Customizing Exceptions for Validation
How do I customize the exception text sent back from a custom password validator?
If you've looked at the documentation for UserNamePasswordValidator, the instructions tell you to implement the validator by overriding the Validate method and throwing a SecurityTokenValidationException if you don't accept the username and password pair that was provided. A failed validation attempt results in an exception on the client whose message is fairly generic:
An error occurred when processing the security tokens in the message.
Being generic is the correct thing to do most of the time because you don't want to volunteer unnecessary information in your security responses. Subtle differences in how the application behaves, such as answering "unknown user" for one input and "wrong password" for another, tell an attacker which parts of their input passed validation and which parts failed. However, if an attacker can't use the diagnostic information to their advantage (for example, during development or in a test environment), then you may want to provide more information to make debugging easier.
Changing this exception message is relatively easy to do, although hard to discover. In your Validate method, rather than throwing a security exception, you can instead throw a FaultException with a custom message. That custom message will be passed back to the client application, although the details of the fault will not. Keep in mind that whatever you put in the message is visible to every caller, not only to the developer debugging the service.
using System.IdentityModel.Selectors;
using System.ServiceModel;

public class MyUserNameValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        // validation logic goes here; a real check would consult a credential store
        bool validationFailed = string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password);
        if (validationFailed)
        {
            // The FaultException message is carried to the client; a
            // SecurityTokenValidationException would surface only as the generic error
            throw new FaultException("Here's a description of why validation failed");
        }
    }
}
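The following is an added example and is not code from the original post. It puts the two behaviours described above side by side in one validator: by default it throws SecurityTokenValidationException, so the client sees only the generic message, and only when a detailedErrors flag is set does it throw a FaultException whose text says why validation failed. The in-memory credential store, the sample account "alice", and the detailedErrors flag are assumptions made for the example; a real service would check a directory or database and use a slow password hash rather than a single salted SHA-256.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.ServiceModel;
using System.Text;

// Added example, not code from the original post. Returns the generic security
// error by default and only switches to a descriptive FaultException when
// detailed errors are explicitly enabled.
public class DiagnosticUserNameValidator : UserNamePasswordValidator
{
    // Hypothetical in-memory store: user name -> (salt, SHA-256(salt || password)).
    private readonly Dictionary<string, KeyValuePair<byte[], byte[]>> store =
        new Dictionary<string, KeyValuePair<byte[], byte[]>>(StringComparer.Ordinal);
    private readonly bool detailedErrors;

    // Parameterless constructor so the type can be named in config
    // (customUserNamePasswordValidatorType); defaults to the generic behaviour.
    public DiagnosticUserNameValidator() : this(false) { }

    public DiagnosticUserNameValidator(bool detailedErrors)
    {
        this.detailedErrors = detailedErrors;
        AddUser("alice", "correct horse battery staple"); // constructed sample account
    }

    public void AddUser(string userName, string password)
    {
        byte[] salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        store[userName] = new KeyValuePair<byte[], byte[]>(salt, Hash(salt, password));
    }

    public override void Validate(string userName, string password)
    {
        if (userName == null || password == null)
            throw new ArgumentNullException(userName == null ? "userName" : "password");

        string reason;
        if (CheckCredentials(userName, password, out reason))
            return;

        if (detailedErrors)
        {
            // The reason text travels to the client in the fault; the client
            // still receives no stack trace or other fault detail.
            throw new FaultException("Validation failed: " + reason);
        }

        // The client sees only "An error occurred when processing the
        // security tokens in the message."
        throw new SecurityTokenValidationException("Unknown user name or password");
    }

    // Hashes and compares even when the user is unknown, so unknown-user and
    // wrong-password failures take comparable time and cannot be told apart
    // by timing when the generic message is in use.
    private bool CheckCredentials(string userName, string password, out string reason)
    {
        KeyValuePair<byte[], byte[]> record;
        bool known = store.TryGetValue(userName, out record);
        byte[] salt = known ? record.Key : new byte[16];
        byte[] expected = known ? record.Value : new byte[32];
        byte[] actual = Hash(salt, password);

        bool match = FixedTimeEquals(expected, actual) & known;
        reason = !known ? "no such user '" + userName + "'"
               : !match ? "wrong password for '" + userName + "'"
               : null;
        return match;
    }

    private static byte[] Hash(byte[] salt, string password)
    {
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        using (var sha = new SHA256Managed()) return sha.ComputeHash(input);
    }

    // Constant-time comparison; CryptographicOperations.FixedTimeEquals is not
    // available on the .NET Framework versions WCF targets.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

To wire it up in code rather than config, set host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode to UserNamePasswordValidationMode.Custom and assign new DiagnosticUserNameValidator(true) to CustomUserNamePasswordValidator; the parameterless constructor is what you get when the type is named in config, so a config-driven deployment stays on the generic message. The detailed mode deliberately tells "no such user" apart from "wrong password", which is exactly the distinction the generic message hides, so it belongs in development builds only. Before relying on the custom text, confirm what your client actually receives: the comments below report setups where it did not arrive.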
Next time: Configuring Protection Level
Comments
Anonymous
March 07, 2008
What are the rules for when a client needs to support Active Directory integration for sending to an
Anonymous
March 13, 2008
I tried this but still get a MessageSecurityException on the client with no indication of the original error. Is there something special we need to do to make the original error message flow back to the client? I also tried adding an IErrorHandler but that does not get invoked if an exception occurs in the validation stage. Would appreciate any pointers you may have to make this work. Thanks!
Anonymous
March 15, 2008
Hi Priya, What version of WCF are you using? This is a new addition for Orcas, although it may be enough to have 3.0 SP1 installed.
Anonymous
March 16, 2008
Throwing a FaultException like this from a service hosted on IIS 6 always results in the same Fault message going back. The reason has the text "An error occurred when verifying security for the message" instead of whatever custom text I supply. Any ideas why? Thanks