Secure programming with the Oracle Database adapter
How Do I Protect Credentials When I Use the Add Adapter Service Reference Visual Studio Plug-in?
When you use the Add Adapter Service Reference Plug-in to create a WCF client, you must supply a user name and password for the Oracle database. You should only do this from the Security tab on the Configure Adapter dialog box. By entering the Oracle credentials from the Security tab instead of directly into the Configure a URI field, you ensure the following:
The credentials will not be displayed in the Uri field of the Add Adapter Service Reference Plug-in dialog box where anyone with access to your computer screen can read them.
The credentials will not appear in the configuration file that the Add Adapter Service Reference Plug-in generates.
For more information about how to generate a WCF client by using the Add Adapter Service Reference Plug-in, including how to enter a user name and password for the Oracle database, see Get metadata for Oracle Database operations in Visual Studio.
What Are Best Practices for Setting Credentials in Code?
WCF provides the ClientCredentials class to help you configure the credentials that a client communication object, such as a ChannelFactory, uses to authenticate itself with a service. By using the ClientCredentials class, you ensure that WCF takes whatever authentication mechanisms are specified in that object’s channel stack and applies them to the exchange between your client and the service.
Because the Oracle Database adapter is hosted in-process with its consuming application, it is not imperative to use the ClientCredentials class to set credentials on the client communication objects that the consuming application uses. It is, however, considered good practice to do so.
To encourage the use of the ClientCredentials class, the Oracle Database adapter provides the AcceptCredentialsInUri binding property. This property specifies whether the adapter will accept the user name and password for the Oracle database in the connection URI. AcceptCredentialsInUri defaults to false, which means that the adapter will throw an exception if the connection URI contains credentials. You can set AcceptCredentialsInUri to true to supply credentials in the connection URI.
The following example shows how to use the Credentials property to set credentials for the Oracle database on a ChannelFactory.
// Create binding and endpoint
OracleDBBinding binding = new OracleDBBinding();
EndpointAddress endpointAddress = new EndpointAddress("oracleDB://Adapter");
// Create the channel factory
ChannelFactory<IRequestChannel> factory = new ChannelFactory<IRequestChannel>(binding, endpointAddress);
// Set user name and password
factory.Credentials.UserName.UserName = "SCOTT";
factory.Credentials.UserName.Password = "TIGER";
// Open the channel factory
factory.Open();
The following example shows how to use the ClientCredentials class to set credentials for the Oracle database on a WCF client.
// Initialize a new client for the SQLEXECUTE operation from configuration
SQLEXECUTEClient sqlExecuteClient = new SQLEXECUTEClient("OracleDBBinding_SQLEXECUTE");
// Set user name and password
sqlExecuteClient.ClientCredentials.UserName.UserName = "SCOTT";
sqlExecuteClient.ClientCredentials.UserName.Password = "TIGER";
// Open the client
sqlExecuteClient.Open();
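The two snippets above hard-code the sample account for brevity. The following added example (not part of the original documentation or the adapter's own code) combines the practices in this section: it keeps AcceptCredentialsInUri at false, rejects a connection URI that carries credentials, and sets the user name and password through the Credentials property. The helper name, the environment variable names, and the assumption that embedded credentials appear in the URI's user-info part are illustrative.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using Microsoft.Adapters.OracleDB;

static class OracleFactoryBuilder
{
    // Hypothetical helper: builds a factory whose URI carries no credentials.
    public static ChannelFactory<IRequestChannel> Create(string connectionUri)
    {
        Uri uri = new Uri(connectionUri);
        // Refuse URIs with an embedded user name or password before they can
        // reach logs or configuration files. The message deliberately omits the URI.
        if (!string.IsNullOrEmpty(uri.UserInfo))
            throw new ArgumentException("Connection URI must not contain credentials.");

        // Assumed variable names; substitute the secret store used in your environment.
        string user = Environment.GetEnvironmentVariable("ORACLE_ADAPTER_USER");
        string password = Environment.GetEnvironmentVariable("ORACLE_ADAPTER_PASSWORD");
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
            throw new InvalidOperationException("Oracle credentials are not configured.");

        OracleDBBinding binding = new OracleDBBinding();
        // false is the default; setting it explicitly makes any later change
        // to this property stand out in code review.
        binding.AcceptCredentialsInUri = false;

        ChannelFactory<IRequestChannel> factory =
            new ChannelFactory<IRequestChannel>(binding, new EndpointAddress(uri));
        // Credentials travel through ClientCredentials, never through the URI.
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        try
        {
            factory.Open();
            return factory;
        }
        catch
        {
            factory.Abort(); // release the faulted factory, then surface the error
            throw;
        }
    }
}
```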
How Can I Provide for More Secure Data Exchange Across Process Boundaries?
The Oracle Database adapter is hosted in-process with the application or service that consumes it. Because the adapter is hosted in-process with the consumer, there is no need to provide security on messages exchanged between the consumer and the Oracle Database adapter. However, if the consuming application or service sends messages that contain sensitive database information across a process boundary to another service or client, you should take measures to provide adequate protection for this data in your environment. Windows Communication Foundation (WCF) provides many options for helping to secure messages sent between clients and services. For more information about helping to secure messages sent between clients and services in WCF, see Securing Services and Clients. For more general information about security features that WCF provides, see Windows Communication Foundation Security.