随着 web.config 的消失,在使用ASP.NET Core构建的Web应用程序的配置中,存储敏感信息(密码,令牌)的首选方法是什么? ?
有没有一种方法可以自动获取 appsetttings.json 中的加密配置节?
解决方案用户机密看起来是存储密码(通常至少在开发期间开发中)存储应用程序机密的好方法。 / p>
检查此文章或此。您还可以检查此其他问题。
这只是在开发过程中隐藏您的秘密,并避免将其透露到源代码树中的一种方法;
如果您想将加密的appsettings.json引入生产环境,则可以使用秘密管理器工具对存储的秘密进行加密,因此不应将其视为受信任的存储。对此没有限制。您可以构建自定义配置提供程序。 检查此。
例如:
公共类CustomConfigProvider:ConfigurationProvider,IConfigurationSource { public CustomConfigProvider() {} 公共重写void Load() {数据= UnencryptMyConfiguration(); } private IDictionary< string,string> UnencryptMyConfiguration() { //做任何您需要在这里做的事,例如加载文件并通过密钥解密密钥//类似: var configValues = new Dictionary<字符串,字符串> { { key1, unencryptedValue1}, { key2, unencryptedValue2} }; 返回configValues; } private IDictionary< string,string> CreateAndSaveDefaultValues(IDictionary< string,string> defaultDictionary) { var configValues = new Dictionary< string,string> { { key1, encryptedValue1}, { key2, encryptedValue2} }; 返回configValues; } public IConfigurationProvider Build(IConfigurationBuilder builder) { return new CustomConfigProvider(); } }为扩展方法定义一个静态类:
公共静态类CustomConfigProviderExtensions { public static IConfigurationBuilder AddEncryptedProvider(此IConfigurationBuilder构建器) { return builder.Add(new CustomConfigProvider()); } }然后您可以激活它:
//设置配置源。 var builder = new ConfigurationBuilder() .AddJsonFile( appsettings.json) .AddEncryptedProvider() .AddJsonFile($ appsettings。{env.EnvironmentName} .json ,可选:true);
With web.config going away, what is the preferred way to store sensitive info (passwords, tokens) in the configurations of a web app built using ASP.NET Core?
Is there a way to automatically get encrypted configuration sections in appsetttings.json?
解决方案User secrets looks like a good solution for storing passwords, and, generally, application secrets, at least during development.
Check this article or this. You can also check this other SO question.
This is just a way to "hide" you secrets during development process and to avoid disclosing them into the source tree; the Secret Manager tool does not encrypt the stored secrets and should not be treated as a trusted store.
If you want to bring an encrypted appsettings.json to production, there is no limit about that. You can build your custom configuration provider. Check this.
For example:
public class CustomConfigProvider : ConfigurationProvider, IConfigurationSource { public CustomConfigProvider() { } public override void Load() { Data = UnencryptMyConfiguration(); } private IDictionary<string, string> UnencryptMyConfiguration() { // do whatever you need to do here, for example load the file and unencrypt key by key //Like: var configValues = new Dictionary<string, string> { {"key1", "unencryptedValue1"}, {"key2", "unencryptedValue2"} }; return configValues; } private IDictionary<string, string> CreateAndSaveDefaultValues(IDictionary<string, string> defaultDictionary) { var configValues = new Dictionary<string, string> { {"key1", "encryptedValue1"}, {"key2", "encryptedValue2"} }; return configValues; } public IConfigurationProvider Build(IConfigurationBuilder builder) { return new CustomConfigProvider(); } }Define a static class for your extension method:
public static class CustomConfigProviderExtensions { public static IConfigurationBuilder AddEncryptedProvider(this IConfigurationBuilder builder) { return builder.Add(new CustomConfigProvider()); } }And then you can activate it:
// Set up configuration sources. var builder = new ConfigurationBuilder() .AddJsonFile("appsettings.json") .AddEncryptedProvider() .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true);
更多推荐
ASP.NET Core中的加密配置
发布评论