|
First thing to mention here is, why are you even trying to store the secrets—I am assuming, connection strings, API keys, etc.—in your own machine, unless your web server runs in the same machine? In a testing or development environment, you should consider using testing or development credentials that, when exposed, can be cleared, rotated and wiped without any panic.
I am not sure why you didn't read the documentation for this tool, Microsoft had already made it pretty much clear that this tool is not for "securely storing your credentials", rather "storing your secure credentials". There is a huge difference,
Quote: The Secret Manager tool doesn't encrypt the stored secrets and shouldn't be treated as a trusted store. It's for development purposes only. The keys and values are stored in a JSON configuration file in the user profile directory.
So, that was pretty much clear from the documentation that this tool doesn't do anything on its own side and as Richard said, it merely takes the secure information out of your code, to prevent it from being version controlled.
If you are using an external hosting service, use their secure vaults (or something similar in technical terms). For example, it is a bad idea to store the security details or credentials in environment variables, or even in the databases that you hold or own. Because as you said,
Quote: I'm looking at storing them on the database again, and encrypting them using something like bcrypt to encrypt them.
They are merely encrypted, anyone who has access to your machine—since this data is in your machine—has access to that database, which is clearly visible as these values are needed by your apps to function. Thus, anyone can access the keys.
The good practice to use nowadays is to use secure vaults; you can check with your hosting providers to check if they do provide any. For example, on Microsoft Azure you should use Azure KeyVault (Key Vault | Microsoft Azure), which secures your credentials and resists tampering against it.
The sh*t I complain about
It's like there ain't a cloud in the sky and it's raining out - Eminem
~! Firewall !~
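The split described above, as an added example that is not part of the original post: Secret Manager values are used only in Development, and every other environment reads the same configuration keys from Azure Key Vault. The setting name `KeyVault:Uri`, the secret name `ConnectionStrings--Default`, the `/health` route, and the use of the Azure.Identity and Azure.Extensions.AspNetCore.Configuration.Secrets packages are assumptions.

```csharp
// Program.cs (ASP.NET Core, .NET 6+ minimal hosting). Added example.
using System;
using Azure.Identity;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// In Development, CreateBuilder already loads Secret Manager values (secrets.json in
// the user profile, unencrypted). Only throwaway development credentials belong there.
if (!builder.Environment.IsDevelopment())
{
    // "KeyVault:Uri" is an assumed setting name; the URI itself is not a secret.
    var vaultUri = builder.Configuration["KeyVault:Uri"]
        ?? throw new InvalidOperationException("KeyVault:Uri is not configured.");

    // DefaultAzureCredential uses the app's managed identity when hosted in Azure,
    // so no vault password is stored on the machine or in configuration files.
    builder.Configuration.AddAzureKeyVault(new Uri(vaultUri), new DefaultAzureCredential());
}

// Same key in every environment. In Key Vault the secret is named
// "ConnectionStrings--Default" ("--" maps to ":" in configuration keys).
var connectionString = builder.Configuration.GetConnectionString("Default");
if (string.IsNullOrWhiteSpace(connectionString))
    throw new InvalidOperationException("ConnectionStrings:Default is missing.");

var app = builder.Build();
app.MapGet("/health", () => "ok"); // never echo the secret in a response or a log line
app.Run();
```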
|
|
|
|
|
Afzaal Ahmad Zeeshan wrote: I am not sure why you didn't read the documentation for this tool, Microsoft had already made it pretty much clear that this tool is not for "securely storing your credentials", rather "storing your secure credentials". There is a huge difference,
Chances are I missed it when reading it, although I'm not sure whose documentation I read on the subject so it might not even have been mentioned. Either way it was lost on me.
Afzaal Ahmad Zeeshan wrote: They are merely encrypted, anyone who has access to your machine—since this data is in your machine—has access to that database,
This is why I move away from database storage in the first place.
Afzaal Ahmad Zeeshan wrote: For example, on Microsoft Azure you should use Azure KeyVault
And this is the real value in your response.
Ger
|
|
|
|
|
Hi,
I built an ASP.NET web API but unfortunately, it is legacy. So I want to refactor it by using a generic repository, DI, etc. Are there any useful tutorials that I can use?
Best Regards.
|
|
|
|
|
Cenk KIZILDAĞ wrote: Are there any useful tutorials that I can use?
There are, even on this site.
Cenk KIZILDAĞ wrote: So I want to refactor it by using a generic repository, DI, etc.
Start with identifying where DI would be appropriate, and asking yourself what you gain from it. Don't add something just to say you added it.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
"If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
|
|
|
|
|
Eddy Vluggen wrote: There are, even on this site
Can you please share one or two? I read a couple of them but still have questions in my mind.
|
|
|
|
|
|
|
Quote: it is legacy.
One tip that I would like to give is, that you should consider using ASP.NET Core instead of ASP.NET, as ASP.NET Core introduces cross-platform deployment support, is lightweight and can be extended to support any runtime.
Quote: So I want to refactor it by using a generic repository, DI, etc.
Everything that you mention here is a part of ASP.NET Core, and you can easily integrate these in your own applications without having to change or break the design pattern of ASP.NET Core development, and design.
Quote: Are there any useful tutorials that I can use?
Sure, start here, Create web APIs with ASP.NET Core | Microsoft Docs.
What you can explore there includes the DI, repositories for your data stores, and other best practices like asynchronous controllers and middlewares for ASP.NET Web API.
The sh*t I complain about
It's like there ain't a cloud in the sky and it's raining out - Eminem
~! Firewall !~
|
|
|
|
|
I have a razor pages application built in 2 projects, database access and the ASP.net application with data services, controllers and pages.
I now want to access the ASP.net data services part of the application from a mobile project. Does the ASP.net application need to be split into a web API and a client project or can I use the ASP.net project as a web API data service?
Never underestimate the power of human stupidity -
RAH
I'm old. I know stuff - JSOP
|
|
|
|
|
|
Some light reading - just what I wanted, thank you.
Never underestimate the power of human stupidity -
RAH
I'm old. I know stuff - JSOP
|
|
|
|
|
What is the difference between Finalize() and Dispose() methods?
|
|
|
|
|
|
This is the difference between Finalize() and Dispose():
- The methods dispose() and finalize() are the methods of C# which are invoked to free the unmanaged resources held by an object.
- The dispose() method is defined inside the interface IDisposable, whereas the method finalize() is defined inside the class object.
- The main difference between dispose() and finalize() is that the method dispose() has to be explicitly invoked by the user, whereas the method finalize() is invoked by the garbage collector just before the object is destroyed.
|
|
|
|
|
Hi,
I can list the user accounts; I just want to change their passwords.
So, I want to update the users table according to the id value, like below:
<table id="myTable" class="table table-striped table-bordered table-condensed">
<thead>
<tr>
<th style="width: 2px">Id</th>
<th>Name And Surname</th>
<th>Passwords</th>
<th></th>
</tr>
</thead>
<tbody>
@foreach (var veri in Model)
{
<tr>
<td>@veri.Id</td>
<td>@veri.UserName</td>
<td>@Html.TextBoxFor(t => new AccountInfo().Pwd, new { @Value = @veri.Pwd, @class = "form-control", style = "width:100px"})</td>
<td>
@Html.ActionLink(linkText: "UPDATE", actionName: "UpdateManageUser", controllerName: "AdminPanel", routeValues: new {id = @veri.Id, NewPwd = @veri.NewPwd },
htmlAttributes: new {onclick= "userUpdateJson()", id = "btnUpdate",@class = "btn btn-primary pull-left"})
</td>
</tr>
}
</tbody>
</table>
public ActionResult UpdateManageUser(int id, string pwd)
{
    var con = Core.GetLocalConnection();
    con.Open();
    // Check that exactly one account has this id.
    var cmd = new SqlCommand("SELECT COUNT(*) FROM S_ACCOUNTINFO WHERE ID=@P1", con);
    cmd.Parameters.AddWithValue("@P1", id);
    var result = Convert.ToInt32(cmd.ExecuteScalar());
    if (result == 1)
    {
        // Update the stored password for that account.
        cmd = new SqlCommand("UPDATE S_ACCOUNTINFO SET PWD=@P2 WHERE ID=@P1", con);
        cmd.Parameters.AddWithValue("@P1", id);
        cmd.Parameters.AddWithValue("@P2", pwd);
        cmd.ExecuteNonQuery();
    }
    con.Close();
    return RedirectToAction("ManageUser");
}
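A hardened form of the action above, as an added example that is not part of the original post: the new password arrives in a POST body protected by an anti-forgery token instead of in a link URL, and the PWD column receives a salted PBKDF2 hash rather than the clear text. The "Admin" role name, the iteration count, the stored "iterations.salt.hash" format and a PWD column wide enough to hold it are assumptions; `Core.GetLocalConnection()` is the poster's helper.

```csharp
// Added example for ASP.NET MVC 5 on .NET Framework 4.7.2+ (not the poster's code).
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Mvc;

public class AdminPanelController : Controller
{
    private const int Iterations = 210000; // assumed PBKDF2 work factor

    // Returns "iterations.salt.hash" (Base64), so PWD never holds the clear text.
    internal static string HashPassword(string password)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, 16, Iterations, HashAlgorithmName.SHA256))
            return $"{Iterations}.{Convert.ToBase64String(kdf.Salt)}.{Convert.ToBase64String(kdf.GetBytes(32))}";
    }

    // Login side: recompute with the stored salt, then compare without an early exit.
    // Expects a value produced by HashPassword.
    internal static bool VerifyPassword(string password, string stored)
    {
        var parts = (stored ?? "").Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out var n) || n < 1) return false;
        byte[] salt = Convert.FromBase64String(parts[1]), expected = Convert.FromBase64String(parts[2]);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, n, HashAlgorithmName.SHA256))
        {
            var actual = kdf.GetBytes(expected.Length);
            var diff = 0;
            for (var i = 0; i < expected.Length; i++) diff |= actual[i] ^ expected[i];
            return diff == 0;
        }
    }

    [HttpPost, ValidateAntiForgeryToken, Authorize(Roles = "Admin")] // role name is assumed
    public ActionResult UpdateManageUser(int id, string newPwd)
    {
        if (string.IsNullOrWhiteSpace(newPwd)) return new HttpStatusCodeResult(400);
        using (var con = Core.GetLocalConnection()) // helper from the post
        using (var cmd = new SqlCommand("UPDATE S_ACCOUNTINFO SET PWD=@P2 WHERE ID=@P1", con))
        {
            cmd.Parameters.Add("@P1", SqlDbType.Int).Value = id;
            cmd.Parameters.Add("@P2", SqlDbType.NVarChar, 128).Value = HashPassword(newPwd);
            con.Open();
            if (cmd.ExecuteNonQuery() != 1) return HttpNotFound(); // no such account
        }
        return RedirectToAction("ManageUser");
    }
}
```

With this action each table row needs a small form (Html.BeginForm, Html.AntiForgeryToken() and a password input named newPwd) in place of the ActionLink, and the grid no longer has a stored password to display.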
|
|
|
|
|
|
I am making a small example of adding, editing, deleting and saving the treeView directory tree into the SQL Server database, what must I design to store in the database and write code?
|
|
|
|
|
Apart from the obvious items for each record you need to add some links to the child and sibling nodes. Assuming each record will be given an id or key value, you can link them by that. So a record can have an item that has the key of its first child node, if it has one. And also the key of its first sibling node, if it has one. That way you should be able to start from the root record and traverse the entire tree in order. Much the same as you would in the TreeView itself.
|
|
|
|
|
First there is a bit of configuration which I am not sure where it is set, but it is basically as follows:
- We have an ADFS server (AD Federation Server)
- It forwards authentication to 2 ("slave") servers, the company AD / Auth server and a private AD server for extra custom users
When we start the web site and go to a page marked with the [Authorize] attribute, it pops up the ADFS login page, which asks us to choose the AD server, then enter credentials, and I can successfully log in with a user of either AD server.
However, when I try to do the same thing to authorize a web server to web API call using a hard-coded API user (we are not using JwtToken for the current user due to some other issue), getting the token as follows:
var context = new AuthenticationContext(adfsInfo.Authority, false);
var credential = new UserPasswordCredential(adfsInfo.UserName, adfsInfo.Password);
var result = await context.AcquireTokenAsync(adfsInfo.ResourceId, adfsInfo.ClientId, credential);
This
- works for user in the company AD server
- doesn't work for user in our private additional AD server. I got "invalid user or password"
where Authority is the same AD Url that I use for ADFS Web login, i.e. something like:
https://auth.dev.mycompany.com/adfs
What could be wrong? How could I fix it?
|
|
|
|
|
In a web form application I support, I need to have the web pages display in the following new languages:
Karen, Burmese, Nepali, and Arabic. Right now the application is displayed in English and Spanish.
My question is how to have the pages display in the various languages and here is what I am thinking:
Have the html that is generated point to the various languages by using different fonts. For example:
For the Karen language, the font would be 'Karen Hiland',
For the Arabic language, the font would be 'Arabic (Iraq)'.
If the above would not work, what would the web form need to make the html display to show what language is currently being displayed?
If that does not work, what would you suggest I do to accomplish my goal?
|
|
|
|
|
It's usually done with resource files. If it is already multi-lingual then can't you simply extend the method you have now for other languages? Converting a site to use resource files if it doesn't currently use them is a substantial effort.
|
|
|
|
|
Greetings again experts.
The code below was generously provided by the great Richard Deeming.
<asp:HyperLinkField
    DataNavigateUrlFields="filename, servername"
    DataNavigateUrlFormatString="http://Archive/{1}/play_recording_wav.aspx?filename=noop_{0}.wav" />
It concatenates fieldnames with hardcoded values to allow audio files saved on the server to be played.
For instance, Archive is hardcoded. So is noop and .wav.
However, {1} and {0} are database fieldnames (filename, servername)
The issue we are currently having now is that values for filename exist for all records in the database.
However, some of the filenames on the server do not exist.
For instance, let's say we have V0000YT as value for filename on the database, that same V00YT which is an audio file, does not exist on the server.
As a result, when you load that record on the browser and click Listen, you get "page cannot be displayed" error.
If I designed the database, I would have added a flag with a value of Yes or No.
Yes, if filename on the database has an associated audio file on the server.
No, if there is no associated audio file on the server.
Management has asked to disable the Listen link if no audio file on the server is associated with a filename on the database.
I told him this is not possible.
Am I right?
Thanks very much in advance
modified 31-May-19 10:33am.
|
|
|
|
|
You'll need to use a TemplateField instead, along with a code-behind function to test whether the file exists.
<asp:TemplateField HeaderText="Recording">
<ItemTemplate>
<asp:HyperLink runat="server"
NavigateUrl='<%# string.Format("http://Archive/{1}/play_recording_wav.aspx?filename=noop_{0}.wav", Eval("filename"), Eval("servername")) %>'
Enabled='<%# RecordingExists(Eval("filename", "{0}"), Eval("servername", "{0}")) %>'
Text="Listen"
/>
</ItemTemplate>
</asp:TemplateField>
protected bool RecordingExists(string filename, string servername)
{
...
}
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
Sorry for the silly question sir but what goes in here:
protected bool RecordingExists(string filename, string servername)
{
...
}
Many thanks for your help
modified 29-May-19 20:17pm.
|
|
|
|
|
Some code to test whether the specified file exists.
Assuming your files are stored somewhere that's accessible to the current site, the simplest solution would be to add a virtual directory under App_Data, and then use something like:
protected bool RecordingExists(string filename, string servername)
{
string virtualPath = string.Format("~/App_Data/YourVirtualDirectory/{1}/noop_{0}.wav", filename, servername);
string physicalPath = Server.MapPath(virtualPath);
return System.IO.File.Exists(physicalPath);
}
Adding the virtual directory under App_Data will ensure that users can't access the files directly by navigating to them; they will have to use the "play_recording" page.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
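A variant of the existence check above that validates both values before they become part of a file path, as an added example that is not Richard Deeming's code. The `Recordings` page class, the 64-character limit and the allowed character set are assumptions about how the recordings are named.

```csharp
// Added example (Web Forms code-behind).
using System;
using System.IO;
using System.Text.RegularExpressions;

public partial class Recordings : System.Web.UI.Page // hypothetical page class
{
    // Assumed naming rule: letters, digits, '_' and '-' only, so no "..", '/', '\' or ':'.
    private static readonly Regex SafeName = new Regex(@"\A[A-Za-z0-9_-]{1,64}\z");

    protected bool RecordingExists(string filename, string servername)
    {
        if (filename == null || servername == null ||
            !SafeName.IsMatch(filename) || !SafeName.IsMatch(servername))
            return false; // unexpected value: render the Listen link disabled

        string root = Path.GetFullPath(Server.MapPath("~/App_Data/YourVirtualDirectory"));
        string candidate = Path.GetFullPath(
            Path.Combine(root, servername, "noop_" + filename + ".wav"));

        // Second line of defence: the resolved path must still sit under the root.
        string prefix = root.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        return candidate.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)
               && File.Exists(candidate);
    }
}
```

The same validation belongs in play_recording_wav.aspx, which receives filename from the query string and is the page users actually reach.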
|
|
|
|
|