I want SubSonic to read the database password from a variable instead of app.config - subsonic

I have successfully implemented the SubSonic DAL in my desktop application. It was a superb experience, but SubSonic reads the database password from the app.config file. As app.config is deployed with the application on the client side, it's a big security threat.
It would be helpful if I could read the database password from a variable instead of app.config.
Thanks in advance,
Regards.

The easiest and best way to protect connection string data is to encrypt the connection string section of the app.config.
Read here: http://msdn.microsoft.com/en-us/library/system.configuration.rsaprotectedconfigurationprovider.aspx

Dataservice.setdefaultconnectionstring() resolved my problem.

The short answer to this is that it is probably not going to happen, because it would mean that you need to add all the source files to your current project and change the way SubSonic loads the connection string.
If you are worried about passwords being deployed to the client, then it might be a better idea to use integrated security, which works brilliantly.
Also, you did not specify which version you are using, since modifying v3 is a little easier in my opinion.

Related

Passwords On Remote Server Code Security

I am building a web app which will be sending out emails for sign up verification. I will be using https://github.com/RGBboy/express-mailer. I wanted to know whether it is safe for me to display the email password in the code and push it to the server (Heroku, AWS etc.) where the app is hosted. If not, what alternative methods should I use to 'hide' the password?
It is usually considered bad practice to have plaintext secrets/credentials stored under version control, as that could lead to security issues.
Usually this sort of info is set as environment variables. Heroku has a pretty straightforward way of doing this configuration. You can either use their web admin, or set them via command line.
As for other cases, like your development setup, this could be done with the use of .env files, which are loaded and have their values exposed to your running code. Since express-mailer is a node application, I suggest using some npm package like dotenv or node-env-file to automatically do this loading. I personally prefer dotenv, which I feel is simpler.
You should also check out this article regarding the use of .env files. The basic idea is to have your .gitignore (or equivalent) ignore your .env file, thus ensuring your secret credentials are never introduced in your version control, and then set up an .env.sample file to show the developer which data needs to be declared in said .env file.
Example:
.env
EMAIL=foo@bar.com
PASSWORD=AahUbf796
S3_TOKEN=ASVNS7843NCA87SDVNBRT9
.env.sample
EMAIL=<email to access the account>
PASSWORD=<secret password>
S3_TOKEN=<s3 token for application foobar>
You shouldn't ever store secrets in version control.
One alternative (which I personally like the best) is setting secrets as environment variables for your application in your production environment. Heroku I think supports this. This is also the approach that for example Rails takes. Dev/test "secrets" (which are not actually real credentials to anything valuable) can still of course be stored in your VCS.
Another option is to encrypt the user credentials in your source code and decrypt them from your source code.
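A startup check for the .env / .env.sample convention described in the answers above, as an added example that is not part of the original posts: it reports which keys declared in .env.sample are unset or still hold placeholder text, and whether .gitignore lists .env. The helper names (parseEnv, missingSecrets, envFileIgnored) and the sample inputs are assumptions constructed for illustration, and the parser is a simplified stand-in for dotenv.

```javascript
// Minimal KEY=VALUE parser for the simple files shown above (not dotenv's
// parser: no quoting, multiline values or variable expansion).
function parseEnv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue; // blank line or comment
    const eq = line.indexOf('=');
    if (eq <= 0) continue;                              // not a KEY=VALUE line
    vars[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return vars;
}

// Keys declared in .env.sample that are unset, empty, or still hold the
// "<placeholder>" text in the environment. Returns names only, never values,
// so the result is safe to log.
function missingSecrets(sampleText, env) {
  const isPlaceholder = (v) => /^<.*>$/.test(v);
  return Object.keys(parseEnv(sampleText)).filter((key) => {
    const value = env[key];
    return value === undefined || value.trim() === '' || isPlaceholder(value.trim());
  });
}

// True when a .gitignore body has a plain ".env" (or "/.env") pattern.
// Simplification: negation ("!") rules and wildcard patterns are not evaluated.
function envFileIgnored(gitignoreText) {
  return gitignoreText.split(/\r?\n/)
    .map((l) => l.trim())
    .some((l) => l === '.env' || l === '/.env');
}

// Constructed sample inputs (hypothetical values, not real credentials).
const SAMPLE = [
  'EMAIL=<email to access the account>',
  'PASSWORD=<secret password>',
  'S3_TOKEN=<s3 token for application foobar>',
].join('\n');
const GITIGNORE = 'node_modules/\n.env\n';
const fakeEnv = { EMAIL: 'ops@example.test', PASSWORD: '<secret password>' };

const missing = missingSecrets(SAMPLE, fakeEnv);
if (missing.length > 0) {
  console.error('Missing configuration: ' + missing.join(', '));
}
console.log('.env ignored by git:', envFileIgnored(GITIGNORE));
```

In an application, pass process.env instead of fakeEnv and exit with a non-zero status when the returned list is not empty.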

How to turn off Entity Framework CF Migrations for an environment

Is it possible to turn off Entity Framework using the web.config? In the application I'm developing we have the following environments
Development
Continuous Integration
Integration Testing
Production
The Integration Testing and Production databases are managed by a database administrator, so we have to send them a script to make changes to the database.
I've spent hours Googling and looking through old projects, and I can't find how to do this or remember if we ever turned off migrations on the old projects in the first place.
From the lack of information I'm doubting if what I'm asking is needed or possible, but there is something in the back of my head that's annoying me about this so I thought I'd ask the experts.
The easiest method is to simply delete the dbo._MigrationHistory table from these environments. If that table doesn't exist, then only an "initial" migration can ever be generated against that database, which will fail if someone tries to actually apply it to a database with existing tables.
You could set the database initializer in the config file as described at the bottom here, so you can have an updating initializer in the environments you want.

Is it dangerous to post your Apple Dev team identifier online?

I'm working on code using XPC for inter-process communication. Sharing the code on GitHub will expose the .entitlements file, containing my team identifier.
Now will this be a security risk in any way?
Other developers could use the team identifier but won't be able to sign apps. So I expect everything's okay as long as I sandbox and sign my apps and helpers. What do you know about this?
It probably won't be a huge security risk, however to be sure and to keep your git repository clean I suggest adding it to your gitignore file. There is no reason why you would need to share your .entitlements file.

Configuring log4net to Use Isolated Storage in WPF App

I'd like to use log4net's RollingAppender to write to isolated storage, but I can't figure out how to configure log4net to do so. To be clear, I'm trying to do this in an installed WPF application so I don't have some of the issues that some of the Silverlight users have already posted.
I thought my best chance was to dynamically set the file path as described in this answer, Best way to dynamically set an appender file path, but of course you don't have access to the isolated storage's file path.
Can anyone confirm whether it's possible to set up a log4net RollingAppender to use the isolated storage, and if so how?
I don't know if this will help you, but I posted an idea for creating a new Target for NLog that could write to isolated storage. I have not tested it, but it seems pretty straightforward.
Here is the link to the question where I posted my suggestion as an answer:
Logging with NLog into an Isolated Storage
Assuming it works, it would probably be pretty easy to create something similar in log4net. Of course, it would not have the same capabilities as the RollingAppender, so it might not be of much use to you, even if it does work.

Subsonic adding a DB provider for Simple Repository

I was wondering--what part of Subsonic 3 needs to be modified to support a different database under a Simple Repository scenario? I haven't found any documentation on this point. Subsonic 3 seems to be all about the T4 templates but when I check out the Subsonic project sources I don't see any T4 templates in there...so where/how do I add support for another database?
Thanks,
Alex
No part of SubSonic needs to be modified for SimpleRepo - just change your connection string and be sure to change the provider (part of the connection string) as well. So, the default connection might be:
connectionString="server=localhost;database=northwind;user id=bob;password=*****" provider="System.Data.SqlClient"
Change that to be the connection string you want, and the provider to your DB provider. MySQL would be something like "MySql.Data.MySqlClient" and SQLite would be "System.Data.SQLite" (I think).
SubSonic will do the rest.
