app.config中的ConnectionStrings.那么安全性呢? [英] ConnectionStrings in app.config. What about security?
问题描述
在app.config文件中放置带有密码的连接字符串真的很好吗?
Is it really a Good Thing to put connection strings with passwords in the app.config file?
在我看来,app.config并未以任何方式进行加密,并且可以轻松读取密码信息.
It seems to me that the app.config is not encrypted in any way and the password information can be easily read.
我有一个应用程序,该应用程序访问一个预期的最终用户没有身份验证的数据库.使用组用户/密码.仅当当前Windows用户位于Active Directory组中时,应用程序才会启动.因此,一旦进入应用程序,就可以使用组用户允许用户连接到数据库.
I have an app which accesses a database for which the intended end-user have no authentication. A group user/password is used. The application only starts if the current windows user is in an Active Directory group. So, once in the app, the user is allowed to connect to the DB using the group user.
处理此类连接字符串的正确方法是什么?将它们隐藏在源代码中?
What would be the correct way to handle such connection strings? Hide them in the source code?
注意这是用于独立应用程序-不适用于ASP,IIS等
NOTE this is for a stand-alone app - not ASP, IIS etc
这对我有用
(thanks to Jon Galloway - http://weblogs.asp.net/jgalloway/archive/2008/04/13/encrypting-passwords-in-a-net-app-config-file.aspx)
private void EncryptConfigSection()
{
Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
ConfigurationSection section = config.AppSettings;
if (section != null)
{
if (!section.SectionInformation.IsProtected)
{
if (!section.ElementInformation.IsLocked)
{
section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
section.SectionInformation.ForceSave = true;
config.Save(ConfigurationSaveMode.Full);
}
}
}
}
这是通过在应用程序首次运行时对exe配置文件进行加密来实现的.在安装过程中,我还没有找到执行此操作的方法,因此在首次启动应用程序之前,配置文件是完全可读的.也许有人有主意...
This works by encrypting the exe config file the first time the app runs. I haven't found a way of doing this as part of the installation process so the config file is fully readable until the app is started for the first time. Perhaps someone has an idea...
推荐答案
您可以加密app.config或web.config文件的一部分,请参见
You can encrypt parts of the app.config or web.config file, see for example this post for more information.
具体来说,此MSDN文章进行了介绍各种保护连接字符串的方法.
Specifically, this MSDN article walks through various ways of securing connection strings.
这篇关于app.config中的ConnectionStrings.那么安全性呢?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
