SecureString: Soup to Nuts, Part II
My last post, SecureString: Soup to Nuts, Part I, dealt with some basic rules around using the SecureString class in .NET and how to prepare the secret stored inside for persistence, without exposing the clear text to a CLR type. In the second part, I'm going to discuss my solution for maintaining SecureString best practices, without sacrificing our MVVM design principles. The XAML and code provided is in WPF, but it's applicable to Silverlight, as well with minimal tinkering.
First let's talk about PasswordBox. The PasswordBox was designed to obscure the user-entered text, both visually and in memory. That is to say, visually, it's much like the old Windows Forms MaskedTextBox, except it's specifically designed for secret data, and will only expose said secret in a clear text string if asked to do so,via the Password property. It's important to understand that the Password property is only a helper that accesses the encrypted data member. For this reason, it is not exposed as a DependencyProperty. This is a source of frustration to developers who have no designs on a SecureString solution. Alas, there's no pleasing everyone, and a Password DependencyProperty would make an acceptable SecureString implementation impossible with PasswordBox. If you Google "PasswordBox MVVM" (without the quotes) you will find that the generally accepted solution for the CLR string camp, makes use of an attached property to expose a CLR string for binding. This effectively takes the MaskedTextBox functionality of PasswordBox, and passes on memory security.
We want an MVVM solution that hands us a SecureString, so let's look at the SecurePassword property. More frustration, as this is also not a DependencyProperty. Before you go angrily writing an attached property to expose the SecureString, understand that this is by design, not neglect. The first commandment of SecureString is to dispose of it when you're finished right? The SecurePassword property gives us a SecureString to use one time, then dispose of it.
The MVVM way to do this is now staring us in the face. We need to bind the event we're going to use to execute our users' credentials to an ICommand.
<PasswordBox x:Name="_passwordBox" ...>
…
<PasswordBox.InputBindings>
<KeyBinding Key="Enter" Command="{Binding ExecuteCredentialsCommand}"
CommandParameter="{Binding ElementName=_passwordBox}" />
</PasswordBox.InputBindings>
</PasswordBox>
<Button Content="Login Button Text" …
Command="{Binding ExecuteCredentialsCommand}"
CommandParameter="{Binding ElementName=_passwordBox}"/>
In this example's ViewModel, I'm using Prism's DelegateCommand implementation of ICommand.
public ViewModelClassConstuctor(IRegionManager regionManager,
IProxyDataProvider dataProvider)
{
ExecuteCredentialsCommand = new DelegateCommand(
//execute method
delegate(object parameter)
{
SecureString securePassword = parameter as SecureString;
if (parameter is PasswordBox)
securePassword = ((PasswordBox)parameter).SecurePassword;
try
{
//authentication/persistence model code
}
finally
{
securePassword.Dispose();
}
},
//can execute method
delegate(object parameter)
{
SecureString securePassword = parameter as SecureString;
if (parameter is PasswordBox)
securePassword = ((PasswordBox)parameter).SecurePassword;
return securePassword != null && securePassword.Length > 0 &&
!string.IsNullOrEmpty(UserName);
});
CredentialsChangedCommand = new DelegateCommand(
delegate
{
ExecuteCredentialsCommand.RaiseCanExecuteChanged();
});
}
public DelegateCommand ExecuteCredentialsCommand { get; private set; }
public DelegateCommand CredentialsChangedCommand { get; private set; }
There you have it. With the code from the previous entry, you can generate a nice authentication prompt with password persistence, without sacrificing memory security or your MVVM design. I hope this has been a helpful guide. Please leave a comment if you liked it, have something you'd like to share, or if you thought it could have been more comprehensive.
August 2nd, 2011 - 18:48
You’re still breaking the MVVM design pattern because you are passing in the PasswordBox control itself (not a SecureString). If you had passed in the SecureString itself it would not have worked because the SecureString is not a DependencyProperty.
Right now there is no way to bind either the Password or SecurePassword without breaking security concerns. Leaving security concerns on the table, you’re breaking the MVVM pattern. Close, but no cigar.
September 26th, 2011 - 20:02
You make a good point. Commanding the PasswordBox does couple the ViewModel more tightly to the View. However I don’t think SecurePassword need be a DependencyProperty in order to loosen it. I could, off the top of my head, make a markup extension that can pass the SecureString explicitly to my command. If I get time, I’ll have to think a more generic/pragmatic solution than that to post it here. In practice, I would probably never extend markup specifically to avoid a bend in the design pattern that still keeps me from interacting with the Model from code behind.