Passwords in the Security System

This topic describes built-in XAF tools for generating and changing user passwords when using the AuthenticationStandard authentication.

Administrator-Generated Passwords

Administrators can use the ResetPassword Action to generate a password for a particular user. This Action is activated if the user type implements the IAuthenticationStandardUser interface and Standard Authentication is applied.

The ResetPasswordController View Controller provides the ResetPassword Action, which is enabled for root Views and located in the RecordEdit Action Container. This Action invokes the following dialog:

The user can change the generated password later.

Change the Password After the First Logon

User objects that implement the IAuthenticationStandardUser interface have the IAuthenticationStandardUser.ChangePasswordOnFirstLogon property. If you set this property to true for a particular user, the following dialog is displayed after this user logs on:

Mobile applications do not support this functionality.

Since the AuthenticationActiveDirectory authentication type does not expect XAF application passwords to change, this window displays only when Standard Authentication is used.

End-User Password Modifications

When using the Standard Authentication type, end users who have access to the My Details Detail View can change their passwords using the ChangeMyPassword Action. This Action is located in the Edit Action Container and is activated for the My Details Detail View. It invokes the following dialog:

Note

You can force users to have complex passwords using the approach described in the Non-Persistent Objects Validation topic.

Access Passwords in Code

The built-in user classes (that is, DevExpress.Persistent.BaseImpl.EF.PermissionPolicyUser and DevExpress.Persistent.BaseImpl.PermissionPolicyUser) do not store the password as plain text. Instead, a hash is derived from the password using the Rfc2898DeriveBytes or SHA512 classes. Which algorithm is used is controlled by the EnableRfc2898 and SupportLegacySha512 static properties of the DevExpress.Persistent.Base.PasswordCryptographer class:

                               EnableRfc2898 = true                                       EnableRfc2898 = false
  SupportLegacySha512 = true   Existing SHA512 password hashes in the database are       All passwords are hashed and verified
                               still accepted. Newly created passwords are hashed        using SHA512.
                               and verified using the RFC 2898 algorithm.
  SupportLegacySha512 = false  Default mode. SHA512 password hashes are NOT supported.
                               All passwords are hashed and verified using the
                               RFC 2898 algorithm. This mode is FIPS-compliant.

You can specify these static property values in one of the following locations:

  • in the constructor of your platform-agnostic module located in the Module.cs (Module.vb) file;
  • in the Main method of the WinForms application located in the Program.cs (Program.vb) file, before the WinApplication.Start call;
  • in the Application_Start method of the ASP.NET application located in the Global.asax.cs (Global.asax.vb) file, before the WebApplication.Start call.

Note

If you use the Middle-tier level security (.NET Remoting Service or WCF Service), you also need to specify these static properties in the server application's Main method located in the Program.cs (Program.vb) file.

RFC 2898 is the preferred algorithm because it is more modern and secure. It is enabled by default in XAF applications created with Solution Wizard version 17.1 or higher; in existing applications, it is recommended that you enable it manually.
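The mode matrix above, modelled in an added Python example so the four EnableRfc2898 / SupportLegacySha512 combinations can be exercised (this is not DevExpress code; the "scheme$payload" storage format, salt length and PBKDF2 parameters are constructed assumptions, not XAF's actual stored format):

```python
import base64
import hashlib
import hmac
import os

# Constructed model of the EnableRfc2898 / SupportLegacySha512 mode matrix.
# The "scheme$payload" storage format, the 16-byte salt and the PBKDF2
# parameters are assumptions for illustration, not XAF's real stored format.
PBKDF2_PRF = "sha1"        # .NET Framework Rfc2898DeriveBytes default PRF
PBKDF2_ITERATIONS = 1000   # .NET Framework Rfc2898DeriveBytes default count
SALT_LEN = 16


class PasswordCryptographerModel:
    def __init__(self, enable_rfc2898=True, support_legacy_sha512=False):
        self.enable_rfc2898 = enable_rfc2898
        self.support_legacy_sha512 = support_legacy_sha512

    def hash_password(self, password: str) -> str:
        """Hash a new password with the algorithm the current mode selects."""
        if self.enable_rfc2898:
            salt = os.urandom(SALT_LEN)
            dk = hashlib.pbkdf2_hmac(PBKDF2_PRF, password.encode(), salt,
                                     PBKDF2_ITERATIONS, 32)
            return "rfc2898$" + base64.b64encode(salt + dk).decode("ascii")
        # EnableRfc2898 = false: legacy unsalted SHA512 for every password.
        return "sha512$" + hashlib.sha512(password.encode()).hexdigest()

    def verify_hashed_password(self, stored: str, password: str) -> bool:
        """Check a candidate password against a stored hash, honouring the mode."""
        scheme, _, payload = stored.partition("$")
        if scheme == "rfc2898":
            if not self.enable_rfc2898:
                return False  # SHA512-only mode cannot verify RFC 2898 hashes
            raw = base64.b64decode(payload)
            salt, expected = raw[:SALT_LEN], raw[SALT_LEN:]
            dk = hashlib.pbkdf2_hmac(PBKDF2_PRF, password.encode(), salt,
                                     PBKDF2_ITERATIONS, len(expected))
            return hmac.compare_digest(dk, expected)
        if scheme == "sha512":
            if self.enable_rfc2898 and not self.support_legacy_sha512:
                return False  # default (FIPS-compliant) mode rejects SHA512 hashes
            digest = hashlib.sha512(password.encode()).hexdigest()
            return hmac.compare_digest(digest, payload)
        return False  # unknown scheme: never accept

    def needs_rehash(self, stored: str) -> bool:
        """True when a verified legacy SHA512 hash should be replaced by RFC 2898."""
        return self.enable_rfc2898 and stored.startswith("sha512$")
```

Running the same stored hashes through the three described modes shows why SupportLegacySha512 = true is the migration setting: old SHA512 hashes still verify, and needs_rehash flags them for replacement on the next successful logon.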

The stored hash cannot be reversed to recover the original password. To verify or hash passwords, use one of the following:

  • The PasswordCryptographer.VerifyHashedPasswordDelegate and PasswordCryptographer.HashPasswordDelegate static methods.

    To customize these methods' behavior, use the following approach:

  • The IAuthenticationStandardUser.ComparePassword and IAuthenticationStandardUser.SetPassword methods. To use these methods, obtain an instance of the target user class that implements the IAuthenticationStandardUser interface. An example is provided in the How to: Implement a Custom Security System User Based on an Existing Business Class topic.
