本文介绍了如何避免C#中Web配置文件中的硬编码密码的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

Name and password information should not be included in a configuration file in plaintext as this will allow anyone who can read the file access to the resource.

I want to Encrypt the config file and How to avoid Hardcoded password in Config file?

What I have tried:

<pre><connectionStrings>
<addname="cs"connectionString="DataSource=myServerAddress;Initial Catalog=myDataBase;User Id=myUsername;Password=XXSDFASFDKD;"/>
</connectionStrings>

推荐答案

<connectionStrings>
    <addname="cs"connectionString="DataSource=myServerAddress;Initial Catalog=myDataBase; User Id=myUsername; Password=XXSDFASFDKD;"/>
</connectionStrings>

当您将这些值存储在版本控制中,或者允许每个人阅读您的生产配置时,可能会遇到此方法的问题。



我用其他一些方法来解决这个问题。大多数基于云(以及其他)的托管解决方案都提供环境配置设置。您可以使用它,也可以在部署时重写配置文件,例如https://docs.microsoft.com/en-us/previous-versions/aspnet/dd465326(v=vs.110),或者您可以使用命名约定,如 web.config web.Release.config 。这样,您只能签入web.config,并将web.Release.config版本保存在安全的地方 - 如果您当然不信任您的开发人员



我做的是,我使用环境变量在运行时加载这些值,并将它们转发给类型加载器和初始化器。这样,我只在托管服务上配置了生产值,本地工程师只能看到自己的系统级配置。除此之外,没有问题,请记住,加密只会夸大问题,而不是解决问题 - 尝试体验它



看看这个视频,了解如何,https://www.youtube.com/watch?v = McCcsbM7_2aE

The problem with this approach can come, when you either store these values inside your version control, or you allow everybody to read your production configurations.

I have used some other methods to overcome this problem. Most of the cloud based (and others too) hosting solutions provide environment configuration settings. You can use either that, or you can rewrite the configuration files upon deployment, something like this, https://docs.microsoft.com/en-us/previous-versions/aspnet/dd465326(v=vs.110), or you can use naming convention like web.config and web.Release.config. This way, you will only check-in web.config, and keep the web.Release.config version somewhere safe—if you of course don't trust your developers.

What I did was, I loaded these values on runtime using environment variables, and forwarded them to the type loaders and initializers. This way, I had the production values configured only on the hosting service, and local engineers only see their own system-level configurations. Other than that, there is no problem, and remember, encryption will only exaggerate the problem, instead of solving ittry it to experience it.

Check out this video to understand how, https://www.youtube.com/watch?v=MkcsbM7_2aE




这篇关于如何避免C#中Web配置文件中的硬编码密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

05-28 07:24
查看更多