Launch Workflow Interactive and Secure String doesn't work

uiautomation
activities

#1

Scenario: Launch Workflow Interactive and passing passwords via Dictionary as Secure String

Steps to reproduce: When we launch a xaml using Invoke Workflow, we are passing a dictionary of application passwords as input argument. These passwords are working when the workflow is invoked using “Invoke Workflow”, but doesn’t work when launched using “Launch Workflow Interactive”

Current Behavior: Secure passwords are not getting typed using Type secure or converted to plain text when used with System.Net.NetworkCredential

Expected Behavior: Secure string should work irrespective of invoke methods

Studio/Robot/Orchestrator Version: 2017.1.6522

Last stable behavior:
Last stable version:
OS Version: Windows 7 64bit
Others if Relevant: (workflow, logs, .net version, service pack, etc):


#2

I think Secure string cannot be serialized, only serializable types can be used in Invoke workflow Interactive.


#3

Correct.

Serializing a SecureString would go against its design principles (it would also need to store salt/key needed for deserialization, defeating the whole purpose).

LaunchWorkflowInteractive starts a robot worker as a separate process, hence everything needs to be serialized on one end and deserialized on the other (different processes don’t share memory space).

Putting those 2 together, SecureString cannot be used with LaunchWorkflowInteractive by design and thus this issue cannot be “fixed”, since it’s not an actual bug.

Workaround - use GetCredentials (either from local or Orchestrator asset) where you need them.

Personal sidenote/IMHO - passing credentials all over the place in settings dictionary is a bad idea anyway. These are by definition sensitive and should be available only during login/authentication phase, and disposed of straight after. Overhead of requesting 1 asset with login sequence is miniscule when compared to headache of making sure they’re not used inappropriately anywhere else.


#4

@andrzej.kniola I agree to your points on the credentials being passed along. We were using an approach to get credentials based on whether the process is executing from Orchestrator or as NOT and pick the credentials appropriately (from local store vs assets). Will keep your feedback in mind when we design the next processes. Appreciate your response.