I need to store authentication information and I rather not have the password in plain text:
<property name="user" value="theUser"/>
<property name="password" value="secret"/>
Has anyone figured out a way to encrypt property values in Nant?
I've looked in Nant and Nantcontrib docs but no mention of encryption. I am considering going the route of creating my own Nant Task.
Any suggestions?
Related
I've developed a asp.net web api2 service to use in phonegap mobile application.
Asp.net web api2 service is running fine
I've tested it from any site like localhost/abc or www.abc.com by ajax call. The response is ok
But phonegap have no response.
I've used
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
</customHeaders>
in my service.
I've used
<access origin=".*" />
in phonegap.
But no result.
Please help me in resolving this.
#Debashis,
in all likelyhood you have NOT implemented the CSP (Content Security Policy). This policy needs to implmented at the webpage level. See below.
Quick to many common white-list problems
The alternative is this quick fix – but know that this fix removes all needs for white-list. This creates a security issue which you may not want to by pass.
QUICK FIX Add this to your config.xml
<preference name="phonegap-version" value="3.7.0" />
The long answer is as such:
From Top Mistakes by Developers new to Cordova/Phonegap you have hit:
#6 Not setting the "phonegap version" for your compiler
#7 Not setting "version" for you plugins
#10 Not adding the new "white-list" and "white-list plugin" parameters in config.xml.
For #6 & #7
With the CLI version, if you do not assign a version for your platform OR in ''Phonegap Build'' if you do not set the phonegap-version in config.xml, YOU WILL GET THE LATEST VERSION. If you are lucky, your program just works as expected. If you are not lucky, you'll get a set of cascading errors.
Luckily for all of us, Holly Schinsky has written a nice blog post to explain it all:
Cordova/PhoneGap Version Confusion
http://devgirl.org/2014/11/07/cordovaphonegap-version-confusion/
For #10
This relatively * NEW * requirement means – to access ANY website or resources on the web, you MUST use the whitelist and the whitelist plugin. This requirement goes into affect, if you are using cordova-android#4.0.0 or better; including cli-5.1.1 and cli-5.2.0. If however, your version is before 4.0.0, let's say 3.5.0 or 3.7.0, then you will not have to add the white-list requirement.
To be clear, the "whitelist" has been around for a bit, but the plugin and requirement is very new. As you would expect, when the "whitelist" was added, the defacto open-access feature was deprecated. Or said another way, the defacto open-access feature was planned and scheduled to be eliminated. This change marks a step in removal of the open-access feature.
In addition, the Content Security Policy (CSP) has caught numerous developers - because it was soooo poorly publicized. Depending on your use and the version of Phonegap you are using, the CSP needs to go in every single HTML page you used, just like you have to wait for 'deviceready'. However, there are cases where it is not needed at all. The documentation is confusing for some, please read it carefully. The documentation is buried in the bottom of many of the latest documentation pages.
Related Links
Phonegap Build Forum: Notes for upgrading to cli-5.1.1 on PGB and now required Whitelist
Cordova Whitelist Guide
Phonegap Whitelist Guide
Phonegap Build Whitelist Guide
I am hoping to use Spring flash messages. One way to enable it is to use <mv:annotation-driven/> in spring-servlet.xml. However, it causes problems to other parts of the application, and I found the explanation here
How to register handler interceptors with spring mvc 3.0?
I have interceptors defined in spring-servlet.xml
<bean id="handlerMapping"
class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping">
<property name="interceptors">
<list>
interceptors
</list>
</property>
</bean>
I tried the use of <mv:annotation-driven/> plus moving interceptors under <mvc:interceptors>, but it caused other problems.
So IF I want to use the flash messages tool, can I make it work without having
<mv:annotation-driven/> or using <mvc:interceptors> in spring-servlet.xml?
Regards and thanks.
I was just looking at this myself and found this post that may be useful to you.
Using the Flash scope ( and RedirectAttributes ) without <mvc:annotation-driven /> in Spring MVC 3.1
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 9 years ago.
I have to store uploaded file version and previous file name and version permanently, moreover, I need to update and retrieve that information, but I'm not using any databases for this application. Is it possible to keep data in Web.Config file and able to update?
Don't keep it in Web.Config. Updating web.config would cause application pool to recycle, instead store it in some XML file if you want to. Not really sure why you want to avoid database for this purpose but you can even store it in a file based database like SQLite
You can keep the data in the web.config if you want to, but i wouldn't really recommend it.
But If its a small app and don't really care about user's session state / application pool, then i don't see why not.
<configuration>
<appSettings>
<add key="Version" value="2.0.0.0" />
</appSettings>
</configuration>
Then you can retrieve the data as follow
ConfigurationManager.AppSettings["Version"]
However you can create your own xml file then retrieve it in your code as follow
xml
<ApplicationConfig>
<Version>2.0.0.0</Version>
</ApplicationConfig>
Then in your code
if (File.Exists(configFile))
{
var xml = XDocument.Load(configFile);
if (xml.Root != null)
{
var version = xml.Root.Elements("ApplicationConfig").Elements("Version").Value
}
}
Storing the data in file is one way to go. There are just a few things to be aware of:
Use App_Data subfolder but also make sure that your application pool identity has write permissions there.
Use a thread-safe approach for writing and reading that file (such as a global lock).
Alternatively you could write the value in the registry under HKEY_CURRENT_USER. This approach would not require setting permissions on the file system which sometime is not possible.
Just in case the information you store is unique to the user you might want to use ASP.NET Profile. Since you don't want to use database you can use a custom provider that stores the data in XML files.
I was looking for proper way how to recieve active/logged in user. I use Spring Security 3.1 with the same version of Spring MVC.
The whole idea is based on this topic which was more commented in the article :
#ActiveUser annotation from the article
I completely follow the instructions but I still get this kind of error :
No default constructor found; nested exception is java.lang.NoSuchMethodException: org.springframework.security.core.userdetails.User.<init>()]
In my applicationContext.xml I have those three annotations which were not directly proposed by the author of
<context:annotation-config />
<context:component-scan base-package="my.package.*" />
<mvc:annotation-driven />
What could cause this kind of problem?
After hours of searching on internet I found out how should I solve the problem. As it might be useful for others I offer solution.
This kind of problem has in Spring 3.1(which I use) different solution than in Spring 3.0(for which the mentioned tutorial was ment). Great article about the problem was presented here : enter link description here
I have a website about to go live. I'm wondering what I should be doing about the connectionstring in the web.config. Do I obfuscate it and it so how?
Thanks!
The standard method is to encrypt it. http://ondotnet.com/pub/a/dotnet/2005/02/15/encryptingconnstring.html
However, another good option is to store it in the registry and set the permissions so that only the asp.net runtime can access it.
See this article: http://msdn.microsoft.com/en-us/library/ff649224.aspx and this KB: http://support.microsoft.com/kb/821616
Although I do have to say that using the registry does tend to complicate deployment and using text/staging servers a bit. We did it... ONCE and then went back to encrypting.
You can encrypt the <connectionStrings> section in your web.config - see How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
Here is an example for the same;
http://whatilearnttuday.blogspot.in/2012/02/use-of-configurationproviders-to.html
Since you didn't provide any information about this in your question I will assume you have credentials in your connection string.
From a security perspective you should try to avoid this, use Windows Authentication if possible. Obviously this requires that you have access to an Active Directory environment and all the servers are deployed in it.
If not, it's always better to lock down the web-server instead of trying to make sure that files on disk are secure from tampering by different users.
If even this is not possible then I would follow the approach given by the other replies, encrypting the sensitive content with DPAPI.
You could simply encrypt your entire web.config file:
See the steps here:
http://www.proworks.com/blog/archive/encrypting-your-webconfig/