I am having the following problem. I have an ASP.NET (VB.NET) application that is trying to connect to Amazon Web services using the AWS .NET SDK, and in order to do that the user is entering their Access and secret key. I am then adding the key to configuration like so:
Dim config As Configuration = WebConfigurationManager.OpenWebConfiguration("~")
Dim settings As KeyValueConfigurationCollection = config.AppSettings.Settings
settings("AWSAccessKey").Value = AmazonAccessKeyText.Text
settings("AWSSecretKey").Value = AmazonSecretKeyText.Text
config.Save(ConfigurationSaveMode.Modified)
ConfigurationManager.RefreshSection("appSettings")
While this successfully modifies the web.config file, it still throws an exception at runtime saying that it can't find the Access key. Can anyone tell me what I am doing wrong?
If I understand correctly you have as ASP.NET application that connects to the AWS on the clients behalf, if so storing the clients credentials locally might be the best idea from a security point of view.
You can either
Only store the credentials in memory in the session only when needed in something like a SecureString
Store them encrypted on the disk using any crypt apis.
The amazon sdk doesn't need the credentials stored in the app/web.config. If you look at something like AWSClientFactory.CreateAmazonS3Client , you will notice that you can pass them as parameters to this function
Probably, it is better to keep your received in key in Application object? for example static.
It is much clearer and simpler and will not cause a recycle of application when web.config is modified
Related
I am using Environment.GetEnvironmentVariable but getting null
var data = Environment.GetEnvironmentVariable("variableName");
Console.WriteLine(data);
I know I am missing something but don't know why. I want to use these variables in my code and not store them in a setting.json file
I want to use these variables in my code and not store them in a setting.json file
This is not the purpose of Azure DevOps variable groups. Do not try this approach.
Variable groups are intended to store pipeline configuration values and secrets, not application configuration. As an example of how this is an incorrect usage of variable groups, the REST APIs do not and cannot return secret values. Secret values are only available in pipelines.
You should use a real configuration store solution, such as Azure App Configuration in conjunction with Azure KeyVault.
I have been requested from my partner to use his API, and to use this API, I should encrypt all sent data to AES 256. He shared a .jks file with me, in addition to some parameters with values like (Alias, KEYSTORE_PASSWORD and KEY_PASSWORD), then he told me that the password which I should use for encryption is stored in that JKS file, and to open it, I should use the pre-shared parameters.
So, how can I reach that?
UPDATE ...
This is not a web service am trying to invoke, I just need to get the Password which is stored in the JKS file, so, I am not going to invoke an API or import a certificate into my client app. So, it doesn't matter if opening the app by C# or any other tool, i just need to get the password in order to use it later in encrypting some data.
I opened the given file by using KeyStore Explorer, then I imported the file into the app and providing it with all shared info like KeyStore_Password and Key_Password. Eventually, it opens.
I know that is away off C#, but all what I needed is to get the Password which is stored in that file, and this was my first time to deal with something like that.
But you cannot access "TrustedCertEntry". It is a restriction.
See: https://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallProbs
I am trying to configure some key/value pairs for my Azure web application using app settings section on Windows Azure preview portal.
Now I am trying to read values like below
ConfigurationManager.AppSettings["MyWebApp.DbConnectionString"];
but it returns null values.
Reading app settings from Web.config in my web application works fine.
I found the solution.
Keep values in web.config as well as in Azure App setting. When you are running/debugging application on your local environment it picks values from web.config.
When you deploy application on Azure it picks values from App setting.
//Below code work for both.
ConfigurationManager.AppSettings["KeyName"]
Keep key name same in web.config as well as in Azure app setting.
In Azure, there are a few different ways of retrieving Application Settings and Connection Strings. However, connection strings work a little differently than vanilla application settings.
Application Settings can be retrieved by any method, regardless of whether or not they are present in the Web.config file.
Connection Strings can also be retrieved by any method if the string is defined in Web.config. However, if the connection string is NOT defined in Web.config, then it can only be retrieved using the Environment Variable method.
Retrieving as Environment Variable
Environment.GetEnvironmentVariable("APPSETTING_my-setting-key");
Environment.GetEnvironmentVariable("SQLAZURECONNSTR_my-connection-string-key");
Note that the keys must be prepended with a string designating their type when using this method.
All Application Settings use the APPSETTING_ prefix.
Connection Strings have a different prefix depending on the type of database selected when creating the string in the portal:
"Sql Databases" --> "SQLAZURECONNSTR_my-connection-string-key"
"SQL Server" --> "SQLCONNSTR_my-connection-string-key"
"MySQL" --> "MYSQLCONNSTR_my-connection-string-key"
"Custom" --> "CUSTOMCONNSTR_my-connection-string-key"
For a full overview, see the Windows Azure Web Sites documentation.
System.Environment.GetEnvironmentVariable("SERVICEBUS_CONNECTION")
works great!
First off, this is an educational question - not something I am implementing in a productional application since I am learning the basics of C#.
Currently I have a solution containing 2 (actually 3, but one is unit testing) projects;
Form
Class Library
Inside the Class Library I have a class called Database.cs and it communicates with a MySQL database. I don't directly communicate with this Database.cs class, but other classes inside the Class Library do (for example Products.cs).
Though, I need credentials to connect to this MySQL database and I am not sure which way to go to do it safely.
Storing it inside the Class Library / hard-coding the credentials inside the class.
This wouldn't make sense to me since a user can easily grab the DLL and he technically got the credentials to the database.
Pass the credentials through the form to a class (like Products.cs) and that class passes it on while initializing the Database object
Could work, tried and it works but I am not sure if this is the 'neatest' way to do it.
Write a static class that contains properties with the credentials
Again, if I create this static class inside the Class Library I am pretty much off the same as my first example. If I would create this static class inside the Form, I require to add a reference to the Form-project from my Class Library (not the way I want it to be).
I tried looking stuff up but I am apparently not doing it right. Is there any other way to do this?
First of all never hard-code credentials into code because credentials tend to change over time so that means you will have to recompile and redeploy your application each time SQL credentials change.
Usually all information needed to connect to database is stored in application configuration file in a form of connection string.
If your application is web application then you're good to go because web.config (a web application configuration file) is stored on a web server and is never served to web requests.
But if your application is windows forms application, then security considerations kick in meaning that any user who uses your app could peek into application configuration file and get credentials. If it would be Microsoft SQL I would advise to use Windows Authentication. But with MySQL I guess you're doomed to store user name and password into connection string. Then I would suggest securing your connection string by encrypting it.
Also if your users can/have to authenticate against MySQL server (enter MySQL username and password), then you could use a connection string template and substitute certain parts of it with user name and password:
app.config
<connectionStrings>
<add name="MyApplication" connectionString="Location=myServerAddress;Data Source=myDataBase;User ID={0};Password={1};
Port=3306;Extended Properties=""""; />
</connectionStrings>
C# code
var username = textboxUsername.Text;
var password = textboxPassword.Text;
var connectionString = string.Format(ConfigurationManager.ConnectionStrings["MyApplication"].ConnectionString, username, password)
// at this point you have a connection string whitch could be passed to your Products class
Do not hardcode your credentials as that may prove to cause issues, firstly if you need to change your login credentials to the database at a later stage then you will have to recompile your class library, secondly as you mention the security will be compromised.
It is a good technique to leave the connection information to the main application instead of storing them in your data layer. Refactor your data layer to accept the connection string during runtime, this value needs to be passed by the main application to the data access layer.
This way you get 2 advantages:
When you deploy your application, the deployed location can have a different connection credential than your development environment
You can encrypt connection strings in your configuration file so as to increase security
I'm developing a .NET Framework 4.0 based Windows application.
I have a requirement of distributing this window application, along with source code to client.
When I test I'm using my own database credentials.
So I want a method to somehow hide the app.config details.
For this, I tried with encrypting values in app.config but faced an issue with token keys.
While researching about it, I found that I can use:
System.Web.Configuration.WebConfigurationManager.OpenWebConfiguration.
But that again required username and password for accessing remote server and don't want to show them to the client.
So for this I planned to read web.config hosted on IIS 7.5 Server.
Could you please help me in that context?
Or if you have better ideas to achieve the objective, do share.
The code is designed to be very close in syntax to the usual method used for accessing web.config from a web app. Pass the constructor the location of the web.config file you wish to parse and then use the AppSettings method to obtain the desired value;
string filename = #"c:\temp\Web.Config";
UK.Org.Webman.ConfigurationSettings ConfigurationSettings =
new UK.Org.Webman.ConfigurationSettings(filename);
string PrimaryDatabase = ConfigurationSettings.AppSettings["PrimaryDatabase"];