WSE 2.0 UsernameTokens and Hashing Passwords
Hervey has posted another great entry on his blog that digs into the confusing question of whether clear-text passwords are required for using hashed UsernameTokens. He covers all the ins and outs. Ultimately, the string you pass to the constructor of the UsernameToken object must match the string returned from the AuthenticateToken method of your UsernameTokenManager class on the server. If you want to hash the real password with some shared secret, then you have to do the same thing on the client as you do on the server. Of course, you then have to write your own logic for this and find your own way to share the secret, which is probably not something you really want to do.
For all the details, see Hervey's post.
-Matt
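
The matching requirement above, as an added Python sketch (not code from this post, from Hervey's post, or from WSE). It assumes the digest formula from the OASIS UsernameToken Profile, Base64(SHA-1(nonce + created + password)); `password_equivalent`, `SERVER_STORE` and the demo secret are hypothetical, constructed names and values, and plain functions stand in for the UsernameToken constructor and AuthenticateToken.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timezone

SHARED_SECRET = b"constructed-demo-secret"  # constructed sample value

def password_equivalent(real_password, shared_secret=SHARED_SECRET):
    """Hypothetical derivation; it must be identical on client and server."""
    mac = hmac.new(shared_secret, real_password.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def password_digest(nonce, created, token_password):
    """UsernameToken Profile digest: Base64(SHA-1(nonce + created + password))."""
    data = nonce + created.encode() + token_password.encode()
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

# Constructed server store: holds only the derived string, never the clear text.
SERVER_STORE = {"alice": password_equivalent("correct horse")}

def client_build_token(username, token_password):
    """token_password stands in for the string given to the UsernameToken constructor."""
    nonce = os.urandom(16)
    created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"username": username,
            "nonce": base64.b64encode(nonce).decode(),
            "created": created,
            "digest": password_digest(nonce, created, token_password)}

def server_verify(token):
    """The stored string stands in for what AuthenticateToken returns."""
    stored = SERVER_STORE.get(token["username"])
    if stored is None:
        return False
    nonce = base64.b64decode(token["nonce"])
    expected = password_digest(nonce, token["created"], stored)
    # Constant-time comparison; nonce replay and timestamp checks are omitted here.
    return hmac.compare_digest(expected, token["digest"])

if __name__ == "__main__":
    matching = client_build_token("alice", password_equivalent("correct horse"))
    mismatch = client_build_token("alice", "correct horse")  # raw password, no derivation
    print("client derived the same string:", server_verify(matching))
    print("client sent raw password:     ", server_verify(mismatch))
```

The derived string in the store is itself password-equivalent: anyone who reads it can compute valid digests, so the store needs the same protection a clear-text password list would.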
Comments
- Anonymous
September 10, 2004
Hi Matt, I wrote some code to demonstrate one approach to solving this. Let me know if this is sound. http://haacked.com/archive/2004/09/09/1177.aspx
- Anonymous
September 13, 2004
(Not sure if my post went through)
Hi Matt, I wrote some code to demonstrate one approach to solving this. Let me know if this is sound. http://haacked.com/archive/2004/09/09/1177.aspx