如何绑定到一个MVVM PasswordBox [英] How to bind to a PasswordBox in MVVM

问题描述

我所遇到的一个问题绑定到一个PasswordBox。这似乎是一个安全隐患，但我使用的MVVM模式，所以我想绕过这个。我发现了一些有趣code在这里（有没有人用这种或类似的东西？）

I have come across a problem with binding to a PasswordBox. It seems it's a security risk but I am using the MVVM pattern so I wish to bypass this. I found some interesting code here (has anyone used this or something similar?)

<一个href=\"http://www.wpftutorial.net/PasswordBox.html\">http://www.wpftutorial.net/PasswordBox.html

在技术上看起来很棒，但我不确定如何找回密码。

It technically looks great, but i am unsure of how to retrieve the password.

我基本都在我的 LoginViewModel 为帐号属性和密码。 用户名是罚款和工作，因为它是一个文本框。

I basically have properties in my LoginViewModel for Username and Password. Username is fine and is working as it's a TextBox.

我用code与上面，进入这个

I used the code above as stated and entered this

<PasswordBox ff:PasswordHelper.Attach="True"
    ff:PasswordHelper.Password="{Binding Path=Password}" Width="130"/>

当我有 PasswordBox 为文本框和绑定路径=密码然后在属性我的 LoginViewModel 已更新。

When I had the PasswordBox as a TextBox and Binding Path=Password then the property in my LoginViewModel was updated.

我的code是很简单的，基本上我有一个命令我的按钮。当我preSS它 CanLogin 被调用，如果它返回true，它会调用登录。结果
你可以看到我检查我的用户名这里伟大的工程特性。

My code is very simple, basically I have a Command for my Button. When I press it CanLogin is called and if it returns true it calls Login.
You can see I check my property for Username here which works great.

在登录我跟着我的服务发送一个用户名和密码，用户名包含来自我的查看，但密码是空|空缺

In Login I send along to my service a Username and Password, Username contains data from my View but Password is Null|Empty

private DelegateCommand loginCommand;

    public string Username { get; set; }
    public string Password { get; set; }


    public ICommand LoginCommand
    {
        get
        {
            if (loginCommand == null)
            {
                loginCommand = new DelegateCommand(
                    Login, CanLogin );
            }
            return loginCommand;
        }
    }

    private bool CanLogin()
    {
        return !string.IsNullOrEmpty(Username);
    }

    private void Login()
    {
        bool result = securityService.IsValidLogin(Username, Password);

        if (result) { }
        else { }
    }

---

这是我在做什么。

---

This is what I am doing

<TextBox Text="{Binding Path=Username, UpdateSourceTrigger=PropertyChanged}"
         MinWidth="180" />

<PasswordBox ff:PasswordHelper.Attach="True" 
             ff:PasswordHelper.Password="{Binding Path=Password}" Width="130"/>

我有我的文本框，这是没有问题的，但在我的视图模型的密码是空的。

I have my TextBox, this is no problem, but in my ViewModel the Password is empty.

难道我做错了什么，或缺少一个步骤？

Am I doing something wrong or missing a step?

我把一个断点果然code。输入静态辅助类，但它从来没有更新我的密码在我的视图模型。

I put a breakpoint and sure enough the code enter the static helper class but it never updates my Password in my ViewModel.

推荐答案

很抱歉，但你这样做是错误的。

Sorry, but you're doing it wrong.

人应该有刻在他们的眼皮内侧以下安全指南：

从不保留明文密码在内存中。

People should have the following security guideline tattooed on the inside of their eyelids:
Never keep plain text passwords in memory.

在WPF / Silverlight的PasswordBox不公开DP为Password属性的原因是相关的安全。

如果WPF / Silverlight的是保持一个DP输入密码，将需要的框架，以保持自己的密码加密在内存中。这被认为是相当麻烦的安全攻击向量。
该PasswordBox使用（各种）加密存储和访问密码的唯一途径就是通过CLR属性。

The reason the WPF/Silverlight PasswordBox doesn't expose a DP for the Password property is security related.
If WPF/Silverlight were to keep a DP for Password it would require the framework to keep the password itself unencrypted in memory. Which is considered quite a troublesome security attack vector. The PasswordBox uses encrypted memory (of sorts) and the only way to access the password is through the CLR property.

我建议访问PasswordBox.Password CLR属性，当你从将其放置在任何变量或用作任何属性的值避免。

在客户机RAM明文保存密码是安全没有没有。

因此，摆脱的公共字符串密码{获取;集;}你得在那里。

I would suggest that when accessing the PasswordBox.Password CLR property you'd refrain from placing it in any variable or as a value for any property.
Keeping your password in plain text on the client machine RAM is a security no-no.
So get rid of that "public string Password { get; set; }" you've got up there.

当访问PasswordBox.Password，只是把它弄出来并运到服务器尽快。
不要让周围的密码值，千万不要把它就像任何其他客户机的文本。不要将明文密码在内存中。

When accessing PasswordBox.Password, just get it out and ship it to the server ASAP. Don't keep the value of the password around and don't treat it as you would any other client machine text. Don't keep clear text passwords in memory.

我知道这打破MVVM模式，但你不应该永远绑定到PasswordBox.Password连接DP，存储你的密码中的视图模型或任何其他类似的恶作剧。

I know this breaks the MVVM pattern, but you shouldn't ever bind to PasswordBox.Password Attached DP, store your password in the ViewModel or any other similar shenanigans.

如果你正在寻找一个在架构的解决方案，这里有一个：

  1.创建一个返回密码明文一种方法的IHavePassword接口。

  2.让你的用户控件实现IHavePassword接口。

  3.实现IHavePassword接口，你的IoC注册用户控件实例。

  4.当需要密码服务器请求正在发生，请致电国际奥委会的IHavePassword实施，仅比获得令人垂涎的很多密码。

If you're looking for an over-architected solution, here's one:
1. Create the IHavePassword interface with one method that returns the password clear text.
2. Have your UserControl implement a IHavePassword interface.
3. Register the UserControl instance with your IoC as implementing the IHavePassword interface.
4. When a server request requiring your password is taking place, call your IoC for the IHavePassword implementation and only than get the much coveted password.

只是我拿就可以了。

- 贾斯汀

这篇关于如何绑定到一个MVVM PasswordBox的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！