How to: Secure Connection Strings When Using Data Source Controls
https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-3.0/dx0f3cf2(v=vs.85)
When working with data source controls it is recommended that you centralize the location of your connection strings by storing them in the application's Web.config file. This simplifies the management of connection strings by making them available to all of the ASP.NET pages in a Web application. In addition, you do not need to modify numerous individual pages if your connection string information changes. Finally, you can improve the security of sensitive information stored in a connection string, such as the database name, user name, password, and so on, by encrypting the connection string section of the Web.config file using protected configuration.
This topic describes how to store connection strings in the connectionStrings configuration section in the Web.config file, and how to use the command-line .NET Framework tool to encrypt connection strings for additional security.
To store a connection string in the Web.config file
Open the Web.config file for your application. If a Web.config file does not already exist, create a text file named Web.config and add the following content:
Copy<?xml version="1.0"?>
<configuration
xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<appSettings/>
<system.web>
</system.web>
</configuration>
In the configuration element, create a new element named connectionStrings, as shown in the following example:
Copy<?xml version="1.0"?>
<configuration
xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<connectionStrings> </connectionStrings>
<appSettings/>
<system.web>
</system.web>
</configuration>
In the connectionStrings element, create an add element for each connection string you will use in your Web application. Include the attributes shown in the following table.
Attribute Description name
A name for this connection string configuration object. This name will be used by data source controls and other features to reference the connection string information.
connectionString
The connection string to the data source.
providerName
The namespace of the NET Framework data provider to use for this connection, such as System.Data.SqlClient, System.Data.OleDb or System.Data.Odbc.
A completed connectionStrings element might look like the following example:
Copy<connectionStrings>
<add
name="NorthwindConnection"
connectionString="Data Source=localhost;Integrated Security=SSPI;Initial Catalog=Northwind;" />
</connectionStrings>
Save and close the Web.config file.
You can now reference the connection string for your data source control by referring to the name you specified for the name attribute.
In the ConnectionString attribute for your data source control, use the connection string expression syntax to reference the connection information from the Web.config file.
The following example shows a SqlDataSource control in which the connection string is read from the Web.config file:
Copy<asp:SqlDataSource ID="ProductsDataSource" Runat="server"
SelectCommand="SELECT * from Products"
ConnectionString="<%$ ConnectionStrings: NorthwindConnection %>"
</asp:SqlDataSource>
To encrypt connection string information stored in the Web.config file
At the Windows command line, run the ASP.NET IIS registration tool (aspnet_regiis.exe) with the following options:
The -pe option, passing it the string "connectionStrings" to encrypt the connectionStrings element.
The -app option, passing it the name of your application.
The aspnet_regiis.exe tool is located in the
%systemroot%\Microsoft.NET\Framework\versionNumber folder.The following example shows how to encrypt the connectionStrings section of the Web.config file for an application named
SampleApplication:Copyaspnet_regiis -pe "connectionStrings" -app "/SampleApplication"
When the command has finished, you can view the contents of the Web.config file. The connectionStringsconfiguration section will contain encrypted information instead of a clear-text connection string, as shown in the following example:
Copy<configuration>
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>RSA Key
</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>WcFEbDX8VyLfAsVK8g6hZVAG1674ZFc1kWH0BoazgOwdBfinhcAmQmnIn0oHtZ5tO2EXGl+dyh10giEmO9NemH4YZk+iMIln+ItcEay9CGWMXSen9UQLpcQHQqMJErZiPK4qPZaRWwqckLqriCl9X8x9OE7jKIsO2Ibapwj+1Jo=
</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>OpWQgQbq2wBZEGYAeV8WF82yz6q5WNFIj3rcuQ8gT0MP97aO9SHIZWwNggSEi2Ywi4oMaHX9p0NaJXG76aoMR9L/WasAxEwzQz3fexFgFSrGPful/5txSPTAGcqUb1PEBVlB9CA71UXIGVCPTiwF7zYDu8sSHhWa0fNXqVHHdLQYy1DfhXS3cO61vW5e/KYmKOGA4mjqT0VZaXgb9tVeGBDhjPh5ZlrLMNfYSozeJ+m2Lsm7hnF6VvFm3fFMXa6+h0JTHeCXBdmzg/vQb0u3oejSGzB4ly+V9O0T4Yxkwn9KVDW58PHOeRT2//3iZfJfWV2NZ4e6vj4Byjf81o3JVNgRjmm9hr9blVbbT3Q8/j5zJ+TElCn6zPHvnuB70iG2KPJXqAj2GBzBk6cHq+WNebOQNWIb7dTPumuZK0yW1XDZ5gkfBuqgn8hmosTE7mCvieP9rgATf6qgLgdA6zYyVV6WDjo1qbCV807lczxa3bF5KzKaVUSq5FS1SpdZKAE6/kkr0Ps++CE=
</CipherValue>
</CipherData>
</EncryptedData>
</connectionStrings>
</configuration>
Leave the command prompt open for later steps.
Determine the user account or identity under which ASP.NET runs by retrieving the current WindowsIdentity name.
The following example shows one way to determine the WindowsIdentity name:
C#Copy<%@ Page Language="C#" %>
<%
Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);
%>
NoteBy default, on Windows Server 2003 with impersonation for an ASP.NET application disabled in the Web.config file, the identity under which the application runs is the NETWORK SERVICE account. On other versions of Windows, ASP.NET runs under the local ASPNET account.
The user account or identity under which ASP.NET runs must have read access to the encryption key used to encrypt and decrypt sections of the Web.config file. This procedure assumes that your Web site is configured with the default RsaProtectedConfigurationProvider specified in the Machine.config file named "RsaProtectedConfigurationProvider". The RSA key container used by the default RsaProtectedConfigurationProvider is named "NetFrameworkConfigurationKey".
At the command prompt, run the aspnet_regiis.exe tool with the following options:
The -pa option, passing it the name of the RSA key container for the default RsaProtectedConfigurationProvider.
The identity of your ASP.Net application, as determined in the preceding step.
The following example shows how to grant the NETWORK SERVICE account access to the machine-level "NetFrameworkConfigurationKey" RSA key container:
Copyaspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"
To decrypt the encrypted Web.config file contents, run the aspnet_regiis.exe tool with the -pd option. The syntax is the same as encrypting Web.config file contents with the -pe option except that you do not specify a protected configuration provider. The appropriate provider is identified in the configProtectionProvider attribute for the protected section.
The following example shows how to decrypt the connectionStrings element of ASP.NET application
SampleApplication.Copyaspnet_regiis -pd "connectionStrings" -app "/SampleApplication"
最新文章
- C#可扩展编程之MEF学习笔记(五):MEF高级进阶
- 哈希 poj 1480
- linux下设置进程优先级方法!
- javaWeb中的/路径问题
- linux之SQL语句简明教程---表格连接
- eclipse-jee 配置tomcat7,解决404错误
- Hadoop RPC机制
- JavaScript跨域请求和jsonp请求实例
- linux开发调试工具---GDB的使用
- POJ_1556_The Doors_判断线段相交+最短路
- QinQ 简介
- Django学习手册 - 登录验证码
- vue WepApp 音乐App实战以及各个知识点
- 大型运输行业实战_day11_1_aop理论与aop实际业务操作
- 1.5.6、CDH 搭建Hadoop在安装之前(定制安装解决方案---使用Cloudera Manager模板创建CDH群集)
- rename 批量修改文件名简单用法
- 《构建高性能web站点》读书笔记:CPU/IO并发策略
- FileStream 和StreamWriter 一起用时
- weblogic在linux和window下的安装
- html基础整理(02浮动 问题)