WCF 自定义用户名验证器：为什么此代码被认为如此不安全？

发布于 2024-11-02 14:24:25 字数 982 浏览 1 评论 0原文

我正在编写 WCF 服务并希望使用 CustomUserNameValidator。我在MSDN网站上找到了以下代码。我想通常人们会从数据库中检查用户名和密码，这是有道理的。但为什么下面的硬编码代码被认为如此不安全？

// This method validates users. It allows in two users, test1 and test2 
// with passwords 1tset and 2tset respectively.
// This code is for illustration purposes only and 
// must not be used in a production environment because it is not secure.    
public override void Validate(string userName, string password)
{
if (null == userName || null == password)
    throw new ArgumentNullException();

if (!(userName == "test1" && password == "1tset") && !(userName == "test2" && password == "2tset"))
    throw new FaultException("Unknown Username or Incorrect Password");
}

我可能会有 1 或 2 个用户名（在许多客户端之间共享，请求来自哪个客户端并不重要）。我发现这篇帖子讨论了如何放置用户名/配置文件中的密码。但不明白这与硬编码两个密码有何不同。
有人可以启发我吗？

原文

I'm writing a WCF service and want to use a CustomUserNameValidator. I found the following code in the MSDN website. I guess usually one would check the username and password from a database, which makes sense. But why is the below hardcoded code considered so unsecure?

// This method validates users. It allows in two users, test1 and test2 
// with passwords 1tset and 2tset respectively.
// This code is for illustration purposes only and 
// must not be used in a production environment because it is not secure.    
public override void Validate(string userName, string password)
{
if (null == userName || null == password)
    throw new ArgumentNullException();

if (!(userName == "test1" && password == "1tset") && !(userName == "test2" && password == "2tset"))
    throw new FaultException("Unknown Username or Incorrect Password");
}

I will have maybe 1 or 2 usernames (shared among many clients, it doesn't matter which client the request comes from). I found this post which talks about putting the username/passwords in a config file. But don't understand how that's much different than hardcoding the two passwords in.
Could somebody please enlighten me?

分享到QQ

分享到微博