如何避免C＃中Web配置文件中的硬编码密码 [英] How to avoid hardcoded password in web config file in C#

问题描述

Name and password information should not be included in a configuration file in plaintext as this will allow anyone who can read the file access to the resource.
    
I want to Encrypt the config file and How to avoid Hardcoded password in Config file?

What I have tried:

<pre><connectionStrings>    
<addname="cs"connectionString="DataSource=myServerAddress;Initial Catalog=myDataBase;User Id=myUsername;Password=XXSDFASFDKD;"/>
</connectionStrings>

推荐答案

这不是一个严重的问题，除非你允许每个人看看文件中写了什么。

This is not a serious issue, unless you are allowing everybody to see what is written in the file.

<connectionStrings>    
    <addname="cs"connectionString="DataSource=myServerAddress;Initial Catalog=myDataBase; User Id=myUsername; Password=XXSDFASFDKD;"/>
</connectionStrings>

当您将这些值存储在版本控制中，或者允许每个人阅读您的生产配置时，可能会遇到此方法的问题。



我用其他一些方法来解决这个问题。大多数基于云（以及其他）的托管解决方案都提供环境配置设置。您可以使用它，也可以在部署时重写配置文件，例如https://docs.microsoft.com/en-us/previous-versions/aspnet/dd465326(v=vs.110），或者您可以使用命名约定，如 web.config 和 web.Release.config 。这样，您只能签入web.config，并将web.Release.config版本保存在安全的地方 - 如果您当然不信任您的开发人员。



我做的是，我使用环境变量在运行时加载这些值，并将它们转发给类型加载器和初始化器。这样，我只在托管服务上配置了生产值，本地工程师只能看到自己的系统级配置。除此之外，没有问题，请记住，加密只会夸大问题，而不是解决问题 - 尝试体验它。



看看这个视频，了解如何，https：//www.youtube.com/watch？v = McCcsbM7_2aE

The problem with this approach can come, when you either store these values inside your version control, or you allow everybody to read your production configurations.

I have used some other methods to overcome this problem. Most of the cloud based (and others too) hosting solutions provide environment configuration settings. You can use either that, or you can rewrite the configuration files upon deployment, something like this, https://docs.microsoft.com/en-us/previous-versions/aspnet/dd465326(v=vs.110), or you can use naming convention like web.config and web.Release.config. This way, you will only check-in web.config, and keep the web.Release.config version somewhere safe—if you of course don't trust your developers.

What I did was, I loaded these values on runtime using environment variables, and forwarded them to the type loaders and initializers. This way, I had the production values configured only on the hosting service, and local engineers only see their own system-level configurations. Other than that, there is no problem, and remember, encryption will only exaggerate the problem, instead of solving it—try it to experience it.

Check out this video to understand how, https://www.youtube.com/watch?v=MkcsbM7_2aE

请参阅此处的文章：如何使用aspnet_regiis加密Web.config .exe（Framework 4+）专注于Web农场 [ ^ ]

这里：使用ASP.NET以编程方式加密和解密web.config中的配置节DotNetCurry [ ^ ]

See article here: How to Encrypt Web.config Using aspnet_regiis.exe (Framework 4+) Focus on Web Farms[^]
And here: Programmatically Encrypt and Decrypt Configuration Sections in web.config using ASP.NET | DotNetCurry[^]

我们如何做到这一点。连接到db的所有Web应用程序都使用Windows身份验证。我们创建一个应用程序运行的服务帐户。这是在分配给Web应用程序的应用程序池中配置的。

This how we do it. All web applications that connect to a db use windows authentication. We create a service account that the application runs under. This is configured in the application pool assigned to the web application.

这篇关于如何避免C＃中Web配置文件中的硬编码密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！