First create one new web application that contains Default.aspx page and one web.config file. Now right click on your application and select New folder after creation of new folder right click on new folder select Add new item and add one aspx page and one web.config file to this folder that files structure like this
 |
After that write the following code in root folder web.config file appsettings section like this
<appSettings>
<add key="rootfolder" value="Root Folder web.config"/>
<add key="test1" value="Testing the application for root folder web.config"/>
</appSettings >
|
After that open Default.aspx page in root folder and write the following code
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>RootFolder web.config</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<b>
Root Folder values
</b>
</div>
<br />
<div>
AppKey value:
<b>
<asp:Label ID="lbltxt" runat="server" Text="<%$appSettings:rootfolder %>"/>
</b>
<br />
Appkey Test value:
<b>
<asp:Label ID="Label1" runat="server" Text="<%$appSettings:test1 %>"/>
</b>
</div>
</form>
</body>
</html>
|
Now run your application and check the output for root folder
After that open the sub root folder web.config file and write the following code in appsettings section like this
<appSettings>
<add key="subrootfolder" value="Sub Root Folder web.config"/>
<add key="test1" value="Testing the application for sub root folder web.config"/>
</appSettings >
|
After that open ChildPage.aspx page in sub root folder and write the following code
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1" runat="server">
<title>SubRoot Folder web.config</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<b>
SubRoot Folder values
</b>
</div>
<br />
<div>
AppKey value:
<b>
<asp:Label ID="lbltxt" runat="server" Text="<%$appSettings:subrootfolder %>"/>
</b>
<br />
Appkey Test value:
<b>
<asp:Label ID="Label1" runat="server" Text="<%$appSettings:test1 %>"/>
</b>
</div>
</form>
</body>
</html>
|
Now run your application and check the output for sub root folder
If you observe above outputs Default.aspx page getting values from root folder web.config file andChildPage.aspx page getting values from subroot folder web.config file.
In this way we can use multiple web.config files in asp.net web application. I hope it helps you
The connectionStrings section contains sensitive information of database connections including username and password of database. Is it secured to store the sensitive information of database connections in plain text files called web.config and machine.config files?
If we are using applications in our internal servers with security then it’s ok if we deploy our applications in shared host environment then we have chance to arise security problems to avoid these problems asp.net 2.0 provided built in protected configuration model functionality to encrypt or decrypt few sections of web.config file those are
RSAProtectedConfigurationProvider: This is default provider and uses the RSA public key encryption algorithm to encrypt and decrypt data.
DataProtectionConfgurationProvider: This provider uses windows data protection application programming interface to encrypt and decrypt the data.
The encrypting and decrypting of connection strings in web.config file will do by using aspnet_regiis.execommand line tool and code behind.
First Method:
First we will do encryption and decryption using aspnet_regiis.exe command line tool in file system website
To implement encryption and decryption first create one new website using visual studio.
After that open web.config file in application and add sample db connection in connectionStringssection like this
<connectionStrings>
<add name="dbconnection" connectionString="Data Source=SureshDasari;Integrated Security=true;Initial Catalog=MySampleDB"/>
</connectionStrings >
|
After add dbconnection in connectionString check the below steps to encrypt or decrypt the connection string in web.config.
1. 1) Go to Start >> All Programs >> Microsoft visual studio 2008 >> Visual Studio Tools >> Visual Studio 2008 Command Prompt (Note: if you’re using windows 7 right click on command prompt and select Run as administrator)
 |
2. 2) After open command prompt type the following command aspnet_regiis.exe -pef "connectionStrings" "C:\VisualStudio2008\Authorization"
Here –pef indicates that the application is built as File System website. Second argumentconnectionStrings indicates that name of the configuration section needs to be encrypted. The Third argument is the physical path of the folder where the web.config file is located.
3. 3) After enter the command click enter if everything goes well we will get success message like “Encrypting configuration section… Succeeded!”
 |
Now open your application and check connectionStrings in web.config file that would be like this
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>Rsa Key</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>ZNUbIEnOwlZzC8qbzHj5F2GS9gLYSkWCIgCJGkrgZAX8A+8oEIssyohhxUKvAubD3jizFc5IjbLGt7HNXhoFhXNTUPYz2y6tdKJDVgDmtCgVf8Z2C990zoMRBJG+VXhmgnlo1vtHYhGx8x/bBzE1prT1+xDpep98vHF22d+LrVI=</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>tODWlPD0Q/B/mP14GQ/5tUxcjmhHcy9a0oPunV5osNrMQRztgi2h5V6sxJOEh+NC+G9gQNkv1huXf1s7eoZRRLy5/LDtLXzzqMUOqLSlJUs9igChvi33c9XG4rwGF15Tpn4N34bpQBt94n0rpSkQ18V9HCPzii+UO64PlA+ykDeQhc9aQr4gO3mCfUzmY2S9gsXzRbzdq0oCWBDvx8UkX2uDxaysVHC9Fo7u6IrlpU0+hOdK95Y3/A==</CipherValue>
</CipherData>
</EncryptedData>
</connectionStrings>
|
Here we don’t want to write any code to decrypt the encrypted connectionString in our application because .NET automatically decrypts it. If we want to use the connection string just call it like normal way
string strconnection = ConfigurationManager.AppSettings["dbconnection"].ToString();
|
Now if we want to decrypt connectionStrings section in web.config use the following commandaspnet_regiis.exe -pdf "connectionStrings" "C:\VisualStudio2008\Authorization"
After command execute we will get message like “Decrypting configuration section… Succeeded!”
 |
Now check your connctionStrings section in your web.config file you will see decrypted connection string.
Till now we learned how to encrypt and decrypt connectionStrings section in File system website. If I want to encrypt connection string in IIS based site like i.e. Deployed website for that we need to use the following commands
Encrypt connectionStrings in web.config of IIS based site
aspnet_regiis.exe -pe "connectionStrings" -app "/SampleWebSite"
Here –pe indicates that the application is built as IIS based site. Second argument connectionStrings is the name of configuration section needs to be encrypted. The Third argument -app indicates virtual directory and last argument is the name of virtual directory where application is deployed.
Decrypt connectionStrings in web.config of IIS based site
aspnet_regiis.exe -pd "connectionStrings" -app "/SampleWebSite"
Till now we learned how to encrypt and decrypt connectionStrings section in web.config file using aspnet_regiis.exe command line tool now I will explain code behind method to encrypt and decrypt the connection string section in web.config.
Second Method: In second method I will use RSAProtectedConfigurationProvider and DataProtectionConfgurationProvider to encrypt and decrypt connectionStrings in web.config using asp.net.
First open Default.aspx page and write the following code
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>Untitled Page</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:Button id="btnEncrypt" runat="server" Text="Encrypt" onclick="btnEncrypt_Click" />
<asp:Button ID="btnDecrypt" runat="server" Text="Decrypt" onclick="btnDecrypt_Click" />
</div>
</form>
</body>
</html>
|
After that open code behind page and add the following namespace references
using System;
using System.Configuration;
using System.Web.Configuration;
|
After add namespaces write the following code in code behind
C# code
string provider = "RSAProtectedConfigurationProvider";
string section = "connectionStrings";
protected void Page_Load(object sender, EventArgs e)
{
}
protected void btnEncrypt_Click(object sender, EventArgs e)
{
Configuration confg = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
ConfigurationSection configSect = confg.GetSection(section);
if (configSect != null)
{
configSect.SectionInformation.ProtectSection(provider);
confg.Save();
}
}
protected void btnDecrypt_Click(object sender, EventArgs e)
{
Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
ConfigurationSection configSect = config.GetSection(section);
if (configSect.SectionInformation.IsProtected)
{
configSect.SectionInformation.UnprotectSection();
config.Save();
}
}
After that open web.config file in application and add sample db connection in connectionStringssection like this
Now run your application and check your web.config file after click on Encrypt button that would be like this
If we want to implement encryption and decryption with “DataProtectionConfigurationProvider” just replace “RSAProtectedConfigurationProvider” with “DataProtectionConfigurationProvider” and use same code.
|
No comments:
Post a Comment