tags:

views:

197

answers:

4
Q: 

How to avoid hard-coded credentials in Sharepoint webpart?

I am building a Sharepoint web part that will be used by all users, but can only be modified by admins. The web part connects to a web service which needs credentials. I hard coded credentials in the web part's code. 

query.Credentials = new System.Net.NetworkCredential("username", "password", "domain");

query is an instance of the web service class

This may not be a good approach. In regard with security, the source code of the web apart is available to people who are not allowed to see the credentials.

In normal ASP.net applications, credentials can be written into web.config and encrypted. A web part doesn't have a .config file associated. There is a application-level .config file for the whole sharepoint site, but I don't want to modify it for a single webpart. I wonder if there is a webpart-specific way to solve the credential problem? Say we provide a WebBrowsable property of that web part so that privileged users can modify credentials. If this is desirable, how should I make the property displayed in a password ("*") rather than in plain text?

Thanks.

+1  A: 

Read the user name and password out of an encrypted section of the configuration file. See http://blogs.techrepublic.com.com/programming-and-development/?p=448 for more info on programmatic uses.

Tom Cabanski  2010-04-20 22:13:29
This is good for a general ASP.net site. But for a web part, I may not want to put credentials in a .config file that is used by the whole site. Is there a webpart-specific solution? Thanks.
Bryan  2010-04-20 22:45:31
-1 if the attacker can read the file containing the password then they will be able to read the key that is being to used to encrypt it. This is **not** a problem that cryptography solves.
Rook  2010-04-20 23:29:44
+1  A: 

In addition to the above, you can store the credentials (securely, of course) on the server, be it config file symlinked in, a file in a known location (e.g., common directory) or even (not recommended) in the environment.

A bonus of this method is it allows dev/test/whatever to have different credentials and not interfere with production while developing/testing/etc.

BryanH  2010-04-20 22:16:22
Thanks. A nice solution. I'm wondering whether the file solution will cause extra effort in deployment and maintenance. I'll have to keep the file and webpart coordinated. When the file is moved or deleted for some reason, the webpart may not work. I'm hoping for a solution to integrate the credential in the webpart. thanks!
Bryan  2010-04-20 22:50:53
If you are running on *nix, you could NFS mount to a 'credentials' volume. That would give you the benefit of having one location to update, and a bit more security (mount read only, etc).
BryanH  2010-04-22 15:04:56
+1  A: 

If you want the web part to be independent of other parts of the system, a property is the simplest option. The main downside to that approach is that you can't set permissions for individual properties, so users will see it. You could have the value be a hash (calculated elsewhere by the admin before adding the web part) but I don't think I'd call that a good solution.

If you want to provide ui to admins only, you should create a custom settings page (CustomAction + layouts page) which saves the credentials in a site property, possibly encrypted so that they can only be read by your custom code in the web part and settings page.

Tom Clarkson  2010-04-20 23:29:27
Thanks. If I want to provide a credential property to admin, how can I make sure the text is displayed in "*"s? Using custome ToolPane?
Bryan  2010-04-20 23:41:33
If you mean in a web part property, I'm not sure how much control you get - I was thinking it could be encrypted so that it can only be used by your web part and it doesn't matter if the user sees it. If you mean in the custom settings page, it's just a standard .net page and you can use whatever design you want.
Tom Clarkson  2010-04-20 23:55:27
+1  A: 

Create custom toolpart, check for condition like SPWeb.UserIsWebAdmin, if so, render fields needed for credentials (input textbox, masked textbox etc).

Janis Veinbergs  2010-04-21 06:03:45

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security