This topic describes the built-in XAF tools for generating and changing user passwords when the AuthenticationStandard authentication type is used.
Administrators can use the ResetPassword Action to generate a password for a particular user. This Action is activated if the user type implements the IAuthenticationStandardUser interface and Standard Authentication is applied.
The ResetPasswordController View Controller provides the ResetPassword Action, which is enabled for root Views and located in the RecordEdit Action Container. This Action invokes the following dialog:
The user can change the generated password later.
Changes made in the Detail View are lost when the ResetPassword Action is executed. To save them when this Action is executed, set the SaveUserObjectOnPasswordChanging property to true.
Mobile applications do not support this functionality.
Since the AuthenticationActiveDirectory authentication type does not expect XAF application passwords to change, this window displays only when Standard Authentication is used.
End-User Password Modifications
When the Standard Authentication type is used, end-users who have access to the My Details Detail View can change their passwords using the ChangeMyPassword Action. This Action is located in the Edit Action Container and is activated for the My Details Detail View. It invokes the following dialog:
The static PasswordCryptographer.EnableRfc2898 and PasswordCryptographer.SupportLegacySha512 properties control how passwords are hashed and verified:
EnableRfc2898 = true, SupportLegacySha512 = true
SHA512-encrypted passwords that already exist in the database are supported. Newly created passwords are encrypted and verified using the RFC 2898 algorithm.
EnableRfc2898 = false
All passwords are encrypted and verified using SHA512.
EnableRfc2898 = true, SupportLegacySha512 = false
Default mode. SHA512-encrypted passwords are NOT supported. All passwords are encrypted and verified using the RFC 2898 algorithm. This mode is FIPS-compliant.
You can specify these static property values in one of the following locations:
in the constructor of your platform-agnostic module located in the Module.cs (Module.vb) file;
in the Main method of the WinForms application located in the Program.cs (Program.vb) file, before the WinApplication.Start call;
in the Application_Start method of the ASP.NET application located in the Global.asax.cs (Global.asax.vb) file, before the WebApplication.Start call.
If you use Middle-tier security (WCF Service), you also need to specify these static properties in the server application's Main method, located in the Program.cs (Program.vb) file.
RFC 2898 is the preferred algorithm because it is more modern and secure. In XAF applications created with the Solution Wizard version 17.1 or higher, it is enabled by default. It is recommended that you enable it manually in existing applications.
The stored value cannot be decrypted to recover the original password. To verify or encrypt passwords, use one of the following methods:
The static PasswordCryptographer.VerifyHashedPasswordDelegate and PasswordCryptographer.HashPasswordDelegate properties.
To customize the behavior of these delegates, use the following approach:
' Register the custom implementations once at startup (for example, in the module constructor).
PasswordCryptographer.VerifyHashedPasswordDelegate = AddressOf VerifyHashedPassword
PasswordCryptographer.HashPasswordDelegate = AddressOf HashPassword

' Returns True when password matches the stored saltedPassword value.
Private Shared Function VerifyHashedPassword(ByVal saltedPassword As String, ByVal password As String) As Boolean
    Dim result As Boolean = False
    ' validate password here.
    Return result
End Function

' Returns the salted hash that is stored for password.
Private Shared Function HashPassword(ByVal password As String) As String
    Dim hash As String = Nothing
    ' create hash here.
    Return hash
End Function