First, I have two project working on: ASP.NET and Silverlight
Both uses a class (QueryServiceClass in a library class project) that have query methods to access the database with ADO.NET, manipulating the database. (open connection to database, add customer, edit, update etc.)
So I stored them into a C# Class library and it shared with ASP.Net and Silverlight.
ASP.NET project and Silverlight's Web project will have a reference to the QueryServiceClass project.
But then if I publish the ASP.NET/Silverlight Project, the QueryServiceClass project's dll file should also be published ( the dll should be locate in the server side at this point).
Because the QueryServiceClass's method has to be public so ASP.NET/Silverlight project can use it.
So someone might able to use that dll to access the database? Would that be safe?
======
Edit
In the Silverlight's Web Project, I am using WCF inhert the QueryServiceClass and an Interface to access the database, so on Silverlight Client, it will access the database through the WCF.
I am more concern on someone might take the dll file from the server and give to someone.
Thanks in advance.
King
You can make your members internal instead of public and modify the AssemblyInfo.cs class and make internals visible to specific asseblies.
[assembly: InternalsVisibleTo("OtherLib.Domain.Stuff")]
This doesn't keep someone from disassembling your DLL to get the info, but will keep people from using your dll in their code.
Public or not, that will not be safe. If your thing accesses a database without proper access restrictions, in any way, from a non-trustworthy computer, your database will be wide open.
The correct way to do this is to put a web service between your Silverlight thing and the database and do thorough access checks in the service.
Probably the safest way to prevent any issue is to not allow remote access to your database from the public internet. This is usually handled by having a service run on a web server (the service could be a website) and then connecting to the database with the service. Basically, you should ensure that no connections can be made directly to the database server from a machine outside of your network.
You can make this safe by storing your DB login credentials in a config file and encrypting them. Then they could access the dll, but without valid credentials could not connect to the DB.
Here's an article that describes encrypting values in a web.config file.
Edit: Combine this with Chris's suggestion, and you have a good, secure solution.
Even if you made the methods private, they could use reflection or decompile the DLL to get your code and then access the database.
You could have a WCF service which does all DB interactions and the client connects through the service. This way a direct connection can't be made but methods could still be called if the end user can determine the location and authentication scheme, etc., of your WCF service.
You could just store and encrypt the connection info the config file.
Related
I want to create a game within the Unity game engine in C# with .NET where I can securely connect out to a private server, and read and write data from/to the server. I understand how to do this in a non-secure way, where I would setup a private SQL database with a webpage interface between the two.
My problem comes here, I know if I want the web interface to be public, I need credentials to connect to the server, such as an Auth key, or username and password. However, in order to use those, then the auth-key would need to ship with the game as a file, or would need to be written directly into the codebase. I know that users can decompile games, and access these files and get the credentials if I include them, which means that option is off the table as far as I am aware.
It is my understanding that even with this layer between the database and the client, someone could still find the url for the interface between them, and then send custom function calls to this url as I will be doing in the game program. Wouldn't this lead to the same conclusion as having the database be open?
If anyone has answers to this, or resources where I can learn about this process, please let me know! I have never done server-side programming before and have also never thought about security before in my life.
You're correct in that you should not embed authentication keys into your apps. Where you're falling down is in exposing your database to the world. Don't do this. Instead, hide it behind a web server that serves only json data files. This way you can take advantage of the web server's authentication and session protocols.
Since you're already working with C#, I would suggest looking into ASP.NET Core MVC and specifically about WebAPI. But I would probably recommend node.js for lightweight microservices.
I would like to add a password protected page to my WPF modernUI application and could use some help with it.
First of all I don't really have a clue how to handle this stuff correctly in my case.
My application is used on several machines. The protected page should be some kind of admin-page to edit a database that is used by the app.
My idea is, that there is only one Admin-account. But this account can be used from any machine. The admin should be able to change his password. So there must be some kind of encrypted password file on the server which can be accessed from any machine. I don't want to store the password within the application, as this would mean that the admin has to change his password on every machine.
So my question is: What is the best/safest solution for my idea? I'm just looking for hints as I don't have a clue what to search for.
The best Practise nowadays for distributed client applications who share a Database is indeed not to have direct access to the Database.
What you need is a WebService. A web service can be anything. It just has to be hosted somewhere. It can be an ASP.NET application, a WCF Service, or even something not .NET related like a PHP or Java application.
The communication between your application and your WebService depends on what you decide to use. Today a lot of people are using so called REST APIs which use either XML or JSON as data transfer format and use the HTTP protocol.
Its not hard to implement such an API since there are ton of Libs and Solutions out there.
You could use RestSharp for the communication at your client side. Which is straight forward and simple. You could also consume a WCF Service. Which is hosted in IIS somewhere.
However your Problem is nothing special and there are several solutions available. The decision is on your side since it depends on a lot of things such budget, available infrastructe etc.
Your question is quite broad but as far as WPF is concerned you could implement custom authentication and authorization in your application by creating classes that derive from the IIdentity and IPrincipal interfaces and overriding the application thread’s default identity. Please refer to the following blog post for more information an an example.
Custom authorization in WPF: https://blog.magnusmontin.net/2013/03/24/custom-authorization-in-wpf/
The actual credentials should be stored on some remote server that may be accessed through a web service, WCF service or some other kind of API. The details of how to actually get the credentails would be implemented in the AuthenticationService class in the sample code from the above link.
I have a silverlight application which accesses its data through RIA Services, from a WCF app in the server. The current structure looks like this:
DataWebServer - A Web application project, which holds the .aspx page that will call the Silverlight components, the .edmx model file and a MyService class, inheriting from LinqToEntitiesDomainService<FortWayneDB>.
Silverlight App - Contains .xaml e .cs files that will generate the .xap binary files, hosted by the WebServer. It access "DatawebServer" project through RIA Services.
It's all working fine, but now I need to create a new application, and since we will going to need it to run on platforms like tablets and smartphones, we decided to build it in HTML5, instead of Silverlight.
How can I make this new WebApp to access the data entities on "DataWebServer" project?
I think of 3 different solutions, but I'd prefer the third one, which exactly my question.
I could place the new WebApp in a folder in the same webprojeect "DataWebServer", but that wouldn't be very organized, I'd rather separate this app from the "DataWebServer".
The second alternative, which I will follow in case I can't succeed with the third, is to create WebMethods in "DataWebServer" to be accessed from my new WebApp.
the third, which I don't know how to do, is to make my new Web App to access the Entities through RIA Services, in the same way the Silverlight Client does. I've searched the Internet, but all articles I've found show how to access RIA Services from the same project. Does anyone know how I can do that?
The first method is the most sensible.
From your details, I assume the DataWebServer is "publicly" accessible; at least as much as your WebApp would be. There is little value in having WebApp data requests go to a different server, DataWebServer, as this introduces an unnecessary delay while one web server calls another. Instead of re-using the HTTP services from DataWebServer, add the WebApp functionality to the DataWebServer and re-use the LinqToEntities context.
If you desperately want the third option, you should consider creating your WebApp in a way that the JavaScript in the app calls the DataWebServer for data from the client's browser. Importantly, this approach avoids WebApp web server calling to DataWebServer for data.
So I'm working on a personal project to write an app that syncs with a free web service. They have a free api to let third parties connect and both retrieve information, as well as control the accounts themselves.
This is all fine and good but in order to do so, all apps need to be registered on their site for a developer key. This is a static key that allows my app to connect and perform actions.
But that is the rub; I would like to make this an open source app but that would reveal my developer key to anyone who downloads and looks at the code.
Is there a way to hide this key; to keep the source open but not make the key public?
One possible solution would be to write a web service / API of your own. In there you store your API key to the other third-party service. Then, in your open-source app you would make a call to YOUR service which in turn uses the stored (and never revealed) API key to communicate to the third-party.
This will keep your key private and as you are making external calls from your app anyway this should not matter. It also has the added advantage that you control whole ecosystem rather than people making direct call to the third-party.
The down-side? Well, it won't be fully open-source but it is probably as close as you will be able to get while keeping some of it private.
I have created a project which is basically described as a consumable service to create or edit users on a remote computer. The idea is to connect to a server and add a user. The structure of the project is as follows:
WCF Service: to expose functions to create/edit/select users
Utility assembly: Netapi32 COM functions wrapped in a utility class
Consumer: Usable assembly that wraps calls to the WCF service to use in site
The problem I am having, is that I can get a list of all the users on the computer running the WCF service, but i cannot create or edit them. it is only giving me readonly functionality.
Does anyone have any idea how I might be able to fix this or even trouble shoot it?
The account that actually runs the WCF Service may very well not have rights to create or edit users.
Make sure your service is running under an admin user that actually has the rights to create users. If you use the default user for IIS i bet it does not have that kind of access.