Tuesday, February 15, 2011

Encrypting Web.Config

Encrypting Web.Config using RSAProtectedConfigurationProvider in SharePoint

Overview:

One of the most common uses of the protected configuration is to encrypt connection strings in web.confg (that's one of the reasons for creating a separate tag for connection strings instead of adding it in appSettings tag). Adding this connection string as plain text is not the best practice for sharepoint web application security and this might cause serious hacking problems. Sharepoint also support for encrypting and decrypting configuration sections in web.config file. In this article, we will explore how to encrypt and decrypt sections of the web.config. We can encrypt the configuration sections by using two built-in providers: DPAPI (Windows Data Protection API) Provider or the RSA provider. The RSA provider (default) uses an RSA key which holds public and private keys, where as the DPAPI provider uses built-in machine-specific key. Let us explore the steps required to encrypt the sections using RSA.

Below are steps in detail:

Step 1: Add a web.config file to the project. Right click the project > Add New Item > Web Configuration File
Step 2: To create the custom configuration section in Web.Config file please create the custom class inherited from ConfigurationSection class.


using System;
using System.Collections.Generic;
using System.Text;
using System.Configuration;
using System.Web.Configuration;

namespace AmitKumar.GeneralSite.Web.UI
{
class CustomUpdateProfileSection : ConfigurationSection
{
private static CustomUpdateProfileSection settings = ConfigurationManager.GetSection("CustomUpdateProfileSection") as CustomUpdateProfileSection;
public static CustomUpdateProfileSection Settings
{
get
{
return settings;
}
}
[ConfigurationProperty("UpdateProfileUserDomain", DefaultValue = "v4", IsRequired = true)]
public string UpdateProfileUserDomain
{
get { return (string)this["UpdateProfileUserDomain"]; }
set { this["UpdateProfileUserDomain"] = value; }
}

[ConfigurationProperty("UpdateProfileUserName", IsRequired = true)]
public string UpdateProfileUserName
{
get { return (string)this["UpdateProfileUserName"]; }
set { this["UpdateProfileUserName"] = value; }
}
[ConfigurationProperty("UpdateProfileUserPassword", IsRequired = true)]
public string UpdateProfileUserPassword
{
get { return (string)this["UpdateProfileUserPassword"]; }
set { this["UpdateProfileUserPassword"] = value; }
}

}
}


Step 3: Sign the assembly with the strong name and deploy in the GAC.
Step 4: Define the custom section in the Web.Config file










Note: "AmitKumar.Web.UI.CustomUpdateProfileSection" is the name of the class. "AmitKumar" is the name of the Assembly.
Step 5: Now add two buttons to the page, called btnEncrypt and btnDecrypt. We will use these buttons to encrypt and decrypt the sections of the web.config file. Add the following code in the button click event of the two buttons:


public void btnEncrypt_OnClick(object sender, EventArgs e)
{
try
{
System.Configuration.Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
ConfigurationSection objSection = config.GetSection("CustomUpdateProfileSection");
if ((config != null) && (!objSection.SectionInformation.IsProtected))
{
if (!objSection.ElementInformation.IsLocked)
{
objSection.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
config.Save();
this.lblCustomError.Visible = false;
this.lblSuccess.Text = "Successfully Encrypted, Kindly check the Web.Config file.";
this.lblSuccess.Visible = true;
}
}

}
catch (Exception ex)
{
string strErrorMsg = "Error, DateTime :" + DateTime.Now.ToLongTimeString() + ", Error : " + ex.Message.ToString() + ", Stack Trace : " + ex.StackTrace.ToString();
this.lblCustomError.Text = strErrorMsg;
this.lblCustomError.Visible = true;
}
}

public void btnDecrypt_OnClick(object sender, EventArgs e)
{
try
{
System.Configuration.Configuration objConfig = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
ConfigurationSection objSection = objConfig.GetSection("CustomUpdateProfileSection");
if (objConfig != null && objSection.SectionInformation.IsProtected)
{
if (!objSection.ElementInformation.IsLocked)
{
objSection.SectionInformation.UnprotectSection();
objConfig.Save();
this.lblCustomError.Visible = false;
this.lblSuccess.Text = "Successfully Decrypted, Kindly check the Web.Config file.";
this.lblSuccess.Visible = true;
}
}

}
catch (Exception ex)
{
string strErrorMsg = "Error, DateTime :" + DateTime.Now.ToLongTimeString() + ", Error : " + ex.Message.ToString() + ", Stack Trace : " + ex.StackTrace.ToString();
this.lblCustomError.Text = strErrorMsg;
this.lblCustomError.Visible = true;
}
}
Share:

0 comments:

About Me

My photo
Based in Bangalore, INDIA, Amit is a MCC. He has an MCA from the U.P.T.U., INDIA and holds Microsoft certifications including SharePoint 2007/2010/2013. He is an contributor to MSDN and http://amitkumarmca04.blogspot.com/. Amit have experience in SharePoint,ASP.Net with C#, Classic ASP, VB,Macros,HTML,JavaScript,JSON,BootStrap and AngularJS.

Followers

Labels