Use of ConfigurationProviders to protect connection string


In a web application, an ideal way to store the connection string is using web.config file.
web.config consist of several section one of them is connectionStrings. Storing connection string in
a plain text can be risky to some extent. .Net framework has provided a mechanism using which you can protect
your connection string. So that if accidentally anyone breach into your system and get an access to web.config file,
the connectionString is not reachable to that person.

Let's take a look at this with an example;
1. Create a web site project using Visual Studio.

2. To have a connection string, we will use GridView control. Open default.aspx in design mode.
3. Go to toolbox and drag a gridview control onto the form and set it's datasource as per your database object.
4. The code behind will now look like this.
<asp:GridView ID="GridView1" runat="server" AutoGenerateColumns="False"
            DataKeyNames="DeptID" DataSourceID="SqlDataSource1" 
            EnableModelValidation="True">
            <Columns>
                <asp:BoundField DataField="DeptID" HeaderText="DeptID" InsertVisible="False" 
                    ReadOnly="True" SortExpression="DeptID" />
                <asp:BoundField DataField="DeptName" HeaderText="DeptName" 
                    SortExpression="DeptName" />
            </Columns>
        </asp:GridView>
        <asp:SqlDataSource ID="SqlDataSource1" runat="server" 
            ConnectionString="<%$ ConnectionStrings:MySampleDBConnectionString %>" 
            SelectCommand="SELECT [DeptID], [DeptName] FROM [Department]">
        </asp:SqlDataSource>

5. web.config file will then be reflected with the <connectionStrings/> section which is in readable format.
6. Now to protect the connectionString, open default.aspx.cs file and add these 2 functions.
private void EncryptConnString(string protectionMode)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        section.SectionInformation.ProtectSection(protectionMode);
        config.Save();
    }

    private void DecryptConnString()
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        section.SectionInformation.UnprotectSection();
        config.Save();
    }

7. In page_load function give call as,
Either
EncryptConnString("RSAProtectedConfigurationProvider");
OR
EncryptConnString("DataProtectionConfigurationProvider");

8. For DataProtectionConfigurationProvider, the connectionString section will be then modified as,

<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>        <CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAPZoPJPL7WU2bSGOa18BMVwQAAAACAAAAAAADZgAAqAAAABAAAAAfUh8QAdOcGZJJNc+9QTbJAAAAAASAAACgAAAAEAAAAPlnxynAFzHQ+uS2csFRjO+4AQAAtmWRrXO0QUf9a4haoioMng7gQuAyIBI2q0XJS3j4PwwVLRU+jLwg0CbvFjsrAg6uQG48ooiJO/IaRC9KGnPp2bAFSJZBDsE7UKGN9aa8tC1XqzEn4pzDKsybx1rlJUPE5pX+dfY/oa7PEbrNsqS0OcIiEFWJtvGlKFLmNAXN0CEiSz0AiMMIrqYtFZFNkJyCcqY7InuwqvburYnMTUX5NPco/zeJw+in3CcBaymsMc/9MPe5IwcKJBDOaH2ay8Rt+O3RXdvrCC0TalJlt/l2N4Hd3HPX/6YIUS2vWxIXlwiDT442sjLHUKFiXW2waDUHQx91vfDF9AxX4G4N3O0grr4CyG3OVz4KVHXskDqdStzCeKQQNeQp4et6ldrJjk50aHpmOlVYpV/ilhdanKDRYmwRSiHtv/F6VWyYBpa9MBbfKhS3fAX/pYohjesiUmUKz0J9h4T2Vkyd+WD6eiIMs/giPimaYtiwJFrh8fb1/9BbsPXfFU7dbh22P3s0BZI5cilQxcto/4aNgMhMmMAGRN23jEMK6kzTiLD75WSxnlMZryyr4UqUlaGdI0tLF+GB6Kqro7BmkQ8UAAAA64RcPSpRfxsAIuu5N+rLu92Dd7c=</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>

9. If you make use of RSAProtectedConfigurationProvider the section will look like,

<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
      xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>dAlnD1WJk7imw0yfupREP4ifSHMaJm1cKHVwHQXPRoThnIVtTT3j+svOrELJeIV6gs+KuEdglhhQQo7VBlmQwfcOXxcqyd4/YjAE+Q45YSAI23gQ5Y5WOQU5pvyNyqZJR4XJN2eWzZ6ZBVyTVqiZ9fVEsamPF0R1oesh9CNMD+8=</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>cEPk5EBd58MjInYNrh1oGHp5KH4S4vocyUrPnK5Z/aCaehRxio/XE+IK6GnrvpltQRlZv6fzy/RlrDDpI4uHF0U87kbIYCa9/RbBwlmg4Z14IMuCFpWuBjA+fBqkRiWTn5+6bXxHyS+3WC30kNumxKxSuk5unfvLdD5G7Ei4w1wITwR27zG9MIxJm3UYAYQ8FuDCLloXZEuULRyvB0F9z56eWxcpPU/8koYu7l6siZ5tKO674zZEOp1pzhDEElBcN1o0onFJ0rjJse3lOIAveRFQ5bg35MkjmEYYrSCKLQC1hJ6E4hvfvw==</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>




No comments:

Post a Comment

Labels

.net .Net Instrumentation logging .net localization Agile amazon amazon elasticache amazon services AppDomain Application Domain architecture asp ASP.Net authentication authentication mechanisms Byte order mark c# cache canvas app cdata certifications class classic mode cloud cloud computing cluster code-behind Combobox compilation Configuration providers configurations connection connectionString constructors control controls contructor CSV CTS .net types conversion database DataGridView DataSource DataTable DataType DBML delegates design pattern dispose double encoding Entity framework Events exception handling expiry fault contracts fault exceptions function pointers functions generics help HostingEnvironmentException IIS inner join instance management integrated mode javascript join left outer join LINQ LINQ join LINQ to SQL memory leak methods microsoft model driven app modes in IIS MSIL multiple catch blocks no primary key Nullable Osmos Osmotic Osmotic communication Osmotic communications page events page life cycle partial class PMI powerapps preserve precision points private contructor ProcessExit Project management properties property protect connectionString providerName providers query regular expression repository Responsive Web Design return type run-time RWD Saas self join session session expiry sessions singelton singleton pattern software as a service source control system SQLMetal string toolstrip ToolStrip controls ToolStripControlHost tortoise SVN ToString() try catch finally update wcf web application web design web site web.config where-clause xml

Pages