Secure programming with the SQL adapter

How Do I Protect Credentials When I Use the Add Adapter Service Reference Visual Studio Plug-in?

When you use the Add Adapter Service Reference Plug-in to create a WCF client, you might have to supply a user name and password for the SQL Server database. You must enter credentials from the Security tab on the Configure Adapter dialog box. The SQL adapter does not provide an option to specify the user name and password as part of the connection URI. This ensures the following:

  • The credentials will not be displayed in the Configure a URI field of the Add Adapter Service Reference Plug-in dialog box where anyone with access to your computer screen can read them.

  • The credentials will not appear in the configuration file that the Add Adapter Service Reference Plug-in generates.

For more information about how to generate a WCF client by using the Add Adapter Service Reference Plug-in, including how to enter a user name and password for the SQL Server database, see Get metadata for SQL Server operations in Visual Studio using the SQL adapter.

What Are Best Practices for Setting Credentials in Code?

WCF provides the ClientCredentials class to help you configure the credentials that a client communication object, such as a ChannelFactory, uses to authenticate itself with a service. By using the ClientCredentials class, you ensure that WCF takes whatever authentication mechanisms are specified in that object’s channel stack and applies them to the exchange between your client and the service.

Because the SQL adapter is hosted in-process with its consuming application, it is not imperative to use the ClientCredentials class to set credentials on the client communication objects that the consuming application uses. It is, however, considered good practice to do so.

The SQL adapter requires the use of the ClientCredentials class for programmatically passing credentials. The AcceptCredentialsInUri binding property is ignored by the SQL adapter to prevent passing credentials in the URI.

The following example shows how to use the Credentials property to set credentials for the SQL Server database on a ChannelFactory.

// Create binding and endpoint  
SqlAdapterBinding binding = new SqlAdapterBinding();  
EndpointAddress address = new EndpointAddress("mssql://mysqlserver//mydatabase?");  
  
// Create the channel factory   
ChannelFactory<IRequestChannel> factory = new ChannelFactory<IRequestChannel>(binding, address);
  
// Set user name and password (placeholder values; load real ones from a protected store)
factory.Credentials.UserName.UserName = "myuser";  
factory.Credentials.UserName.Password = "mypassword";  
  
// Open the channel factory  
factory.Open();  

The following example shows how to use the ClientCredentials class to set credentials for the SQL Server database on a WCF client.

// Initialize a new client for the SELECT operation on the Employee table   
SqlAdapterBinding binding = new SqlAdapterBinding();  
EndpointAddress address = new EndpointAddress("mssql://mysqlserver//mydatabase?");  
TableOp_dbo_EmployeeClient client = new TableOp_dbo_EmployeeClient(binding,address);  
  
// Set user name and password (placeholder values; load real ones from a protected store)
client.ClientCredentials.UserName.UserName = "myuser";  
client.ClientCredentials.UserName.Password = "mypassword";  
  
// Open the client  
client.Open();  
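
The following added example, which is not part of the original page or the adapter's own code, shows one way to keep credentials out of both the connection URI and the source file: it rejects a URI that carries user info or credential-like query keys, then copies credentials from the process environment onto a WCF ClientCredentials object. The class name SqlAdapterCredentialHelper, the environment variable names SQLADAPTER_USER and SQLADAPTER_PASSWORD, and the list of suspicious query keys are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.ServiceModel.Description;

// Added example. The class name, environment variable names and the list of
// suspicious query keys are assumptions, not part of the SQL adapter API.
public static class SqlAdapterCredentialHelper
{
    // Constructed list of query keys that commonly carry credentials.
    private static readonly string[] SuspiciousKeys =
        { "user", "username", "uid", "password", "pwd" };

    // Returns the parsed URI, or throws if it carries user info
    // (mssql://user:pass@server/...) or a credential-like query key.
    // The URI itself is never echoed in the exception message.
    public static Uri RequireCredentialFreeUri(string connectionUri)
    {
        var uri = new Uri(connectionUri, UriKind.Absolute);
        if (!string.IsNullOrEmpty(uri.UserInfo))
            throw new ArgumentException("Connection URI must not contain user info.");

        var keys = uri.Query.TrimStart('?')
            .Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(p => Uri.UnescapeDataString(p.Split('=')[0]));
        if (keys.Any(k => SuspiciousKeys.Contains(k, StringComparer.OrdinalIgnoreCase)))
            throw new ArgumentException("Connection URI must not contain credential parameters.");

        return uri;
    }

    // Copies credentials from the environment onto a ClientCredentials object,
    // such as factory.Credentials or client.ClientCredentials.
    public static void ApplyFromEnvironment(ClientCredentials target)
    {
        if (target == null) throw new ArgumentNullException(nameof(target));

        string user = Environment.GetEnvironmentVariable("SQLADAPTER_USER");
        string password = Environment.GetEnvironmentVariable("SQLADAPTER_PASSWORD");
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
            throw new InvalidOperationException("SQL adapter credentials are not configured.");

        target.UserName.UserName = user;
        target.UserName.Password = password;
    }
}
```

Call RequireCredentialFreeUri before constructing the EndpointAddress, then pass factory.Credentials or client.ClientCredentials to ApplyFromEnvironment before calling Open().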

How Can I Provide for More Secure Data Exchange Across Process Boundaries?

The SQL adapter is hosted in-process with the application or service that consumes it. Because the adapter is hosted in-process with the consumer, there is no need to provide security on messages exchanged between the consumer and the SQL adapter. However, if the consuming application or service sends messages that contain sensitive database information across a process boundary to another service or client, you should take measures to provide adequate protection for this data in your environment. Windows Communication Foundation (WCF) provides many options for helping to secure messages sent between clients and services. For more information about helping to secure messages sent between clients and services in WCF, see Securing Services and Clients. For more general information about security features that WCF provides, see Windows Communication Foundation Security.

See Also

Secure your SQL applications
Best practices to secure the SQL adapter