I would like to create a C# WinForms application which will create web requests to servers that require username and password (Basic authentication).
I want to save the password locally (encrypted of course) on the machine that runs the application.
Basically, I need something that operates as Keychain in iOS, or "secure storage" in eclipse, only for .NET
I've found the Credential Manager in Windows, but all API examples are from .NET Framework V2.0
Isn't there a normal API from Microsoft about how to use it in C#?
Windows applications can use DPAPI for that, the Data Protection API, which stores secrets on a computer, encrypted (indirectly) with a user's login credentials. Any process that runs with the user's privileges can access this data. Optionally you can let the user add his own password (for this one item / secret) if you like (PrompStruct). The DPAPI is also accessible via C# (there are examples on the net).
You can store the credentials in a section in app.config and then encrypt the section (similar to what you'll do in web.config for a web application).
You can use SectionInformation.ProtectSection to protect the section, and SectionInformation.GetRawXml to retrieve the encrypted info (decryption is done transparently).
Example (taken from the MSDN article below):
static public void ProtectSection()
{
// Get the current configuration file.
System.Configuration.Configuration config =
ConfigurationManager.OpenExeConfiguration(
ConfigurationUserLevel.None);
// Get the section.
UrlsSection section =
(UrlsSection)config.GetSection("MyUrls");
// Protect (encrypt)the section.
section.SectionInformation.ProtectSection(
"RsaProtectedConfigurationProvider");
// Save the encrypted section.
section.SectionInformation.ForceSave = true;
config.Save(ConfigurationSaveMode.Full);
// Display decrypted configuration
// section. Note, the system
// uses the Rsa provider to decrypt
// the section transparently.
string sectionXml =
section.SectionInformation.GetRawXml();
Console.WriteLine("Decrypted section:");
Console.WriteLine(sectionXml);
}
http://msdn.microsoft.com/en-us/library/system.configuration.sectioninformation.protectsection.aspx
Related
I have been exploring Apache Shiro with Zeppelin and so far has been able to make authentication work with JdbcRealm but one thing that is not going well is giving the data source password as plain text.
Is there a way to avoid that?
My shiro.ini looks like:
[main]
dataSource = org.postgresql.ds.PGPoolingDataSource
dataSource.serverName = localhost
dataSource.databaseName = dp
dataSource.user = dp_test
dataSource.password = Password123
ps = org.apache.shiro.authc.credential.DefaultPasswordService
pm = org.apache.shiro.authc.credential.PasswordMatcher
pm.passwordService = $ps
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealmCredentialsMatcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
jdbcRealm.dataSource = $dataSource
jdbcRealm.credentialsMatcher = $pm
shiro.loginUrl = /api/login
[roles]
admin = *
[urls]
/** = authc
Is there a way to avoid giving data source password as plain text
dataSource.password = Password123?
Would like to give something like:
$shiro1$SHA-256$500000$YdUEhfDpsx9KLGeyshFegQ==$m+4wcq4bJZo1HqDAGECx50LcEkRZI0zCyq99gtRqZDk=
yes, there is a way, but there will still be a password lying around somewhere due to the nature of shiro needing to know the password.
Why Hashing does not work
You posted
something like: $shiro1$SHA-256[…]
This is a hash, and thus it is not reversible. There is no way shiro could log into the datasource using this String.
Container managed datasources
The best approach I can recommend at this point is to have a container managed resource. A container is referring to a (web) application server in this case, like tomcat, OpenLiberty or Wildfly.
For your use case, try looking into the following:
extend org.apache.shiro.realm.jdbc.JdbcRealm or AuthorizingRealm
Add the JPA API to your module and inject a persistence context like so:
#PersistenceContext
EntityManager entityManager;
Override the methods
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals)
… to load from your managed datasource instead.
Drawbacks of this approach:
You just delegated datasource login to your container / application server. The server is still facing the same problems. E.g. with OpenLiberty, you will still need to store a master key of an encrypted (not hashed) password somewhere, and thus liberty will do exactly this.
use another configuration source
Instead of using a shiro.ini file, you could also write your own environment loader. You could request the file from an IP-restricted web service or a cryptographic hardware device.
Always a goal: restrict the environment
You should always restrict the environment.
E.g. create a user which can install, but not run your application and who cannot read the logs (called setup-user or so).
Create another user which can start the application, read but not modify configuration files and write logs, called a run-user.
Restrict access to configurations and logs for all other users on that system.
Getting involved
If you have other needs, feel welcome to discuss other solutions on the shiro mailing lists.
I am working on a WPF application. I have used “install shield limited edition” to create the installer setup. As per requirement I want to encrypt the App.config file (using DataProtectionConfigurationProvider) during the installation process.
I checked the installer shield set up project properties. I found that there is “Custom action” section and some of the actions are not locked.
I want to execute the following code to encrypt the Appsettings section of Appconfig file.
Configuration config = ConfigurationManager.OpenExeConfiguration(
//Gets the source directory of the installation from the default
//context parameters
Context.Parameters["assemblypath"]);
// Get the connectionStrings section.
ConfigurationSection section = config.GetSection("appSettings");
//Ensures that the section is not already protected
if (!section.SectionInformation.IsProtected)
{
//Uses the Windows Data Protection API (DPAPI) to encrypt the
//configuration section using a machine-specific secret key
section.SectionInformation.ProtectSection(
"DataProtectionConfigurationProvider");
config.Save();
}
But I found, we have only the option to choose New Exe,VB Script or Jscript.
How can I implement the encryption of Config file.
Please guide me a way.
Thanks
I have some passwords that I access via a custom written java class and save the decrypted values in the Registry as String objects.(Note: we do not have access to the Enterprise Edition to leverage the Credentials Vault features.)
I can successfully save them and access them in code but I am having trouble accessing it in the flow. Specifically the Salesforce connector:
<sfdc:config name="ConfigurableSalesforceConnection" username="${sfdc.username}" password="#app.registry.get('salesforcepassword')" securityToken="${sfdc.securityToken}" doc:name="Salesforce" url="${sfdc.url}"/
Some of the Syntax I have used is:
password="#app.registry.get('salesforcepassword')"
and
app.registry['salesforcepassword']
Is this even possible or should I explore different avenues?
Try this
#[app.registry['salesforcepassword']]
Instead of dealing with the registry, you could also encrypt the credentials in your properties file and use Jasypt to decrypt them when the file gets loaded. This is transparent for the application and way easier.
Check this tutorial: http://www.jayway.com/2008/12/09/encrypting-properties-with-jasypt/
Important: API has changed - Read this first:
https://developers.google.com/accounts/docs/AuthForInstalledApps
ClientLogin has been officially deprecated as of April 20, 2012. It
will continue to work as per our deprecation policy, but we encourage
you to migrate to OAuth 2.0 as soon as possible.
I want to build two application client (some python/java program) and server (Google App Engine application) and authenticated with google acount from client to server to get some secret information.
Let me explain scenario:
Server has address https://example.appspot.com.
Client want download restricted information from https://example.appspot.com/restricted so this url is defined and login: required in app.yaml.
Client use some Google Account example_login and example_password to get access.
How properly authenticate from client into Google App Engine to get access to https://example.appspot.com/restricted?
Another easy method, without login, is to use HMAC. You create a MAC signature based on timestamp (to make every request unique) and a secret MAC KEY. You request contains the timestamp and the MAC signature. The server can verify the MAC, because it also has the secret MAC KEY.
This Python code works on both sides (client and server)`:
import hmac, base64, hashlib
new_hmac = hmac.new(key=my_secret_MAC_KEY, msg=timestamp_in_request, digestmod=hashlib.sha256)
signature = base64.b64encode(new_hmac.digest()).decode()
if signature_in_request != signature : raise ValueError('access denied')
This works fine for a single user, because you have to manage a single key. When you have a lot of users, client login is a much better option.
--First a little background:--
I have already managed to connect to a Microsoft web service using C#. To use this web service, I have to supply a username and a password in the C# code. I also have to install a certificate (in .cer format) into the "Root Certificate Authorities" section of the system's certificates.
(By the way, the C# class I use to connect to the service was automatically generated for me with the command line tool "svcutil.exe https://address.of.service")
--Here is my question:--
How can I connect to this web service using Axis2/C? The example in the documentation is of a completely different nature -- it asks for a certificate, key file, and a passphrase. In my case, it is username, password, and a .cer file.
So I'm not sure where to even begin. I don't know where my .cer file, username and password should go exactly. Any ideas?
If at all possible stay away from Axis2, perhaps use gSOAP instead.
That said, figure out which of the HTTP libraries you are building Axis2 with (I believe it can use a number of different ones depending on which OS you are building etc).
Also you might want to update your question with the reference to the sample program you are talking about and relevant excerpt from the C# client for reference.