|
Rank: Newbie Groups: Member
Joined: 5/11/2017 Posts: 2
|
Is there a way to pass a user token instead of user/password for the authentication event? We're implementing single sign-on where the user logs on to our system from a different application and we do not want to persist the user/password. We only persist the token and want to use only this token.
|
|
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 24,225
|
Hi,
Currently there is no way to pass a user token. The browser engine will always use the current user's token to authenticate first. If that fails, then you will get the NeedCredential event.
Thanks!
|
|
Rank: Advanced Member Groups: Member
Joined: 5/15/2017 Posts: 48
|
The NeedCredentialsEventArgs Continue method takes the password as a string. From a security standpoint, passing the password as a string is not safe. Do you have plans to support taking SecureString as the data type for the password parameter?
|
|
Rank: Advanced Member Groups: Member
Joined: 5/15/2017 Posts: 48
|
The following link has information about SecureString: https://msdn.microsoft.com/en-us/library/system.security.securestring(v=vs.110).aspx
Just to give some background, our products are required not to store passwords in plain text in .NET code, as the .NET string is immutable, we don't know when the GC is going to collect it, and an attacker could get the memory to get the password. We collect the password from the UI as a SecureString and pass it down to Windows or other APIs that need it.
|
|
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 24,225
|
Hi,
We will add our SecureString support in our next build.
Thanks!
|
|
Rank: Advanced Member Groups: Member
Joined: 5/15/2017 Posts: 48
|
That's really awesome!!! Thank you!
|
|
Rank: Advanced Member Groups: Member
Joined: 5/15/2017 Posts: 48
|
One thing to be careful of is what we do with the password data while it's not inside the SecureString. A couple of useful articles: http://www.griffinscs.com/?p=12 and Part II of this article: http://www.griffinscs.com/?p=23
|
|
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 24,225
|
Hi,
Thanks for the additional information. We have posted a new build that added several overloads of the Continue method that accept SecureString: https://www.essentialobjects.com/doc/eo.webbrowser.needcredentialseventargs.continue_overloads.aspx
The non-secure version has also been changed to call the secure version internally. You can download the new build from our download page. Please feel free to let us know if you have any questions.
Thanks!
|
|
Rank: Advanced Member Groups: Member
Joined: 5/15/2017 Posts: 48
|
We have a question about the lifetime management of the SecureString parameters passed to the Continue method. SecureString needs to be properly disposed. Is EO disposing these two parameters? It would be helpful to clarify this in the help document linked below. If these parameters are disposed by EO, then the caller needs to ensure that it passes a copy; otherwise the caller needs to dispose them. https://www.essentialobjects.com/doc/eo.webbrowser.needcredentialseventargs.continue_overload_1.aspx
|
|
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 24,225
|
Hi,
They are disposed by us. So you will need to pass a copy of them if you wish to keep the values for later use.
Thanks!
|
|
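The ownership rule from the last reply (the callee disposes the SecureString arguments, so the caller passes copies to keep its own), shown as an added example that is not from the thread or from Essential Objects. `ConsumeAndDispose` is a hypothetical stand-in for a disposing callee, not EO.WebBrowser's `Continue`, and the credential values are constructed samples.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class CredentialHandoff
{
    // Hypothetical callee that takes ownership of its SecureString arguments
    // and disposes them, as the thread describes. Not the EO.WebBrowser API.
    static void ConsumeAndDispose(SecureString userName, SecureString password)
    {
        try
        {
            // Plaintext exists only in unmanaged memory, zeroed before release.
            IntPtr p = Marshal.SecureStringToGlobalAllocUnicode(password);
            try { /* hand p to the native authentication call here */ }
            finally { Marshal.ZeroFreeGlobalAllocUnicode(p); }
        }
        finally
        {
            userName.Dispose();
            password.Dispose();
        }
    }

    // Constructed sample input. Real code appends characters as they are
    // typed in the UI and never holds the password in a System.String.
    static SecureString FromSample(string constructedSample)
    {
        var s = new SecureString();
        foreach (char c in constructedSample) s.AppendChar(c);
        s.MakeReadOnly();
        return s;
    }

    static void Main()
    {
        using (SecureString user = FromSample("sample-user"))
        using (SecureString pass = FromSample("sample-pass"))
        {
            // Pass copies: the callee disposes whatever it receives.
            ConsumeAndDispose(user.Copy(), pass.Copy());
            Console.WriteLine("caller's original still usable, length " + pass.Length);

            // An instance that was handed over cannot be used afterwards.
            SecureString handedOver = pass.Copy();
            ConsumeAndDispose(user.Copy(), handedOver);
            try { Console.WriteLine(handedOver.Length); }
            catch (ObjectDisposedException) { Console.WriteLine("handed-over instance was disposed by the callee"); }
        }
    }
}
```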