      </s:Fault>
   </s:Body>

 

My external SOAP client (not using a Microsoft platform) expects something like this for an authentication failure:

 

   <soap:Body>
      <soap:Fault>
         <faultcode>soap:Client</faultcode>
         <faultstring>ACCESS DENIED: Invalid username token supplied.</faultstring>

         <faultactor>http://localhost/QCS.IJIS.AC/IJISInboundWS/IJISInboundWS.asmx</faultactor>
      </soap:Fault>
   </soap:Body>

 

So far I have been unable to generate a faultCode my client will understand. Can you please advise how to do this? Following the recommended method below for generating SOAP 1.1 via a MessageFault is useless because it is apparently overidden in the stack:

 

Code Block

SecurityTokenException secEx = new SecurityTokenException("ACCESS DENIED: Invalid username token supplied");

 

MessageFault msgFault = MessageFault.CreateFault(new FaultCode("Client"), new FaultReason(secEx.Message), secEx);

 

FaultException faultEx = FaultException.CreateFault(msgFault, typeof(SecurityTokenException));

 

throw faultEx;

 

 

Please do not consider this question answered until you can shed some light on this.

 

Answer 12

 

Is this still an issue in .NET 3.5 ? It's really frustrating that you can not override this "security feature" even if you want to do this. I have to explain nearly on daily basis what "An unsecured or incorrectly secured fault was received from the other party" means.

Answer 13

In .Net 3.5, the FaultException string will be passed as innerException string to the MessageSecurityException

P.Gopalakrishna
http://www.geocities.com/krishnapg/