How to change from embedded db user.pwd to bespoke login screen?
-
15. srpna 2012 12:55
Hi, I am developing a front end app to a db2 database and it is all working fine, however I need to make a change to the login process as it is insecure at the moment.
I have created a login screen where the user types in their name and password and presses a button to confirm connectivity. Again, this works fine.
The problem I have is that I initially set up the project with a wizard and embedded my "own" username and password in the connection string. This is viewable in the settings tab under project. Even worse, when I publish, it is possible to view my password in the source code files.
I need to to be able to compile and publish without this security problem.
In the login screen that I created, any valid user can type in a name/pwd pair and connect, but the embedded password in the string comes back to haunt me after a month when my password expires.
I end up having to compile every month with a new password (don't laugh ;-))
I have tried removing the setting but then get flooded with errors saying stuff isn't part of (name of project)
If someone can point me in the way of some docs or help, I'd be much obliged.
Thanks
Mort
Všechny reakce
-
15. srpna 2012 14:34
If it's a connection string setting, how is it being used by your data access code? Is it used by TableAdapters? ADO.NET code?
How are you validating the user name and password at the login screen?
Paul ~~~~ Microsoft MVP (Visual Basic)
-
16. srpna 2012 9:30
Hi Paul
Here is the code for the login screen
ConnectionString = "Database=DBPA1;User ID=" + TextBox1.Text + ";Password=" + TextBox2.Text + ";Server=10.145.182.1:50001;Persist Security Info=True"
Dim myConnection As New IBM.Data.DB2.DB2Connection(ConnectionString)
Try
myConnection.Open()
Catch ex As Exception
'MsgBox(ex)
End TryThis works well, every time. (I have altered some values above for security e.g ip address)
Under Projects/Settings I have one row
Name Type Scope Value
<my_proj> (Connection string) Application Database=blah username and password
Database=DBPA1;User ID=usr;Password=Password3;Server=10.145.182.1:50001;Persist Security Info=True
my_proj is a pseudonym
I believe you might be right about it being via a table adaptor when I first started doing this.
I have many data sources defined, all via the wizard (Add new data source)
Thanks
Mort
-
20. srpna 2012 10:13Moderátor
Hi Morte,
Did you try to open the setting tab?
How about clear the value of the variable "my_proj"?
Based on my understanding, if you can see this setting in the property page, you can remove/change it.
So please try it.
Best regards,
Mike Feng
MSDN Community Support | Feedback to us
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
-
20. srpna 2012 12:41
I would recommend removing the user ID and password from the connection strings in the app.config file. You should be able to change the connection strings for the TableAdapters at run time:
http://thecodemonk.com/2008/02/18/tableadapter-connection-strings/
Paul ~~~~ Microsoft MVP (Visual Basic)
-
21. srpna 2012 14:41
Hi Mike,
Removing the entry from the settings tab causes multiple failures to compile/publish saying items are not part of "my_proj)
Paul,
Removing the user id and pasword from the string is an interesting idea.
It compiles and allows me to log in with my user name and passwd via the bespoke form. However, when I launch any of the other forms which have datasources, I get the following error:
ERROR 08001 IBM SQL30082N Security processing failed with reason 3 PASSWORD MISSING
I have opened the config file and I can see my user id and a very old password in there
Is it safe to remove the partial string from the config file and save it? It has not been updated for a long time.
I am extremely nervous about "tinkering" outside of the interface in case I lose the ability to run the app. (Not an unhealthy thing)
I had a look at your link and it was a bit deep for me to be honest.
Mort
-
21. srpna 2012 16:25
Unfortunately you are facing a bit of a conundrum if you are using the Data Designer and TableAdapters to make coding with and connecting to databases easier. The connection string isn't really designed to be changed when using these classes. That is why you need to resort to workarounds, such as the link I posted.
Paul ~~~~ Microsoft MVP (Visual Basic)
-
22. srpna 2012 8:57
Thanks Paul,
I'll do my best with the link.
Perhaps I will try a small test project and avoid using the data designer
Cheers
Mort
-
24. srpna 2012 11:52
Hi, I am now in a very difficult place.
All of my datasources complain saying that they are not part of th eproject. I cannot preview the data either/
Many warnings and errors along the lines of
Type 'Simone_day_progress.RUN_SETUP_ALL' is not defined
Error 17 'ClearBeforeFill' is not a member of 'Simone_day_progress.Simone_day_progress.DBRCSPA1DataSet1TableAdapters.CURRENT_TASKTableAdapter'. \\sw6_f\myname\visual studio 2010\Projects\Simone_day_progress\Simone_day_progress\Form1.Designer.vb 513 9 Simone_day_progress
These are numerous and seem to suggest a decoupling of the datasources from the project name
I was setting the windows title bar before this happened, if that is significant and declared some public variables in the topmost form.
The app will run if I say I want to run the last known good build and it seems to return the data.
I need an answer urgently if possible
Many thanks
Mort
-
24. srpna 2012 13:13I'm afraid I'm not really sure what you changed to cause the error. I would recommend reverting back to a previous version of the project if possible.
Paul ~~~~ Microsoft MVP (Visual Basic)
-
27. srpna 2012 6:35Moderátor
Hi Mort,
Based on the error message, it is different from the original issues.
So would you like to rollback to the previous version as Paul suggested? And then try Paul's above suggestions.
Thank you very much.
Best regards,
Mike Feng
MSDN Community Support | Feedback to us
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
