October 29, 2003

IPasswordProvider Madness

Benjamin says that he doesn't like the IPasswordProvider interface in WSE 1.0. I agree with him; it is a little weird. The WSE 2.0 Tech Preview eliminates the interface, but the underlying mechanism still remains if you're not using the built-in Windows Authentication model.

We arrived at this model a long while back because of the nature of the PasswordDigest mechanism in the UsernameToken. In the case where a digest is passed, we didn't want the application developer to have to understand the algorithm required to calculate the digest, or to have to remember to verify it. However, we didn't do a great job of factoring this so that the password is only handed across when it's absolutely needed (that is, only when a digest actually has to be recomputed and compared).

The 2.0 Tech Preview improved things a bit with the SecurityTokenManager model, but it still retained the fundamental requirement to hand the password off to WSE. Since the UsernameToken in 2.0 exposes a public ComputePasswordDigest method, we can probably refactor some more to improve this. The encapsulated algorithm still requires that the application hands the password into a piece of framework code; if you don't like that, then you're probably going to have to do the work yourself if you want to use PasswordDigest.
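To make concrete what the two paragraphs above are describing, here is an added example (my own illustration, not code from the original post and not WSE's implementation) of the PasswordDigest computation defined by the WS-Security UsernameToken Profile, Base64(SHA-1(nonce + created + password)), together with the server-side verification that WSE performs on the application's behalf. The verifier shows exactly why the framework has to be handed the password: the digest can only be checked by recomputing it from the cleartext password. The function and class names, the password store, and the five-minute clock-skew window are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

WSU_TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def compute_password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest per the WS-Security UsernameToken Profile:
    Base64(SHA-1(nonce + created + password)).

    nonce is the raw nonce bytes (what the Base64 <wsse:Nonce> element decodes
    to); created and password are appended as UTF-8 text.
    """
    h = hashlib.sha1()
    h.update(nonce)
    h.update(created.encode("utf-8"))
    h.update(password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def build_username_token(username: str, password: str, nonce: bytes = None,
                         created: str = None) -> dict:
    """Client side: the values that populate a <wsse:UsernameToken> using
    PasswordDigest. A fresh random nonce and a UTC timestamp are generated
    unless the caller supplies them (handy for tests)."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(WSU_TIME_FORMAT)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": compute_password_digest(nonce, created, password),
    }


class DigestVerifier:
    """Server side. The framework role that needs the password handed to it:
    lookup_password(username) must return the cleartext password (or None).
    A seen-nonce cache and a freshness window are the replay checks that a
    bare digest comparison would otherwise leave out."""

    def __init__(self, lookup_password, max_skew=timedelta(minutes=5), now=None):
        self._lookup = lookup_password
        self._max_skew = max_skew
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._seen = set()  # (nonce, created) pairs already accepted

    def verify(self, token: dict) -> bool:
        try:
            nonce = base64.b64decode(token["Nonce"], validate=True)
            created_at = datetime.strptime(token["Created"], WSU_TIME_FORMAT)
            created_at = created_at.replace(tzinfo=timezone.utc)
        except (KeyError, ValueError):  # binascii.Error is a ValueError
            return False
        # Freshness: reject tokens outside the allowed clock-skew window.
        if abs(self._now() - created_at) > self._max_skew:
            return False
        # Replay: the same nonce/created pair must not be accepted twice.
        key = (nonce, token["Created"])
        if key in self._seen:
            return False
        password = self._lookup(token.get("Username"))
        if password is None:
            return False
        expected = compute_password_digest(nonce, token["Created"], password)
        # Constant-time comparison of the Base64 digest strings.
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False
        self._seen.add(key)
        return True


if __name__ == "__main__":
    USERS = {"alice": "correct horse battery staple"}  # constructed sample store
    token = build_username_token("alice", USERS["alice"])
    verifier = DigestVerifier(USERS.get)
    print(verifier.verify(token))  # True
    print(verifier.verify(token))  # False: same nonce/created replayed
```

The point of the class is the shape of its constructor: whatever does the verifying must be able to obtain the cleartext password for the named user, which is the hand-off the post is complaining about. Note also that the digest only protects the password from passive capture; without the nonce cache and freshness window a captured token could be replayed as-is, and none of this replaces transport protection of the message itself.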

Posted by herveyw at October 29, 2003 06:33 PM