Thread: Encrypting web.config sections

  1. #1
    Join Date
    Oct 2007
    Location
    Madrid, Spain
    Posts
    15

    Encrypting web.config sections

    Greetings,

    There's a nice feature of ASP.NET which allows one to encrypt sensitive sections of web.config files (see here). However, when I try to use this to encrypt the spring/objects section within a web.config, I get the following error:

    Code:
    > aspnet_regiis -pe "spring/objects" -app "/xx" -prov "DataProtectionConfigurationProvider"
    Encrypting configuration section...
    An error occurred creating the configuration section handler for spring/objects: Could not load file or assembly 'Spring
    .Core' or one of its dependencies. The system cannot find the file specified. (C:\xx\web.config line 10)
    
    Could not load file or assembly 'Spring.Core' or one of its dependencies. The system cannot find the file specified.
    Failed!

    I suspect that this is due to the fact that the configuration section uses the DefaultSectionHandler in the Spring.Core assembly.

    Has anyone had any success on getting this to work?

    Many thanks,

    Tom

    P.S. I've seen there appears to be an open JIRA issue (SPRNET-519) related to this.

  2. #2
    Join Date
    Oct 2005
    Location
    Toulouse, France
    Posts
    1,409

    Hi,

    Have you tried to use the type of the spring/object section handler with the fully qualified assembly name?

    Example with 1.1 RC1:
    Code:
    <sectionGroup name="spring">
          <section name="objects" type="Spring.Context.Support.DefaultSectionHandler, Spring.Core, Version=1.1.0.2, Culture=neutral, PublicKeyToken=65e474d141e25e07"/>
    </sectionGroup>

    Another solution is to use one of the available configurers to move all sensitive information to a NameValueSectionHandler.
    See PropertyPlaceholderConfigurer, PropertyOverrideConfigurer or the new VariablePlaceholderConfigurer.


    - Bruno
    My english is as poor as my taylor is rich

  3. #3
    Join Date
    Oct 2007
    Location
    Madrid, Spain
    Posts
    15

    Thanks for your reply Bruno.

    It turns out the problem was that the aspnet_regiis.exe process didn't find Spring.Core.dll. I couldn't figure out what path it was using (not PATH or LIBPATH), but by copying Spring.Core.dll to %WinDir%\Microsoft.NET\Framework\v2.0.50727, it worked fine (a bit ugly, I know!).

    Code:
    C:\...\xx>copy bin\Spring.Core.dll %WinDir%\Microsoft.NET\Framework\v2.0.50727
            1 file(s) copied.
    
    C:\...\xx>aspnet_regiis -pe "spring/objects" -app "/xx" -prov "DataProtectionConfigurationProvider"
    Encrypting configuration section...
    Succeeded!
    
    C:\...\xx>del %WinDir%\Microsoft.NET\Framework\v2.0.50727\Spring.Core.dll

  4. #4
    Join Date
    Jan 2006
    Location
    Cambridge, UK
    Posts
    1,340

    Hi Tom,

    .NET does not use environment variables for resolving assemblies. The mechanism is entirely different from the command-line "path" or Java's "classpath" and is described on MSDN.

    You should not copy assemblies to %WinDir%\Microsoft.NET\Framework\v2.0.50727

    hope this helps,
    Erich

  5. #5
    Join Date
    Oct 2007
    Location
    Madrid, Spain
    Posts
    15

    Thanks Erich... I learn something new about .NET every day. If I understand correctly then, the full solution should be as follows:

    1. Install Spring.Core assembly in Global Assembly Cache (gacutil /i Spring.Core.dll)
    2. Modify my web.config to use fully qualified assembly name
    3. Encrypt using aspnet_regiis -pe "spring/objects" -app "/xx" -prov "DataProtectionConfigurationProvider"


    Many thanks both.

  6. #6
    Join Date
    Jan 2006
    Location
    Cambridge, UK
    Posts
    1,340

    Hi Tom,

    that's the way it is intended yes...

    But if you want to work with unsigned Spring assemblies, I guess your original approach is the most pragmatic way to achieve this.

    Btw: did you try the -pef option to specify the physical path to your webroot?

    -Erich

  7. #7
    Join Date
    Oct 2007
    Location
    Madrid, Spain
    Posts
    15

    Hi again,

    Yes, I originally tried the "-pef" option with the same results.

    In any case, I agree that the GAC solution is more elegant, the only drawback being the onus of specifying the fully qualified assembly name.

    Best regards,

    Tom.

  8. #8
    Join Date
    Jan 2006
    Location
    Cambridge, UK
    Posts
    1,340

    Hi all,

    I just updated the jira issue with the possible solutions:
    to encrypt a configuration section, aspnet_regiis needs to load/instantiate the section handler. For <spring/objects> this means the assembly Spring.Core must be accessible - either by copying it into the folder containing aspnet_regiis.exe (which works for both signed and unsigned assemblies) or by installing it into the GAC.

    1st solution:
    install signed Spring.Core.dll into GAC and use signed Spring assemblies in your app

    2nd solution:
    copy Spring.Core.dll into your Framework directory (C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727)

    3rd solution:
    copy
    aspnet_regiis.exe
    System.Web.dll
    Spring.Core.dll

    into a folder of your choice (e.g. C:\myfolder) and execute

    C:\myfolder\aspnet_regiis.exe -pef "spring/objects" C:\myphysicalwebroot

    cheers,
    Erich
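
The third solution from post #8, written as a PowerShell script that also checks the section really ended up encrypted. This is an added example, not code posted in the thread; the default paths are placeholders, and the check assumes the shape aspnet_regiis writes for a protected section (a configProtectionProvider attribute with an EncryptedData child element).

```powershell
# Added example: run aspnet_regiis from a scratch folder next to Spring.Core.dll,
# so nothing is left behind in the Framework directory, then verify the result.
param(
    [string]$WebRoot    = 'C:\myphysicalwebroot',                      # placeholder
    [string]$SpringCore = 'C:\myphysicalwebroot\bin\Spring.Core.dll',  # placeholder
    [string]$Section    = 'spring/objects',
    [string]$Provider   = 'DataProtectionConfigurationProvider'
)
$ErrorActionPreference = 'Stop'

$framework = Join-Path $env:WinDir 'Microsoft.NET\Framework\v2.0.50727'
$scratch   = Join-Path $env:TEMP ('regiis-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $scratch | Out-Null

try {
    # The three files listed in the third solution.
    Copy-Item (Join-Path $framework 'aspnet_regiis.exe') $scratch
    Copy-Item (Join-Path $framework 'System.Web.dll')    $scratch
    Copy-Item $SpringCore $scratch

    & (Join-Path $scratch 'aspnet_regiis.exe') -pef $Section $WebRoot -prov $Provider
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis exited with code $LASTEXITCODE" }
}
finally {
    # Always remove the copied binaries, even when encryption failed.
    Remove-Item -Recurse -Force $scratch
}

# Verify: locate the section by local name (works with or without a default
# xmlns on <configuration>) and confirm it now holds ciphertext.
[xml]$config = Get-Content (Join-Path $WebRoot 'web.config')
$steps = @('configuration') + $Section.Split('/')
$xpath = '/' + (($steps | ForEach-Object { "*[local-name()='$_']" }) -join '/')
$node  = $config.SelectSingleNode($xpath)
if ($null -eq $node) { throw "Section '$Section' not found in web.config" }

$declared = $node.GetAttribute('configProtectionProvider')
$cipher   = $node.SelectSingleNode("*[local-name()='EncryptedData']")
if ($declared -ne $Provider -or $null -eq $cipher) {
    throw "Section '$Section' is still in plaintext"
}
"Section '$Section' is protected by $declared"
```

DataProtectionConfigurationProvider relies on Windows DPAPI, so with its default settings the section can only be decrypted on the machine where it was encrypted; run the script on each server rather than copying an encrypted web.config between them.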
