Web Deployment Project (can't hide XML files) please reply

  • Question

  • User-589637085 posted

    I built a web deployment project but I am unable to hide .xml files. In the AppCode folder I have 2 xml files; the user can only access those files through the xy.aspx page.

    When I built the project for deployment and hid the AppCode folder, the whole application went down the drain. It is giving me an error that the AppCode/abc.xml can't be found (something like that). The XML files have some critical data (expiration dates for the application license). You must be thinking why I am keeping such information in an XML file rather than a database; it is because the client is hosting the application locally. If the client backdates the server in order to work around the license expiration date, the application will simply stop working.

    My second question is, I am using Forms Authentication, and keeping the password in the web.config file. Is there any way to hide <authentication></authentication>? The web deployment project doesn't hide that section. I want to hide the credentials because it has a password which is used to renew the application license.


    Actually I didn't know that I would face such a situation where I can't hide such info. Otherwise I would have adopted the database approach.

    PLEASE HELP

    Saturday, June 12, 2010 7:29 PM

Answers

  • User-589637085 posted

    Thanks for the reply. W

    What I understood from the link you posted is that the application MUST be named "MachineDPAPI" in order to use the utility to encrypt sections of the web.config.

    I had to do three things

    1) Hide/Encrypt the connection string in web.config (because the connection string has the user id and password for the database)

    2) Hide/Encrypt passwords in web.config (Forms Authentication - credentials)

    3) Hide/Encrypt .xml file contents

    So that's how I did it

    Problem 1 Solution :: Removed the connection string from the web.config and created a static class which only returns the connection string. So instead of accessing the connection string from the web.config, each database access class gets the connection string from the static class.

    Problem 2 Solution :: I encrypted the passwords which are kept in the credentials section of the web.config. For encrypting I downloaded a class from the net which has encrypt/decrypt functionality. So when the user enters the password, I encrypt it and then pass the encrypted password to FormsAuthentication.Authenticate(UsernameTextbox.Text, encryptedPassword). The user enters the plain text password, and has no need to know the encrypted password kept in web.config. The client can dig into web.config and can find the encrypted password but not the encryption and decryption class.

    Problem 3 Solution :: I am keeping encrypted data in the .xml file. So when the application accesses the .xml file, the middle layer extracts the encrypted data from the .xml file, decrypts it and then passes it to the application.


    Since I am using a layered architecture, the fix was easy and quick.

    Hope this would be helpful for someone in future.


    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, June 14, 2010 1:01 AM

All replies

  • User2105407822 posted

    For the web.config, you can encrypt sections. Check this link:

    http://msdn.microsoft.com/en-us/library/ff647398.aspx


    For the xml files in general, I am not sure if .NET has something ready but it can be encrypted too.


    Sunday, June 13, 2010 8:51 AM
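
The section encryption suggested in the reply above can also be done from code with the framework's protected-configuration API. This is an added example, not code from the thread or the linked article; `ConfigProtector` and the `/MyApp` path are hypothetical, and the path is whatever virtual path the application actually has in IIS.

```csharp
using System.Configuration;
using System.Web.Configuration;

// Added example: run once on the hosting server after deployment.
// The account running it needs write access to web.config.
public static class ConfigProtector   // hypothetical helper name
{
    // The two web.config sections discussed in the thread: database
    // credentials and the Forms Authentication <credentials> block.
    private static readonly string[] SectionNames =
    {
        "connectionStrings",
        "system.web/authentication"
    };

    // virtualPath is the application's own virtual path, e.g. "/MyApp"
    // (placeholder). Returns the number of sections newly encrypted.
    public static int ProtectSections(string virtualPath)
    {
        Configuration config =
            WebConfigurationManager.OpenWebConfiguration(virtualPath);
        int changed = 0;

        foreach (string name in SectionNames)
        {
            ConfigurationSection section = config.GetSection(name);

            // Skip sections that are absent, locked by a parent config,
            // or already encrypted, so the call is safe to repeat.
            if (section == null
                || section.SectionInformation.IsLocked
                || section.SectionInformation.IsProtected)
                continue;

            // Built-in DPAPI provider; the key is tied to this machine.
            section.SectionInformation.ProtectSection(
                "DataProtectionConfigurationProvider");
            section.SectionInformation.ForceSave = true;
            changed++;
        }

        if (changed > 0)
            config.Save(ConfigurationSaveMode.Modified);
        return changed;
    }
}
```

ASP.NET decrypts protected sections transparently at run time, so `ConfigurationManager.ConnectionStrings` and `FormsAuthentication.Authenticate` keep working unchanged. Because the DPAPI key belongs to the machine, the file has to be encrypted on the server that runs it, and an administrator of that server can still decrypt it.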