Ticket T343397

Security: empty password

created 9 years ago

Hello,
when a potential attacker breaks into the SQL database, he just finds fields protected by my encryption.
However, if he deletes the user's password in the SecuritySystemUser table, he has free access to the system, where the data are decrypted.

How to prevent it?
By custom logon controller only?

Thanks

Answers approved by DevExpress Support

created 9 years ago (modified 9 years ago)

Hello.

Use the following approaches to forbid empty passwords:

A. Create a custom authentication class and check that the entered password is not empty in the overridden Authenticate method. Refer to the How to: Use Custom Logon Parameters and Authentication article.

```csharp
using System;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security;

public class AuthenticationStandardEx : AuthenticationStandard {
    public override object Authenticate(IObjectSpace objectSpace) {
        DevExpress.ExpressApp.Utils.Guard.ArgumentNotNull(this.LogonParameters, "logonParameters");
        // Reject an empty password before the standard comparison runs, so a
        // blanked password in the SecuritySystemUser table cannot be matched
        // by an empty logon input.
        var password = ((AuthenticationStandardLogonParameters)this.LogonParameters).Password;
        if (string.IsNullOrEmpty(password)) {
            throw new ArgumentException("Password cannot be empty");
        }
        return base.Authenticate(objectSpace);
    }
}
```

B. Create a validation rule (RuleRequiredField) for the AuthenticationStandardLogonParameters.Password property in the application model. Refer to the Non-Persistent Objects Validation article (the Validate Password Complexity example).
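The following is an added stand-alone illustration of the defensive principle behind approach A, not DevExpress code and not part of the support answer. It models the logon check outside XAF: the stored credential is assumed to be a PBKDF2 hash with a per-user salt (an assumption; XAF's own storage format differs), and the check rejects an empty entered password before any comparison. As an additional step the answer does not mention, it also treats a row whose stored hash has been blanked as an unusable account rather than as "password is empty", so clearing the column cannot produce a match from either side. The class name LogonCheck and the Verify and Hash methods are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Illustrative model of a logon check (not DevExpress XAF code).
public static class LogonCheck
{
    // Explicit outcomes so a caller cannot mistake "no credential stored"
    // for "password matched".
    public enum Result { Success, EmptyInput, AccountHasNoCredential, WrongPassword }

    const int Iterations = 100_000;   // PBKDF2 work factor (assumed value)
    const int HashLength = 32;        // 256-bit derived key

    public static Result Verify(byte[] storedSalt, string storedHashHex, string enteredPassword)
    {
        // Approach A from the answer: refuse an empty entered password up front.
        if (string.IsNullOrEmpty(enteredPassword))
            return Result.EmptyInput;

        // Added defense in depth: a blanked or missing stored credential is
        // never treated as "the password is empty"; the account is unusable.
        if (storedSalt == null || storedSalt.Length == 0 || string.IsNullOrEmpty(storedHashHex))
            return Result.AccountHasNoCredential;

        byte[] candidate = Hash(storedSalt, enteredPassword);
        byte[] stored = Convert.FromHexString(storedHashHex);

        // Constant-time comparison avoids leaking how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(candidate, stored)
            ? Result.Success
            : Result.WrongPassword;
    }

    // Derives the stored hash from salt and password with PBKDF2-HMAC-SHA256.
    public static byte[] Hash(byte[] salt, string password)
        => Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashLength);

    public static void Main()
    {
        // Constructed sample user: random salt, hash of a known password.
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        string hashHex = Convert.ToHexString(Hash(salt, "correct horse"));

        Console.WriteLine(Verify(salt, hashHex, "correct horse"));  // correct password
        Console.WriteLine(Verify(salt, hashHex, ""));               // empty input rejected
        Console.WriteLine(Verify(salt, "", ""));                    // blanked row, empty input
        Console.WriteLine(Verify(salt, "", "anything"));            // blanked row, any input
        Console.WriteLine(Verify(salt, hashHex, "wrong"));          // wrong password
    }
}
```

The order of the checks matters: the empty-input test runs first so that a blanked stored hash and an empty entered password can never reach the comparison, which is exactly the combination the question describes.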
