Hi, We currently use the connectionstring approach of DO to connect to the DB. This has a severe security setback as the password which is used to connect is readable in the connectionstring. How can we protect the password in the connectionstring? Regards |
According to the community feedback on this proposal, it is implemented in the stable branch and will be available soon. |
Hello Paul, I believe that DataObjects.Net as well as any other ORM is not responsible for securing connection strings, however I might be wrong. Nevertheless, I'd try the following approach: 1. Encrypt the required connection string with encryption method you prefer and put it in web.config/app.config file in encrypted form. 2. Load DomainConfiguration through standard API:
3. Set config.ConnectionInfo property with decrypted connection string
4. Build Domain with the config. P.S. Hi Dmitri, We've written a little program that reads the entire App.config and looks for the connectionstring in the domain tag. Using encryption we de-/encrypt the connectionstring. When it is encrypted it is surrounded by '{}' when not it is not surrounded. In our program we test the connectionstring for starting with '{' and ending with '}' and decrypt when needed. This way our application is capable of working with both en- and decrypted connectionsstrings. Super! I don't completely agree with you concerning: 'I believe that DataObjects.Net as well as any other ORM is not responsible for securing connection strings' When one uses the standard connectionstring there is functionality in the Configuration that can un-/lock a connectionstring. That makes en-/decrypting quite easy. Because the connectionstring is in a custom DO tag we can not use this functionality. What I would expect of DO is an easy read/write access to the connectionstring. But there is nothing preventing you from getting I.e.:
Hello Paul, please take a look at this idea, we need your feedback. DataObjects.Net 4.3.7 & 4.4 beta 2 with this feature is released. |