

Configuration API Improvements in ASP.NET 2.0 : Page 2

By introducing a spate of new configuration-specific features, .NET 2.0 makes managing your deployed .NET applications a breeze.

Encrypting and Decrypting Connection Strings
Keeping unencrypted connection strings in your web.config file isn't ideal. Fortunately, in addition to reading connection strings from a configuration file, you can also use the Configuration APIs to encrypt individual sections so that confidential information, such as the connection details for your databases, is not stored in plain text. To encrypt a configuration section, you invoke the ProtectSection() method of the SectionInformation object.

The .NET 2.0 Framework ships with two types of providers: DataProtectionConfigurationProvider and RSAProtectedConfigurationProvider. You pass the ProtectSection() method the name of the provider to use. The example shown in Listing 1 uses the built-in DataProtectionConfigurationProvider, and displays a form containing two buttons that you can use to encrypt or decrypt the connection string stored in the web.config file.

Before viewing the output of Listing 1 in a browser, place the following connection string section in your web.config file.

<connectionStrings>
  <add name="pubs" connectionString="server=localhost;integrated security=true;database=pubs;" />
</connectionStrings>

As you can see from Listing 1, you can access the configuration file for any location in the config hierarchy using the ConfigurationManager's OpenWebConfiguration method, passing a virtual path to retrieve the configuration file for that location. The method returns a Configuration object that you can use to view the combined configuration (inherited across all configuration files, starting from the machine.config file) for that location. You use the SectionInformation class to access, protect (encrypt), and unprotect (decrypt) specific sections. Table 2 shows the important methods and properties of the SectionInformation class.

Table 2. SectionInformation Properties and Methods: The table shows some important properties and methods of the SectionInformation class

Property or Method



This method returns an XML node object containing the XML representation for the associated configuration section object.


This method encrypts a specific configuration section by using the supplied provider.


This method decrypts a specific configuration section that is already encrypted using the ProtectSection method


This property returns a value indicating whether the associated configuration section is locked.


This property returns the name of the configuration section.


This property returns the name of the associated configuration section.

When you run the code in Listing 1 and click on the Encrypt button (see Figure 1), you'll find that it modifies the web.config file, adding a section named protectedData as shown below.

<protectedData>
  <protectedDataSections>
    <add name="connectionStrings" provider="DataProtectionConfigurationProvider" inheritedByChildren="False"/>
  </protectedDataSections>
</protectedData>
<connectionStrings>
  <EncryptedData>
    <CipherData>
      <CipherValue>AQA------------ FnvpHa1iy4Oww=</CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>

Figure 1. Output Produced by Clicking the Encrypt Button: When you click the Encrypt button, the application encrypts the connection string from the web.config, then retrieves and decrypts it and displays the decrypted string in the browser.

Clicking the Encrypt button also results in the connection string being displayed in the page. This is shown in Figure 1. Note that even though the connection string is encrypted in the web.config file, when you retrieve the connection string programmatically, ASP.NET automatically does the decryption for you.

In Listing 1, note that the UnProtectSection() method, unlike ProtectSection(), does not require a provider name. When a section is encrypted, ProtectSection() stores information about the provider used to perform the encryption in the web.config file. You can see this provider information in the web.config file entries shown above. The UnProtectSection() method uses that information to determine which provider to use to decrypt the data.

When you click on the Decrypt button shown in Figure 1, you'll see a message indicating that the connection string is decrypted and stored in the web.config file.
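The encrypt, read, and decrypt steps described above, as an added example that is not the article's Listing 1 (which is not reproduced on this page): the helper encrypts the connectionStrings section only when it is still in plain text and reverses it on request. It uses the API names of the released .NET 2.0 Framework, WebConfigurationManager.OpenWebConfiguration and UnprotectSection(); the class and method names are hypothetical.

```csharp
using System.Configuration;
using System.Web.Configuration;

// Hypothetical helper (added example). Run it from an admin page or deployment step
// under an account that has write access to the application's web.config.
public static class ConnectionStringProtection
{
    // Provider name as given in the article; it is recorded in web.config on encryption.
    private const string ProviderName = "DataProtectionConfigurationProvider";

    // Encrypts the section if it is still plain text. Returns true when web.config changed.
    public static bool EnsureProtected(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        SectionInformation info = GetInfo(config);
        if (info.IsProtected)
            return false;                 // already encrypted, nothing to do
        info.ProtectSection(ProviderName);
        info.ForceSave = true;            // write the section even if otherwise unmodified
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Writes the section back in plain text. No provider name is passed:
    // the provider recorded in web.config at encryption time is used.
    public static bool Unprotect(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        SectionInformation info = GetInfo(config);
        if (!info.IsProtected)
            return false;
        info.UnprotectSection();
        info.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reads the "pubs" entry; ASP.NET decrypts the section transparently.
    public static string ReadPubs()
    {
        return WebConfigurationManager.ConnectionStrings["pubs"].ConnectionString;
    }

    private static SectionInformation GetInfo(Configuration config)
    {
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            throw new ConfigurationErrorsException("No connectionStrings section found.");
        if (section.SectionInformation.IsLocked)
            throw new ConfigurationErrorsException("connectionStrings is locked at this level.");
        return section.SectionInformation;
    }
}
```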
