I am creating a windows service that has to send an email out at specific intervals to various people. I am using an account on a server that I need to connect with securely.
I found this reference: https://nimblegecko.com/how-to-store-login-details-securely-in-application-config-file/
the code I was trying to implement is this:
var configuration = ConfigurationManager.OpenExeConfiguration(Assembly.GetExecutingAssembly().Location);
configuration.AppSettings.Settings["username"].Value = EncryptString("new username", configPassword);
configuration.AppSettings.Settings["password"].Value = EncryptString("new password", configPassword);
configuration.Save();
My question is encoding the username and password as fixed text still seems to result in the same exposure as hard-coding it right?
any help would greatly be appreciated?
Uhm... Don't store in AppConfig settings.
If you cannot use a database for that (storing hashed and encrypted strings) get a new file for that, you can even protect it to allow only the service user account to read/modify it, or store it on the service profile directory (its user account profile directory)
I would do it using an ini file structure more easy to read than an xml, where each line contains something like
var mergedCredential = string.Format("{0}|{1}", "user#here.com" , "P#ssw0rd");
User1HashedCredentials=EncryptString("new username", mergedCredential);
I used a pipe to "merge" the credential as you can prevent users to use it on username
When you decrypt you split by "|"
var credentials = DecryptString("new username", User1HashedCredentials);
var splitted = credentials.Split('|');
Username = splitted[0]
Password = splitted[1]
An example of ini file:
[Users]
Count=5
[SendEmailSection]
User1=dsaa$#asdasd$##rr==
User2=dggggjh7/sd$##rr==
User3=dsaasd"/$%asdasd$##rr==
User4=dsas/&"dasd$##rr==
User5=dsAa&s3dasd$##rr==
Which is easier to mantain and modify. You can even make your own specialized ini reader/writer Read sections, split by "="
I do not suggest to store credential in app.config file. if you are planned to store there then you should store with proper encryption and decryption.
for you info you can refer this link
But I would suggest you to use window credential manager to store your password
for more details you can use their nuget package and their sample
Nuget
Another reference
Github
You can find it in your app's Preferences.
Right click on your project. Select add. Add .settings form. Then crate a table which contains email, password etc.
Related
I want to store my credintial like email and password hardcode on my code, when I create jwt token then I want to use it. Can I do this??
If it possible how to access email and password.
First of all you can use credentials class and some collection of them in memory.
Secondly, you can use database
But: It is in general not recommended to store the user's password anywhere without encryption
Example: User -> Max#gmail.com, Password -> qwerty123 must be stored as: Max#mail.com and pass as awofi12312ASOIFDAOSF#?#?"!£!". No matter where: in memory, in db.
For usage you must also implement decryption in order to check credentials from encrypted value to it's decrypted state (from -> awofi12312ASOIFDAOSF#?#?"!£!" to -> qwerty123)
You can use the settings file to overcome this problem. Go to the Add New Item window and select the settings file. Then it will open a table and put "email" and "password" to identify the references. And also you need to select the data type and if you want to add a default value, you can add that one here too.
So you can read data by this line,
bool dataSaved = savedSetting.Default.dataSaved;
And also you can write data by this code,
savedSetting.Default.dataSaved = true;
savedSetting.Default.Save();
var client = new AmazonCognitoIdentityProviderClient("MYKEY", "MYSECRET", RegionEndpoint.USEast1);
var request = new AdminGetUserRequest();
request.Username = "USERNAME";
request.UserPoolId = "POOLID";
var user = client.AdminGetUserAsync(request).Result;
The key/secret are authenticating as a user with Administrator Access. For good measure, I've also given it the AmazonCognitoPowerUser policy.
The region endpoint is correct and the same as the one my user pool is in. The user pool Id is correct. The first part of the user pool ID matches the region.
I'm at a loss for where else this could possibly be going wrong. Any ideas?
Update 8/2/19
Manual CLI command:
PM> aws cognito-idp list-user-pools --region us-east-1 --max-results 10
{
"UserPools": []
}
The region is correct, so there must be some issue with permissions. Is there anything I could try tweaking on the pool, or other policies I may need to add to the user?
So, it looks like this is some sort of AWS glitch with the existing IAM user.
Having created a new user with exactly the same permissions, access works as intended both from CLI and the code in the original question.
Actually your configuration can be wrong , you downloaded awsconfiguration.json and it looks like same I know.. but this configuration can be wrong. When you examine the json you will see a field.. "CognitoUserPool": {PoolId, appclient id ..}
You need to open your user pool and create new client or control existing client information. Check your awsconfiguration.json again with this webpage's pool id, appclient id etc. Update your json... it will solve the problem.
I ran into this problem with the AWS CLI and it puzzled me too, but I learned that I needed to provide the profile name in the parameter list to get it to work. So it looked like this:
aws cognito-idp admin-get-user --profile dev-account ....
My profiles are stored on my Mac at cat ~/.aws/config| grep profile
The config file is created by an in-house custom script. This is the contents of what that file looks like.
[profile dev-account]
sso_start_url = https://yourcompanyname.awsapps.com/start#/
sso_region = us-east-1
sso_account_id = 1234567890
sso_role_name = PowerUserAccess
region = us-east-1
output = json
Also, in this folder is a "credentials" file that has some JSON for these variables: profile name, aws_access_key_id, aws_secret_access_key, aws_session_token, aws_expiration
I am trying to use Pgina-fork to modify windows logon. Instead of using username and password, I want to login user with a single field authentication that doesn't use a password . I am done with custom plugin modifications and building procedures but am not able to find a way to modify the logon UI. I need to hide the password field and modify other info that is not useful to me. If anyone knows how to do that in the Credential provider source code of Pgina-fork ?
You need to modify pGina Fork source Code for that.
pGina src have a folder named CredentialProvider.. that is what you need
In file credential.cpp
you can use this code
//hide password
m_fields->fields[m_fields->passwordFieldIdx].fieldStatePair.fieldState = CPFS_HIDDEN;
if (m_usageScenario == CPUS_CHANGE_PASSWORD) {
m_fields->fields[CredProv::CPUIFI_NEW_PASSWORD].fieldStatePair.fieldState = CPFS_HIDDEN;
m_fields->fields[CredProv::CPUIFI_CONFIRM_NEW_PASSWORD].fieldStatePair.fieldState = CPFS_HIDDEN;
}
This is the block of code which main pGina provides.
I tried to store user credential in registry editor.It was successfully worked.
RegistryKey key;
key = Registry.CurrentUser.CreateSubKey(#"SOFTWARE\\XXX\\Credential");
key.SetValue("Name", txtusername);
key.SetValue("Password", password);
key.Close();
how to store user credential securely in credential manager for wpf application?
If the credentials are to be used only from within the application itself then you can encrypt them and add them to your app.config file.
Create an application setting of type connectionstring and call it say myconnectionstring
Using Common.DbConnectionStringBuilder you can build then "connection string" with your username and password off the back of a dialog box that asks the user to enter them.
Then (in VB)
Dim config As System.Configuration.Configuration = System.Configuration.ConfigurationManager.OpenExeConfiguration(System.Configuration.ConfigurationUserLevel.None)
Dim section As System.Configuration.ConnectionStringsSection = DirectCast(config.GetSection("connectionStrings"), System.Configuration.ConnectionStringsSection)
section.ConnectionStrings(My.Settings.ToString & ".myconnectionstring").ConnectionString = ConnectionString
section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider")
config.Save(System.Configuration.ConfigurationSaveMode.Modified)
System.Configuration.ConfigurationManager.RefreshSection("connectionStrings")
This should save it encrypted in app.config
When read the data back out, .Net will take care of all of the decryption for you.
Simply create another Common.DbConnectionStringBuilder object, assign its connectionstring property to Configuration.ConfigurationManager.ConnectionStrings(My.Settings.ToString & ".myconnectionstring").connectionstring then read fields you need.
Hope this helps
I'm working on a project where the client wants to restrict some content to only Active Directory users . Is there any way to identify that a SPUser is an AD user short of parsing the username string for the domain (or something along those lines). Something like SPUser.IsADUser would be awesome.
Edit
This seems to work, but I'm not sure if this is reliable enough? For this use case, identifying that a user is a windows user is enough (there are no local system accounts)
SPUser user = SPContext.Current.Web.CurrentUser;
string userName = user.LoginName.Substring(user.LoginName.IndexOf('|') + 1);
SPPrincipalInfo info = SPUtility.ResolveWindowsPrincipal(SPContext.Current.Site.WebApplication, userName, SPPrincipalType.User, false);
if(info != null){
//THIS IS A WINDOWS ACCOUNT
}
In my experience it is much better to use audiences for this purpose. You then can easily trim any web part using "Audience" property. You can read about audiences here. Of course it will only work if you have user profile synchronization configured.