Study note 014-01-02-02-03: Passwords in the Security System
This topic describes the built-in XAF tools for generating and changing user passwords when the AuthenticationStandard authentication type is used.
Password Encryption
The ApplicationUser class generated by the XAF Solution Wizard does not store a password as plain text. Instead, a derived hash is created from the password using the Rfc2898DeriveBytes or SHA512 class. Use the static EnableRfc2898 and SupportLegacySha512 properties of the DevExpress.Persistent.Base.PasswordCryptographer class to specify the password encryption algorithm.
You can specify these static property values in one of the following locations:
- in the constructor of your platform-agnostic module located in the Module.cs file;
- in the constructor of your application located in the WinApplication.cs or WebApplication.cs file;
- in the Main method of the WinForms application located in the Program.cs file, before the WinApplication.Start call;
- in the Application_Start method of the ASP.NET Web Forms application located in the Global.asax.cs file, before the WebApplication.Start call.
Note
If you use Middle Tier Security, you also need to specify these static properties in the server application's Main method located in the Program.cs file.
The DevExpress.Persistent.Base.PasswordCryptographer class supports FIPS compatibility. Refer to the following topic for details: FIPS-compliance changes to the DevExpress.Persistent.Base.PasswordCryptographer and DevExpress.ExpressApp.Utils.ImageLoader classes. XAF applications created with Solution Wizard version 17.1 or higher use the RFC 2898 algorithm.
Important
The Sha512 algorithm is vulnerable. Use the RFC 2898 algorithm in your applications.
If you need to use the Sha512 algorithm for backward compatibility, set the PasswordCryptographer.SupportLegacySha512 property to true as follows:
ASP.NET Core Blazor, Web API
File: MySolution.WebApi\Startup.cs (MySolution.Blazor.Server\Startup.cs)
```csharp
public class Startup {
    // ...
    public void ConfigureServices(IServiceCollection services) {
        // ...
        // Accept hashes produced by the legacy SHA512 algorithm.
        PasswordCryptographer.SupportLegacySha512 = true;
        // ...
    }
}
```
WinForms
File: MySolution.Win\WinApplication.cs
```csharp
namespace MySolution.Win {
    public partial class MySolutionWindowsFormsApplication : WinApplication {
        // The static constructor runs before any application instance is created,
        // so the setting is in place before the security system reads a password.
        static MySolutionWindowsFormsApplication() {
            DevExpress.Persistent.Base.PasswordCryptographer.SupportLegacySha512 = true;
        }
        // ...
    }
}
```
You can also configure application settings to match the specified version of DevExpress frameworks and libraries. Use the FrameworkSettings.DefaultSettingsCompatibilityMode property for this purpose.
Administrator-Generated Passwords
Administrators can use the ResetPassword Action to generate a password for a particular user. This Action is activated if the user type implements the IAuthenticationStandardUser interface and Standard Authentication is applied.
The ResetPasswordController View Controller provides the ResetPassword Action, which is enabled for root Views and located in the RecordEdit Action Container. This Action invokes the following dialog:
The user can change the generated password later.
Note
Changes you made in the Detail View are lost after the ResetPassword Action execution. To save changes when this Action is executed, set the SaveUserObjectOnPasswordChanging property to true.
Change the Password After the First Logon
User objects that implement the IAuthenticationStandardUser interface have the IAuthenticationStandardUser.ChangePasswordOnFirstLogon property. If you set this property to true for a particular user, the following dialog is displayed after this user logs on:
Since the AuthenticationActiveDirectory authentication type does not expect XAF application passwords to change, this window is displayed only when Standard Authentication is used.
End-User Password Modifications
When the Standard Authentication type is used, end users who have access to the My Details Detail View can change their passwords using the ChangeMyPassword Action. This Action is located in the Edit Action Container and is activated for the My Details Detail View. It invokes the following dialog:
Note
- You can force users to have complex passwords using the approach described in the Non-Persistent Objects Validation topic.
- Changes you made in the Detail View are lost after the ChangeMyPassword Action execution. To save changes when this Action is executed, set the SaveUserObjectOnPasswordChanging property to true.
Access Passwords in Code
It is impossible to decrypt the stored value to get the original password. To verify or encrypt passwords with a custom algorithm, use one of the following methods:
- The static PasswordCryptographer.VerifyHashedPasswordDelegate and PasswordCryptographer.HashPasswordDelegate methods.
The following code snippet demonstrates how to customize the behavior of these methods:
```csharp
using DevExpress.Persistent.Base;
// ...
// Replace the built-in hashing and verification with your own implementations.
PasswordCryptographer.VerifyHashedPasswordDelegate = VerifyHashedPassword;
PasswordCryptographer.HashPasswordDelegate = HashPassword;
// ...
static bool VerifyHashedPassword(string saltedPassword, string password) {
    bool result = false;
    // validate password here: recompute the hash from 'password' and compare it with 'saltedPassword'.
    return result;
}
static string HashPassword(string password) {
    string hash = null;
    // create hash here: derive a salted hash from 'password' and return the string to store.
    return hash;
}
```
- To compare a plain password with a hashed password in a non-XAF .NET app with XPO, use the following code:
```csharp
using DevExpress.Persistent.Base;
using DevExpress.Persistent.BaseImpl.PermissionPolicy;
using DevExpress.Xpo;
using DevExpress.Xpo.DB;
using DevExpress.Xpo.Metadata;
using System.Linq;

namespace ConsoleApp1 {
    class Program {
        static void Main(string[] args) {
            // Use the same algorithm settings as the XAF application that created the hashes.
            PasswordCryptographer.EnableRfc2898 = true;
            PasswordCryptographer.SupportLegacySha512 = false;
            // Register the persistent user class with XPO metadata.
            var dictionary = new ReflectionDictionary();
            dictionary.GetDataStoreSchema(typeof(ApplicationUser));
            var cs = @"integrated security=SSPI;pooling=false;data source=(localdb)\mssqllocaldb;initial catalog=MainDemo_v20.1";
            XpoDefault.DataLayer = XpoDefault.GetDataLayer(cs, AutoCreateOption.None);
            XpoDefault.Session = null;
            var session = new UnitOfWork();
            var user = session.Query<ApplicationUser>().FirstOrDefault(u => u.UserName == "John");
            // StoredPassword holds the salted hash, never the plain-text password.
            var saltedPassword = (string)user?.GetMemberValue("StoredPassword");
            var areEqual = PasswordCryptographer.VerifyHashedPasswordDelegate(saltedPassword, "test");
        }
    }
}
```
- The IAuthenticationStandardUser.ComparePassword and IAuthenticationStandardUser.SetPassword methods. To use these methods, obtain an instance of the target user class that implements the IAuthenticationStandardUser interface. See the example in the following help topic: How to: Implement a Custom Security System User Based on an Existing Business Class.
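As an added example that is not code from the DevExpress documentation or the XAF framework, the following program shows a complete pair of custom HashPasswordDelegate and VerifyHashedPasswordDelegate implementations for the first method above: the RFC 2898 (PBKDF2) algorithm with a random per-password salt and a constant-time comparison. The stored-string format "pbkdf2$iterations$salt$hash", the iteration count and the CustomPasswordHashing class name are assumptions of this example, and it targets .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using DevExpress.Persistent.Base;

static class CustomPasswordHashing {
    const int Iterations = 100_000; // PBKDF2 work factor (assumed value; raise it as hardware allows)
    const int SaltSize = 16;        // 128-bit random salt per stored password
    const int HashSize = 32;        // 256-bit derived key

    // Stored format (assumption of this example): "pbkdf2$<iterations>$<salt-base64>$<hash-base64>".
    // Keeping the iteration count in the string lets old hashes stay verifiable after it is raised.
    public static string HashPassword(string password) {
        var salt = RandomNumberGenerator.GetBytes(SaltSize);
        using var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256);
        var hash = kdf.GetBytes(HashSize);
        return $"pbkdf2${Iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(hash)}";
    }

    public static bool VerifyHashedPassword(string saltedPassword, string password) {
        if (string.IsNullOrEmpty(saltedPassword) || password == null) return false;
        var parts = saltedPassword.Split('$');
        // Anything that is not in this format (including a legacy unsalted hash) is rejected.
        if (parts.Length != 4 || parts[0] != "pbkdf2") return false;
        if (!int.TryParse(parts[1], out var iterations) || iterations < 1) return false;
        byte[] salt, expected;
        try {
            salt = Convert.FromBase64String(parts[2]);
            expected = Convert.FromBase64String(parts[3]);
        } catch (FormatException) {
            return false;
        }
        using var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256);
        var actual = kdf.GetBytes(expected.Length);
        // Constant-time comparison so that a mismatch position does not leak through timing.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // Plug both delegates into the XAF security system (call once at startup, see the locations above).
    public static void Register() {
        PasswordCryptographer.HashPasswordDelegate = HashPassword;
        PasswordCryptographer.VerifyHashedPasswordDelegate = VerifyHashedPassword;
    }

    static void Main() {
        Register();
        var stored = HashPassword("correct horse");
        Console.WriteLine(stored);
        Console.WriteLine(VerifyHashedPassword(stored, "correct horse")); // the right password verifies
        Console.WriteLine(VerifyHashedPassword(stored, "wrong"));         // a wrong password does not
        Console.WriteLine(HashPassword("correct horse") != stored);       // a fresh salt gives a new hash
    }
}
```

Because the random salt is embedded in the stored string, two users with the same password get different hashes, and a hash in any other format is rejected rather than silently accepted.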