https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-3.0/dx0f3cf2(v=vs.85)

When working with data source controls it is recommended that you centralize the location of your connection strings by storing them in the application's Web.config file. This simplifies the management of connection strings by making them available to all of the ASP.NET pages in a Web application. In addition, you do not need to modify numerous individual pages if your connection string information changes. Finally, you can improve the security of sensitive information stored in a connection string, such as the database name, user name, password, and so on, by encrypting the connection string section of the Web.config file using protected configuration.

This topic describes how to store connection strings in the connectionStrings configuration section in the Web.config file, and how to use the command-line .NET Framework tool to encrypt connection strings for additional security.

To store a connection string in the Web.config file

  1. Open the Web.config file for your application. If a Web.config file does not already exist, create a text file named Web.config and add the following content:

    Copy
    <?xml version="1.0"?>
    <configuration
    xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
    <appSettings/>
    <system.web>
    </system.web>
    </configuration>
  2. In the configuration element, create a new element named connectionStrings, as shown in the following example:

    Copy
    <?xml version="1.0"?>
    <configuration
    xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
    <connectionStrings> </connectionStrings>
    <appSettings/>
    <system.web>
    </system.web>
    </configuration>
  3. In the connectionStrings element, create an add element for each connection string you will use in your Web application. Include the attributes shown in the following table.

    Attribute Description
    1. name

    A name for this connection string configuration object. This name will be used by data source controls and other features to reference the connection string information.

    1. connectionString

    The connection string to the data source.

    1. providerName

    The namespace of the NET Framework data provider to use for this connection, such as System.Data.SqlClientSystem.Data.OleDb or System.Data.Odbc.

    A completed connectionStrings element might look like the following example:

    Copy
    <connectionStrings>
    <add
    name="NorthwindConnection"
    connectionString="Data Source=localhost;Integrated Security=SSPI;Initial Catalog=Northwind;" />
    </connectionStrings>
  4. Save and close the Web.config file.

    You can now reference the connection string for your data source control by referring to the name you specified for the name attribute.

  5. In the ConnectionString attribute for your data source control, use the connection string expression syntax to reference the connection information from the Web.config file.

    The following example shows a SqlDataSource control in which the connection string is read from the Web.config file:

    Copy
    <asp:SqlDataSource ID="ProductsDataSource" Runat="server"
    SelectCommand="SELECT * from Products"
    ConnectionString="<%$ ConnectionStrings: NorthwindConnection %>"
    </asp:SqlDataSource>

To encrypt connection string information stored in the Web.config file

  1. At the Windows command line, run the ASP.NET IIS registration tool (aspnet_regiis.exe) with the following options:

    • The -pe option, passing it the string "connectionStrings" to encrypt the connectionStrings element.

    • The -app option, passing it the name of your application.

    The aspnet_regiis.exe tool is located in the %systemroot%\Microsoft.NET\Framework\versionNumber folder.

    The following example shows how to encrypt the connectionStrings section of the Web.config file for an application named SampleApplication:

    Copy
    aspnet_regiis -pe "connectionStrings" -app "/SampleApplication"

    When the command has finished, you can view the contents of the Web.config file. The connectionStringsconfiguration section will contain encrypted information instead of a clear-text connection string, as shown in the following example:

    Copy
    <configuration>
    <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
    xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <KeyName>RSA Key
    </KeyName>
    </KeyInfo>
    <CipherData>
    <CipherValue>WcFEbDX8VyLfAsVK8g6hZVAG1674ZFc1kWH0BoazgOwdBfinhcAmQmnIn0oHtZ5tO2EXGl+dyh10giEmO9NemH4YZk+iMIln+ItcEay9CGWMXSen9UQLpcQHQqMJErZiPK4qPZaRWwqckLqriCl9X8x9OE7jKIsO2Ibapwj+1Jo=
    </CipherValue>
    </CipherData>
    </EncryptedKey>
    </KeyInfo>
    <CipherData>
    <CipherValue>OpWQgQbq2wBZEGYAeV8WF82yz6q5WNFIj3rcuQ8gT0MP97aO9SHIZWwNggSEi2Ywi4oMaHX9p0NaJXG76aoMR9L/WasAxEwzQz3fexFgFSrGPful/5txSPTAGcqUb1PEBVlB9CA71UXIGVCPTiwF7zYDu8sSHhWa0fNXqVHHdLQYy1DfhXS3cO61vW5e/KYmKOGA4mjqT0VZaXgb9tVeGBDhjPh5ZlrLMNfYSozeJ+m2Lsm7hnF6VvFm3fFMXa6+h0JTHeCXBdmzg/vQb0u3oejSGzB4ly+V9O0T4Yxkwn9KVDW58PHOeRT2//3iZfJfWV2NZ4e6vj4Byjf81o3JVNgRjmm9hr9blVbbT3Q8/j5zJ+TElCn6zPHvnuB70iG2KPJXqAj2GBzBk6cHq+WNebOQNWIb7dTPumuZK0yW1XDZ5gkfBuqgn8hmosTE7mCvieP9rgATf6qgLgdA6zYyVV6WDjo1qbCV807lczxa3bF5KzKaVUSq5FS1SpdZKAE6/kkr0Ps++CE=
    </CipherValue>
    </CipherData>
    </EncryptedData>
    </connectionStrings>
    </configuration>

    Leave the command prompt open for later steps.

  2. Determine the user account or identity under which ASP.NET runs by retrieving the current WindowsIdentity name.

    The following example shows one way to determine the WindowsIdentity name:

    C#Copy
    <%@ Page Language="C#" %>
    <%
    Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);
    %>
    Note

    By default, on Windows Server 2003 with impersonation for an ASP.NET application disabled in the Web.config file, the identity under which the application runs is the NETWORK SERVICE account. On other versions of Windows, ASP.NET runs under the local ASPNET account.

    The user account or identity under which ASP.NET runs must have read access to the encryption key used to encrypt and decrypt sections of the Web.config file. This procedure assumes that your Web site is configured with the default RsaProtectedConfigurationProvider specified in the Machine.config file named "RsaProtectedConfigurationProvider". The RSA key container used by the default RsaProtectedConfigurationProvider is named "NetFrameworkConfigurationKey".

  3. At the command prompt, run the aspnet_regiis.exe tool with the following options:

    • The -pa option, passing it the name of the RSA key container for the default RsaProtectedConfigurationProvider.

    • The identity of your ASP.Net application, as determined in the preceding step.

    The following example shows how to grant the NETWORK SERVICE account access to the machine-level "NetFrameworkConfigurationKey" RSA key container:

    Copy
    aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"
  4. To decrypt the encrypted Web.config file contents, run the aspnet_regiis.exe tool with the -pd option. The syntax is the same as encrypting Web.config file contents with the -pe option except that you do not specify a protected configuration provider. The appropriate provider is identified in the configProtectionProvider attribute for the protected section.

    The following example shows how to decrypt the connectionStrings element of ASP.NET application SampleApplication.

    Copy
    aspnet_regiis -pd "connectionStrings" -app "/SampleApplication"

How to: Secure Connection Strings When Using Data Source Controls的更多相关文章

  1. [转]Oracle connection strings

    本文转自:http://www.connectionstrings.com/oracle/ Standard Data Source=MyOracleDB;Integrated Security=ye ...

  2. Windows Phone本地数据库(SQLCE):9、Connection Strings(翻译) (转)

    这是“windows phone mango本地数据库(sqlce)”系列短片文章的第八篇. 为了让你开始在Windows Phone Mango中使用数据库,这一系列短片文章将覆盖所有你需要知道的知 ...

  3. Data source rejected establishment of connection, message from server: "Too many connections"解决办法

    异常名称 //数据源拒绝从服务器建立连接.消息:"连接太多" com.MySQL.jdbc.exceptions.jdbc4.MySQLNonTransientConnection ...

  4. Xcode7 beta 网络请求报错:The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.

    Xcode7 beta 网络请求报错:The resource could not be loaded because the App Transport Xcode7 beta 网络请求报错:The ...

  5. The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.问题解决

    didFailLoadWithError(): Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loa ...

  6. Data source rejected establishment of connection, message from server: &quot;Too many connections&quot;

    错误叙述性说明: 測试一段时间没有不论什么问题.今天突然用户无法登录,报错如Data source rejected establishment of connection,  message fro ...

  7. Unable to open connection to supplicant on "/data/misc/wifi/sockets/wlan0"

    在调试android wifi UI 的时候,出现了 logcat:  Unable to open connection to supplicant on "/data/misc/wifi ...

  8. Data source rejected establishment of connection, message from server: "Too many connections"

    详细错误信息: Caused by: com.MySQL.jdbc.exceptions.jdbc4.MySQLNonTransientConnectionException: Data source ...

  9. [转】[tip] localhost vs. (local) in SQL Server connection strings

    主要区别在于连接协议不同,前者(localhost)使用TCP协议,后者("(local)")使用NamedPipe协议. Sample code with SQL Server ...

随机推荐

  1. 【转】高性能网络编程1----accept建立连接

    最近在部门内做了个高性能网络编程的培训,近日整理了下PPT,欲写成一系列文章从应用角度谈谈它. 编写服务器时,许多程序员习惯于使用高层次的组件.中间件(例如OO(面向对象)层层封装过的开源组件),相比 ...

  2. zabbix Server 4.0 监控JMX监控详解

    zabbix Server 4.0 监控JMX监控详解 作者:尹正杰 版权声明:原创作品,谢绝转载!否则将追究法律责任.   大家都知道,zabbix server效率高是使用C语言编写的,有很多应用 ...

  3. 在vue中使用jsx语法

    什么是JSX? JSX就是Javascript和XML结合的一种格式.React发明了JSX,利用HTML语法来创建虚拟DOM.当遇到<,JSX就当HTML解析,遇到{就当JavaScript解 ...

  4. shell脚本——正则表达式

    什么是正则表达式 正则表达式分为基础正则和扩展正则,都是为了匹配符合预期要求的字符串 正则表达式与通配符的区别 只需要记住,对文件内容或是展示文本的操作都是正则,而对目录或文件名的操作则都是通配符(例 ...

  5. 渗透之路基础 -- 跨站伪造请求CSRF

    漏洞产生原因及原理 跨站请求伪造是指攻击者可以在第三方站点制造HTTP请求并以用户在目标站点的登录态发送到目标站点,而目标站点未校验请求来源使第三方成功伪造请求. XSS利用站点内的信任用户,而CSR ...

  6. Linux 反弹shell(二)反弹shell的本质

    Linux 反弹shell(二)反弹shell的本质 from:https://xz.aliyun.com/t/2549 0X00 前言 在上一篇文章 Linux反弹shell(一)文件描述符与重定向 ...

  7. Kotlin对象表达式深入解析

    嵌套类与内部类巩固: 在上一次https://www.cnblogs.com/webor2006/p/11333101.html学到了Kotlin的嵌套类与内部类,回顾一下: 而对于嵌套类: 归根结底 ...

  8. Druid Spring Boot Starter 从配置到简单运行 -解决zone不匹配 -解决dataSource加载失败

    Druid Spring Boot Starter 中文 | English Druid Spring Boot Starter 用于帮助你在Spring Boot项目中轻松集成Druid数据库连接池 ...

  9. Spring-02 -Spring 创建对象的三种方式 :1.通过构造方法创建/2.实例工厂/3.静态工厂

    通过构造方法创建  1.1 无参构造创建:默认情况. 1.2 有参构造创建:需要明确配置 1.2.1 需要在类中提供有参构造方法 1.2.2 在 applicationContext.xml 中设置调 ...

  10. Caused by: com.mysql.jdbc.MysqlDataTruncation: Data truncation: Out of range value for column 'phone' at row 1

    Caused by: com.mysql.jdbc.MysqlDataTruncation: Data truncation: Out of range value for column 'phone ...