I am building a SharePoint web part that will be used by all users, but can only be modified by admins. The web part connects to a web service which needs credentials. I hard-coded the credentials in the web part's code.

query.Credentials = new System.Net.NetworkCredential("username", "password", "domain");

query is an instance of the web service class.

This may not be a good approach. With regard to security, the source code of the web part is available to people who are not allowed to see the credentials.

In normal ASP.net applications, credentials can be written into web.config and encrypted. A web part doesn't have a .config file associated with it. There is an application-level .config file for the whole SharePoint site, but I don't want to modify it for a single webpart. I wonder if there is a webpart-specific way to solve the credential problem? Say we provide a WebBrowsable property of that web part so that privileged users can modify credentials. If this is desirable, how should I make the property display as a password ("*") rather than in plain text?

Thanks.

+1  A: 

Read the user name and password out of an encrypted section of the configuration file. See http://blogs.techrepublic.com.com/programming-and-development/?p=448 for more info on programmatic uses.

Tom Cabanski
This is good for a general ASP.net site. But for a web part, I may not want to put credentials in a .config file that is used by the whole site. Is there a webpart-specific solution? Thanks.
Bryan
-1 If the attacker can read the file containing the password, then they will be able to read the key that is being used to encrypt it. This is **not** a problem that cryptography solves.
Rook
+1  A: 

In addition to the above, you can store the credentials (securely, of course) on the server, be it a config file symlinked in, a file in a known location (e.g., a common directory) or even (not recommended) in the environment.

A bonus of this method is it allows dev/test/whatever to have different credentials and not interfere with production while developing/testing/etc.

BryanH
Thanks. A nice solution. I'm wondering whether the file solution will cause extra effort in deployment and maintenance. I'll have to keep the file and webpart coordinated. When the file is moved or deleted for some reason, the webpart may not work. I'm hoping for a solution to integrate the credential in the webpart. Thanks!
Bryan
If you are running on *nix, you could NFS mount to a 'credentials' volume. That would give you the benefit of having one location to update, and a bit more security (mount read only, etc).
BryanH
+1  A: 

If you want the web part to be independent of other parts of the system, a property is the simplest option. The main downside to that approach is that you can't set permissions for individual properties, so users will see it. You could have the value be a hash (calculated elsewhere by the admin before adding the web part) but I don't think I'd call that a good solution.

If you want to provide UI to admins only, you should create a custom settings page (CustomAction + layouts page) which saves the credentials in a site property, possibly encrypted so that they can only be read by your custom code in the web part and settings page.

Tom Clarkson
Thanks. If I want to provide a credential property to admins, how can I make sure the text is displayed in "*"s? Using a custom ToolPane?
Bryan
If you mean in a web part property, I'm not sure how much control you get - I was thinking it could be encrypted so that it can only be used by your web part and it doesn't matter if the user sees it. If you mean in the custom settings page, it's just a standard .net page and you can use whatever design you want.
Tom Clarkson
+1  A: 

Create a custom toolpart and check for a condition like SPWeb.UserIsWebAdmin; if it is true, render the fields needed for the credentials (input textbox, masked textbox, etc.).

Janis Veinbergs
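
A sketch of the admin-only, masked credential editor described in the last answer, added here as an example and not code from any of the posters. It uses the ASP.NET EditorPart (the tool part equivalent for web parts deriving from the ASP.NET WebPart class); the class names, property names and control IDs are assumptions.

```csharp
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using Microsoft.SharePoint;

// Hypothetical web part; class and property names are assumptions for illustration.
public class ServiceWebPart : WebPart
{
    // Hidden from the default property pane; isSensitive = true keeps the
    // values out of exports made with ExportMode = NonSensitiveData.
    [WebBrowsable(false), Personalizable(PersonalizationScope.Shared, true)]
    public string ServiceUser { get; set; }

    [WebBrowsable(false), Personalizable(PersonalizationScope.Shared, true)]
    public string ServicePassword { get; set; }   // stored as entered, not encrypted

    public override EditorPartCollection CreateEditorParts()
    {
        var editor = new CredentialEditorPart { ID = ID + "_credEditor", Title = "Service credentials" };
        return new EditorPartCollection(base.CreateEditorParts(), new EditorPart[] { editor });
    }
}

public class CredentialEditorPart : EditorPart
{
    private TextBox _user, _password;

    private static bool IsAdmin { get { return SPContext.Current.Web.UserIsWebAdmin; } }

    protected override void CreateChildControls()
    {
        if (!IsAdmin) return;   // non-admins get no credential fields at all
        _user = new TextBox { ID = "svcUser" };
        _password = new TextBox { ID = "svcPassword", TextMode = TextBoxMode.Password };
        Controls.Add(_user);
        Controls.Add(_password);
    }

    public override bool ApplyChanges()
    {
        EnsureChildControls();
        if (!IsAdmin) return true;   // re-check on postback, not only at render time
        var part = (ServiceWebPart)WebPartToEdit;
        part.ServiceUser = _user.Text;
        // A password box is never pre-filled, so an empty value means "keep the current one".
        if (_password.Text.Length > 0) part.ServicePassword = _password.Text;
        return true;
    }

    public override void SyncChanges()
    {
        EnsureChildControls();
        if (IsAdmin) _user.Text = ((ServiceWebPart)WebPartToEdit).ServiceUser;   // password is never sent back
    }
}
```

The masked field only hides the value on screen; the password is still saved as-is with the web part's shared properties, so the encryption question raised earlier in the thread remains a separate decision.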