I am attempting to rework the AccountController in the MVC4 default template so it uses CSLA rather than SimpleMembership because SimpleMembership didn't meet my requirements.
I am replacing the command-based architecture with CSLA business objects. Right now I am working with the UserRegister business object, which codifies the Register User scenario.
However, I have run into a snag in that I want to validate that the user entered a password and a confirm password field that matches, but I don't want to send these two values to the DataPortal (there is a business rule attached to these properties that automatically fills in PasswordHash and PasswordSalt properties when a password is entered).
I don't want to encrypt the connection or the channel to the dataportal - I just want to ensure that the password values are not in the request at all. So, what is the best approach to achieve this?
Clarification: If the DataPortal is running on the client, there is no issue - I just want to eliminate these values from the serialization stream if they are sent across the network. At the same time, I want to ensure validation still passes. Note that I also want to use the real password value for the login scenario that is executed in the same request, so I will also need client-side (controller) access to the password value.
I am using MVC4, .NET 4.5, and CSLA 4.5.20.