JohnMSyrasoft
I have a question regarding the storage and encryption of connection string
data within an ASP.NET application that I am writing. I am using ASP.NET
2.0 and have just recently downloaded the latest CTP Beta 2 version of
Whidbey. After some trial and error, I am faced with three options and would
like to know what would be the best way to proceed.
Option 1:
My original idea was to do things a little differently by storing my
appSettings in a different file using the convenient external linking
capability in the web.config file:
<appSettings file="filename.config">
My connection string information is stored under the appSettings section. I
purposely wanted to leave out appSettings from the web.config file.
So my filename.config looks something like this:
<appSettings>
  <add key="ConnectString" value="connectstringvalue…."></add>
  <add key="secondkey" value="secondvalue"></add>
  <add key="thirdkey" value="thirdvalue"></add>
</appSettings>
My question is, can I have the best of both worlds by using this external
linkage capability as well as using the ConfigurationManager in this code to
encrypt my appSettings:
Public Sub EncryptAppSettings(ByVal protectionProvider As String)
    '---open the web.config file
    Dim config As System.Configuration.Configuration = _
        ConfigurationManager.OpenWebConfiguration(_virtualAppPath)
    '---indicate the section to protect
    Dim section As ConfigurationSection = _
        config.Sections("appSettings")
    '---specify the protection provider
    If Not section.SectionInformation.IsProtected Then
        section.SectionInformation.ProtectSection(protectionProvider)
        '---Apply the protection and update
        config.Save()
    End If
End Sub
The problem is that "config.Save()" dumps all my appSettings directly into
web.config.
So first of all, is this option even possible? If so, then what am I doing
wrong or not doing at all? If this is not feasible, then I think it leaves me
to choose between Option 2 & Option 3.
Option 2:
Instead of using the ConfigurationManager for encryption/decryption, I would
write my own encryption/decryption methods that use the classes in the
System.Xml and System.Security.Cryptography namespaces to access my
connection string key in my appSettings file, and then encrypt or decrypt it.
I would call these methods any place within my application where the data
needs to be accessed via the connection string.
Option 3:
Instead of storing my connection string information under appSettings, I
would revert back to storing it in my web.config file under the
<connectionStrings> tag and use the following code whenever it needs to be
replaced with a new encrypted connection string:
    Dim connectString As New ConnectionStringSettings
    ConfigurationManager.ConnectionStrings.RemoveAt(0)
    connectString.Name = "EarltonConnection"
    connectString.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & smsPath & _
        ";Persist Security Info=True;Jet OLEDB:Database Password=holly"
    ConfigurationManager.ConnectionStrings.Add(connectString)
    Me.EncryptConString("RSAProtectedConfigurationProvider")
End Sub
-------------------------------------------------------------------
Public Sub EncryptConString(ByVal protectionProvider As String)
    '---open the web.config file
    Dim config As System.Configuration.Configuration = _
        ConfigurationManager.OpenWebConfiguration(_virtualAppPath)
    '---indicate the section to protect
    Dim section As ConfigurationSection = _
        config.Sections("connectionStrings")
    '---specify the protection provider
    If Not section.SectionInformation.IsProtected Then
        section.SectionInformation.ProtectSection(protectionProvider)
        '---Apply the protection and update
        config.Save()
    End If
End Sub
Correct me if I am wrong, but option 3 would remove the need to have to
write my own decryption function since automatic decryption occurs for
controls that need to connect to the database, and also due to the fact that
I am not technically changing the connection string (I would not be allowed
to anyway since it is a ReadOnly property) but replacing it with a new one.
Please advise which of the three options would be the best in terms of
security and feasibility. (Ideally I would like to use Option 1, leaving out
the connection string from my web.config file, but from my own experience, it
will not seem to work.) Thank you,
Sabeeh
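
Added example, not part of the original post: a check to run after config.Save() that reports, for web.config and any file it links through file= or configSource=, whether appSettings and connectionStrings are encrypted or still readable. The sample files are constructed to model the end state described above (encrypted section in web.config, plaintext linked file); the function names and the placeholder value are assumptions.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

SECTIONS = ("appSettings", "connectionStrings")

def local(tag):
    """Strip an XML namespace prefix such as {uri}appSettings."""
    return tag.rsplit("}", 1)[-1]

def state(elem):
    """'protected' = provider attribute plus EncryptedData; 'plaintext' = readable <add> entries."""
    kids = [local(c.tag) for c in elem]
    if "configProtectionProvider" in elem.attrib and "EncryptedData" in kids:
        return "protected"
    return "plaintext" if "add" in kids else "empty"

def audit(web_config):
    """Map (file name, section) -> state for web.config and every file it links to."""
    base = os.path.dirname(os.path.abspath(web_config))
    found = {}
    for elem in ET.parse(web_config).getroot():
        name = local(elem.tag)
        if name not in SECTIONS:
            continue
        found[(os.path.basename(web_config), name)] = state(elem)
        # file= and configSource= both name a second file that must be checked too
        for attr in ("file", "configSource"):
            linked = os.path.join(base, elem.get(attr, ""))
            if elem.get(attr) and os.path.isfile(linked):
                found[(elem.get(attr), name)] = state(ET.parse(linked).getroot())
    return found

# Constructed sample: encrypted appSettings in web.config, plaintext linked file.
WEB = """<configuration>
  <appSettings file="filename.config"
               configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData><CipherData><CipherValue>AAAA</CipherValue></CipherData></EncryptedData>
  </appSettings>
</configuration>"""
LINKED = """<appSettings>
  <add key="ConnectString" value="constructed-placeholder" />
</appSettings>"""

def demo():
    """Write the constructed files to a temp directory and audit them."""
    with tempfile.TemporaryDirectory() as d:
        for fname, text in (("web.config", WEB), ("filename.config", LINKED)):
            with open(os.path.join(d, fname), "w") as fh:
                fh.write(text)
        return audit(os.path.join(d, "web.config"))
```

Any entry reported as plaintext is a file that still exposes its values to anyone who can read the application directory, whatever web.config itself shows.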