Password validator for MembershipProvider?

I would like to validate a password field for creating / updating users in asp.net (.net 3.5). The password will be used for a MembershipProvider.

What is the best way to implement this so that the validation will use the configuration settings of the membership provider? Of course I can just write the code, but this seems like something so fundam开发者_开发技巧ental that there must be a drop-in way to do it.

[edit] clarified that this is a password field for new users or for changing passwords, so ValidateUser doesn't help.

I would say the answer is no, based on the fact that the SqlMembershipProvider doesn't call a password validation method in its ChangePassword and CreateUser methods. Using Reflector, you can see that it runs through the same set of checks in both methods (see below). So I'd say that writing your own function as you are doing is the way to go.

if (newPassword.Length < this.MinRequiredPasswordLength)
{
    throw new ArgumentException(SR.GetString("Password_too_short", new object[] { "newPassword", this.MinRequiredPasswordLength.ToString(CultureInfo.InvariantCulture) }));
}
int num3 = 0;
for (int i = 0; i < newPassword.Length; i++)
{
    if (!char.IsLetterOrDigit(newPassword, i))
    {
        num3++;
    }
}
if (num3 < this.MinRequiredNonAlphanumericCharacters)
{
    throw new ArgumentException(SR.GetString("Password_need_more_non_alpha_numeric_chars", new object[] { "newPassword", this.MinRequiredNonAlphanumericCharacters.ToString(CultureInfo.InvariantCulture) }));
}
if ((this.PasswordStrengthRegularExpression.Length > 0) && !Regex.IsMatch(newPassword, this.PasswordStrengthRegularExpression))
{
    throw new ArgumentException(SR.GetString("Password_does_not_match_regular_expression", new object[] { "newPassword" }));
}

Roll your own provider, inherited from the built-in one:

public class SqlMembershipProvider : System.Web.Security.SqlMembershipProvider
{
    // called on login attempt
    public override bool ValidateUser(string userName, string password)
    {
        // do your logic

        // use built-in properties, parsed by base class for you, such as:
        if (password.Length < this.MinRequiredPasswordLength)
        {
        }

        //if ok, then:
        base.ValidateUser(userName, password);
    }

    // called on new user creation attempt
    public override MembershipUser CreateUser(string userName, string password, string email, string passwordQuestion, string passwordAnswer, bool isApproved, object providerUserKey, out MembershipCreateStatus status)
    {
        // do your logic

        //if ok, then:
        base.CreateUser(...);
    }

What exactly do you mean by validate?

There is a way to require the password be a certain length, and make it complex ( i.e. 6 alphanumerical, 6 nonalphanumerical) but I don't have access to my notes on the subject.

This would all be done in the configuration file for the application itself. I would have to agree you need to use your own function, there is no reason not to do this, since I would assume you want to extend the default behavior.

I did a quick google search, found what I was thinking about, although my notes are more in-depth.

<membership defaultProvider="SqlProvider"
  userIsOnlineTimeWindow = "20>
  <providers>
    <add
      name="SqlProvider"
      type="System.Web.Security.SqlMembershipProvider"
      connectionStringName="SqlServices"
      requiresQuestionAndAnswer="true"
      minRequiredPasswordLength="7"
      minRequiredNonalphanumericCharacters="1"
      />
  </providers>
</membership>

I should be clear if you want to do anything beyond "Verifies that the specified user name and password exist in the data source." you need your own provider.

I honestly don't understand the reason you do not want to use your own provider....