#1 jrjespersen, 02-26-2008, 11:36 AM
Issue with GetUserProfile() web service method and Encrypted passwords

I am having an issue with retrieving a user profile with GetUserProfile() method. It appears to be related to password encryption. When I call the method for several of our profiles, the web service proxy class throws an exception referencing an error in the XML document:

Quote:
There is an error in XML document (1, 1202). '', hexadecimal value 0x1D, is an invalid character. Line 1, position 1102.
I think the password property should either be decrypted before being put in the response or should be encapsulated in a CDATA tag. I would tend to lean toward decrypting the password - otherwise the web service API doesn't provide a facility to validate the password and change it if necessary.

The XML being returned from the web service for one of the requests is:

HTML Code:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
	<soap:Body>
		<GetUserProfileResponse xmlns="http://prezzatech.com/Checkbox/Services">
			<GetUserProfileResult>
				<SimpleNameValueOfObjectObject>
					<Name xsi:type="xsd:string">UniqueIdentifier</Name>
					<Value xsi:type="xsd:string">testuser</Value>
				</SimpleNameValueOfObjectObject>
				<SimpleNameValueOfObjectObject>
					<Name xsi:type="xsd:string">UserName</Name>
					<Value xsi:type="xsd:string">testuser</Value>
				</SimpleNameValueOfObjectObject>
				<SimpleNameValueOfObjectObject>
					<Name xsi:type="xsd:string">Email</Name>
					<Value xsi:type="xsd:string">testuser@example.com</Value>
				</SimpleNameValueOfObjectObject>
				<SimpleNameValueOfObjectObject>
					<Name xsi:type="xsd:string">GUID</Name>
					<Value xmlns:q1="http://microsoft.com/wsdl/types/" xsi:type="q1:guid">34986b00-9013-4b06-a014-bfe25219a265</Value>
				</SimpleNameValueOfObjectObject>
				<SimpleNameValueOfObjectObject>
					<Name xsi:type="xsd:string">Password</Name>
					<Value xsi:type="xsd:string">_M?;Z?e?&#x1D;?'?????</Value>
				</SimpleNameValueOfObjectObject>
			</GetUserProfileResult>
		</GetUserProfileResponse>
	</soap:Body>
</soap:Envelope>
This is the stack trace at the point of the exception:

Code:
   at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle, XmlDeserializationEvents events)
   at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at UserManagementServiceProxy.GetUserProfile(Guid contextToken, String userIdentity)
   at CheckboxTester.CheckboxTesterForm.GetUserProfile(String UserID)
   at CheckboxTester.CheckboxTesterForm.GetProfileFromForm()

#2 jrjespersen, 03-19-2008, 08:20 AM

Have you been able to confirm if this is a problem?

#3 ncushing (Administrator, Prezza Technologies), 03-20-2008, 11:26 AM

I haven't personally confirmed it, but it does make sense. Passwords are actually hashed, so there is no way to get the plaintext password once it has been hashed. The hash converts the password into a byte sequence that has values that fall outside the utf-8 encoding space, so CDATA wouldn't fix the issue. We would either have to not include the value or look into base64 encoding the XML messages, which may have its own set of issues.

#4 jrjespersen, 03-24-2008, 09:46 AM

I would vote for not returning the password as part of getting the user profile. We prefer to change password data separately from changing profile data - and we're not modifying existing password data with our custom application.

I can see situations where changing passwords through the web service would be desirable, though, so perhaps a separate method for password manipulation would be in order? In our case, though, we prefer not to know the user's password, so returning the password through a web service method doesn't give us anything - we'd prefer to use a web service method through which we'd pass the password data (in plain text over SSL) for changing passwords.
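
The options weighed in posts #3 and #4, as an added example that is not part of the original thread and is not Checkbox code: it checks a raw digest against the XML 1.0 character rules, shows that both a numeric character reference and a CDATA section are rejected by a parser, and that base64 text or omitting the field is accepted. The digest is a constructed sample, the one-to-one mapping of bytes to characters is an assumption about how the value reached the response, and all function names are illustrative.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed 16-byte digest (not a value from the thread); byte 8 is 0x1D.
RAW_DIGEST = bytes.fromhex("5f4dc33b5a9c65f01d8827b1a4e2c7d9")

def is_xml10_char(cp):
    """XML 1.0 'Char' production: the only code points a document may carry."""
    return (cp in (0x9, 0xA, 0xD) or 0x20 <= cp <= 0xD7FF
            or 0xE000 <= cp <= 0xFFFD or 0x10000 <= cp <= 0x10FFFF)

def illegal_offsets(digest):
    """Offsets of bytes that, mapped one-to-one to characters, XML forbids."""
    return [i for i, b in enumerate(digest) if not is_xml10_char(b)]

def as_char_refs(digest):
    # Numeric references, like the &#x1D; visible in the posted response.
    return "".join(f"&#x{b:X};" for b in digest)

def as_cdata(digest):
    # Assumption: bytes mapped one-to-one to characters (latin-1) in CDATA.
    return "<![CDATA[" + digest.decode("latin-1") + "]]>"

def as_base64(digest):
    return base64.b64encode(digest).decode("ascii")

def parsed_value(body):
    """Text of <Value>body</Value>, or None if the parser rejects it."""
    try:
        return ET.fromstring(f"<Value>{body}</Value>").text
    except ET.ParseError:
        return None

def base64_roundtrip(digest):
    """True if the base64 form parses and decodes back to the same bytes."""
    text = parsed_value(as_base64(digest))
    return text is not None and base64.b64decode(text) == digest

def public_profile(profile):
    """The other option raised in the thread: leave the credential out."""
    return {k: v for k, v in profile.items() if k != "Password"}

if __name__ == "__main__":
    print("illegal byte offsets:", illegal_offsets(RAW_DIGEST))
    for name, enc in (("char refs", as_char_refs), ("CDATA", as_cdata),
                      ("base64", as_base64)):
        ok = parsed_value(enc(RAW_DIGEST)) is not None
        print(f"{name:9} -> {'parses' if ok else 'rejected'}")
```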

All times are GMT -5.