Why override the authentication?

Jun 20, 2010 at 1:47 PM

After having a look at your Book Club sample app, it seems that you are avoiding the built-in membership provider. Is this (replacing the membership provider) really required to extend the authorization mechanism?

From what I see you are storing the passwords in clear text in the database, is that correct? It's very problematic for any online service to store users' personal passwords in clear text, and it should always be avoided if possible. It's therefore a bit strange that you would replace the membership provider, which does proper and secure handling of personal passwords, with one that is clearly insecure. What's the reason for such an implementation?

Coordinator
Jun 20, 2010 at 4:12 PM

Looks like you posted the same comment on my blog post on authorization at http://www.nikhilk.net/RIAServices-Authorization.aspx ... so copying the response:


Yes, I am avoiding the membership provider, as the way I manage the list of users is simpler that way, in terms of how the users table is associated with other entities in the back-end model. However, you don't need to do that to use authorization. As the post said, authorization is about consuming the IPrincipal produced by authentication, and is itself orthogonal to authentication.

The reason the passwords aren't hashed is because that part is demo/incomplete from when I presented at MIX. So far, I haven't discussed authentication (either at MIX or in blog posts), but when I do, rest assured, the database is going to contain password hashes, and not actual passwords.

I personally prefer to have my simple table of users along with their settings/roles and associations with other tables... it's easier that way than bending the membership, roles and profile systems to work within the context of the larger data model.

Hope that clarifies...
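As an added illustration of the point made above (a custom users table can still store password hashes rather than clear text), here is example code that is not from the Book Club sample or its author. It assumes modern .NET (Core 2.1 or later) for CryptographicOperations.FixedTimeEquals; the class and column names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical helper for a hand-rolled Users table (not the Book Club sample's code).
// Persists a per-user random salt plus a PBKDF2-SHA256 hash instead of the password.
public static class PasswordStore
{
    private const int SaltSize = 16;       // 128-bit salt, unique per user
    private const int HashSize = 32;       // 256-bit derived key
    private const int Iterations = 100000; // raise as hardware allows

    // Returns the two column values to persist alongside the user row: Salt and PasswordHash.
    public static (byte[] Salt, byte[] Hash) Create(string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        return (salt, Derive(password, salt));
    }

    // Re-derives the hash from the login attempt and compares in constant time,
    // so a mismatch does not leak how many leading bytes agreed.
    public static bool Verify(string password, byte[] storedSalt, byte[] storedHash)
    {
        var candidate = Derive(password, storedSalt);
        return CryptographicOperations.FixedTimeEquals(candidate, storedHash);
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashSize);
    }
}

// Constructed demo: "register" a user, then check a matching and a non-matching password.
public static class Demo
{
    public static void Main()
    {
        var (salt, hash) = PasswordStore.Create("correct horse battery staple");
        Console.WriteLine(PasswordStore.Verify("correct horse battery staple", salt, hash));
        Console.WriteLine(PasswordStore.Verify("not the password", salt, hash));
    }
}
```

Only the salt and hash columns ever reach the database; the clear-text password exists solely in memory during registration and login.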

Jun 27, 2010 at 6:39 PM

Thanks for the clarification, obviously it's always good to keep code secure, even though it's just a sample. Your latest update now stores hashed passwords, which is great! Looking forward to more improvements on the Book Club sample, good work!