Hi,

We currently use the connectionstring approach of DO to connect to the DB. This has a severe security setback as the password which is used to connect is readable in the connectionstring.

How can we protect the password in the connectionstring?

Regards
Paul Sinnema
Diartis AG

asked Jan 05 '11 at 09:31

Paul Sinnema

edited Jan 05 '11 at 23:09

Alex Yakunin


2 Answers:

According to the community feedback on this proposal, it is implemented in the stable branch and will be available soon.

answered Jan 24 '11 at 05:58

Dmitri Maximov

Hello Paul,

I believe that DataObjects.Net as well as any other ORM is not responsible for securing connection strings, however I might be wrong. Nevertheless, I'd try the following approach:

1. Encrypt the required connection string with the encryption method you prefer and put it in the web.config/app.config file in encrypted form.

2. Load DomainConfiguration through standard API:

var config = DomainConfiguration.Load("mydomain");

3. Set the config.ConnectionInfo property with the decrypted connection string:

config.ConnectionInfo = new ConnectionInfo("sqlserver",
  DecryptMyConnectionString(encryptedConnectionString));

4. Build Domain with the config.

P.S.
I suppose that the standard ASP.NET approach will also work.

answered Jan 05 '11 at 09:59

Dmitri Maximov

edited Jan 05 '11 at 10:03

Hi Dmitri,

We've written a little program that reads the entire App.config and looks for the connectionstring in the domain tag. Using encryption we de-/encrypt the connectionstring. When it is encrypted it is surrounded by '{}'; when not, it is not surrounded. In our program we test the connectionstring for starting with '{' and ending with '}' and decrypt when needed. This way our application is capable of working with both en- and decrypted connectionstrings. Super!

(Jan 11 '11 at 02:34) Paul Sinnema

I don't completely agree with you concerning:

'I believe that DataObjects.Net as well as any other ORM is not responsible for securing connection strings'

When one uses the standard connectionstring there is functionality in the Configuration that can un-/lock a connectionstring. That makes en-/decrypting quite easy. Because the connectionstring is in a custom DO tag we can not use this functionality. What I would expect of DO is an easy read/write access to the connectionstring.

(Jan 11 '11 at 02:37) Paul Sinnema

But there is nothing preventing you from getting encryptedConnectionString at step 3 from the standard configuration section.

I.e.:

var config = DomainConfiguration.Load("mydomain");
var connectionString = ...; // Read it by any way you like
config.ConnectionInfo = new ConnectionInfo(
  "sqlserver", connectionString);
...

(Jan 11 '11 at 03:42) Alex Yakunin

Hello Paul, please take a look at this idea, we need your feedback.

(Jan 13 '11 at 21:47) Dmitri Maximov

DataObjects.Net 4.3.7 & 4.4 beta 2 with this feature are released.

(Jan 29 '11 at 04:23) Dmitri Maximov
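
One way to combine the '{}' marker convention from the comments with step 3 of the answer, as an added example that is not code from this thread or from DataObjects.Net. It assumes Windows DPAPI (ProtectedData) as the encryption method; ConnectionStringProtector, its methods, the entropy value and the sample connection string are hypothetical.

```csharp
using System;
using System.Security.Cryptography; // ProtectedData (Windows DPAPI)
using System.Text;

// Hypothetical helper; not part of DataObjects.Net.
static class ConnectionStringProtector
{
    // Constructed, non-secret entropy that ties blobs to this one purpose.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("mydomain-connection");

    // Returns "{<base64 DPAPI blob>}", the form stored in App.config.
    public static string Protect(string plain)
    {
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(plain), Entropy, DataProtectionScope.CurrentUser);
        return "{" + Convert.ToBase64String(blob) + "}";
    }

    // '{...}' is decrypted; anything else is treated as plaintext and returned as is.
    public static string Resolve(string stored)
    {
        if (stored == null) throw new ArgumentNullException("stored");
        string s = stored.Trim();
        if (s.Length < 2 || s[0] != '{' || s[s.Length - 1] != '}') return stored;
        try
        {
            byte[] blob = Convert.FromBase64String(s.Substring(1, s.Length - 2));
            byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
            return Encoding.UTF8.GetString(plain);
        }
        catch (Exception ex) when (ex is FormatException || ex is CryptographicException)
        {
            // Fail closed; never echo the stored value into the exception or logs.
            throw new InvalidOperationException(
                "Connection string is marked as encrypted but could not be decrypted.", ex);
        }
    }
}

static class Program
{
    static void Main()
    {
        string sample = "Data Source=localhost;Password=example"; // constructed sample value
        string connectionString = ConnectionStringProtector.Resolve(ConnectionStringProtector.Protect(sample));
        // Step 3 of the answer: new ConnectionInfo("sqlserver", connectionString)
        Console.WriteLine(connectionString == sample);
    }
}
```

With DataProtectionScope.CurrentUser the value must be encrypted under the same Windows account that later runs the application; a blob copied to another account or machine fails to decrypt and Resolve throws instead of falling back to the raw text.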

Asked: Jan 05 '11 at 09:31

Seen: 5,312 times

Last updated: Jan 29 '11 at 04:23