Encrypt or decrypt sensitive data in Web.config

It is a very common practice to encrypt sensitive data in configuration files: database connection strings, public or private keys, or credentials that must be kept secure. Because such data should not be hard-coded into the application, it is stored in configuration files so that it can be modified at frequent intervals.

Configuration files used by ASP.NET applications are named Web.config, whereas Windows applications have an App.config file. Though there are many symmetric and asymmetric algorithms available, the .NET Framework provides an out-of-the-box feature to encrypt and decrypt a configuration file section.

Let's consider an appSettings section of App.config that needs to be encrypted:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <startup> 
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
  <appSettings>
    <add key="DbPassword" value="Test12345" />
  </appSettings>
</configuration>

The code snippet below encrypts the section to cipher text using DataProtectionConfigurationProvider:
// at the top of the code-behind file
using System.Configuration;
using System.Windows;

private void btnEncrypt_Click(object sender, RoutedEventArgs e)
{
  // Open the configuration of the running executable (App.config is copied as <exe>.config).
  Configuration config = ConfigurationManager.OpenExeConfiguration(
                System.Reflection.Assembly.GetExecutingAssembly().Location);
  ConfigurationSection section = config.GetSection("appSettings");
  if (!section.SectionInformation.IsProtected)
  {
    // Encrypt the section with DPAPI and write the file back to disk.
    section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
    config.Save();
  }
  // The runtime decrypts the section transparently, so the value still reads as plain text.
  MessageBox.Show(ConfigurationManager.AppSettings["DbPassword"]);
}

Once encrypted, the content of appSettings is no longer readable by anyone who opens the file. However, .NET code will still read it in its original form, because the runtime decrypts the section transparently. Note that DataProtectionConfigurationProvider uses Windows DPAPI with the machine key store by default, so a file encrypted on one machine cannot be decrypted on another. Below is an example of the encrypted appSettings section:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <startup> 
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
    </startup>
    <appSettings configProtectionProvider="DataProtectionConfigurationProvider">
        <EncryptedData>
            <CipherData>
                <CipherValue>AXAAANMCdndereAwedwDC/C1................................</CipherValue>
            </CipherData>
        </EncryptedData>
    </appSettings>
</configuration>

Whenever required, the encrypted section can be decrypted back into its original form. This is achieved by the piece of code below:
// at the top of the code-behind file
using System.Configuration;
using System.Windows;

private void btnDecrypt_Click(object sender, RoutedEventArgs e)
{
  Configuration config = ConfigurationManager.OpenExeConfiguration(
                System.Reflection.Assembly.GetExecutingAssembly().Location);
  ConfigurationSection section = config.GetSection("appSettings");
  if (section.SectionInformation.IsProtected)
  {
    // Restore the plain-text section and write the file back to disk.
    section.SectionInformation.UnprotectSection();
    config.Save();
  }
  MessageBox.Show(ConfigurationManager.AppSettings["DbPassword"]);
}
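The two button handlers above only work on the running executable's own config. As an added example (not code from the original article), the console utility below generalises them to any App.config or Web.config given by path, any named section, and either of the two built-in providers; it assumes a reference to System.Configuration.dll.

```csharp
// Added example (not the article's code); assumes a reference to System.Configuration.dll.
using System;
using System.Configuration;
using System.IO;

public static class ConfigProtector
{
    public const string DpapiProvider = "DataProtectionConfigurationProvider"; // DPAPI, machine-bound, no key management
    public const string RsaProvider = "RsaProtectedConfigurationProvider";     // RSA key container, can be exported to other hosts

    // Returns true if the file was changed, false if the section was already in the requested state.
    public static bool SetProtection(string configPath, string sectionName, bool protect, string providerName)
    {
        if (!File.Exists(configPath))
            throw new FileNotFoundException("Config file not found", configPath);
        // Open by path rather than by executable, so Web.config files can be handled too.
        var map = new ExeConfigurationFileMap { ExeConfigFilename = configPath };
        Configuration config = ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("Section '" + sectionName + "' not found in " + configPath);
        if (section.SectionInformation.IsProtected == protect)
            return false; // nothing to do; leave the file untouched
        if (protect)
            section.SectionInformation.ProtectSection(providerName);
        else
            section.SectionInformation.UnprotectSection(); // throws if this host/account cannot decrypt
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // usage: ConfigProtector protect|unprotect <config path> <section> [dpapi|rsa]
    public static int Main(string[] args)
    {
        if (args.Length < 3 || (args[0] != "protect" && args[0] != "unprotect"))
        {
            Console.Error.WriteLine("usage: ConfigProtector protect|unprotect <config path> <section> [dpapi|rsa]");
            return 2;
        }
        string provider = args.Length > 3 && args[3] == "rsa" ? RsaProvider : DpapiProvider;
        bool changed = SetProtection(args[1], args[2], args[0] == "protect", provider);
        Console.WriteLine(changed ? "Section updated." : "Nothing to do.");
        return 0;
    }
}
```

With the RSA provider, the account running the application must be granted access to the key container, otherwise the section cannot be read at runtime.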

Advanced interview questions on .Net

This article lists a set of interview questions along with a short explanation. These questions are applicable to senior developers as they are based on advanced .NET concepts.

Q) What is Dependency Injection?
When classA uses methods of classB, classA has a dependency on classB. To access the methods of classB, classA needs to create an object of classB. Transferring the task of creating that object to someone else, and using the dependency directly, is called dependency injection.
So it is dependency injection's responsibility to:
- Create the objects
- Know which class requires those objects
- Provide those classes with the objects

Three types of dependency injection are:
- constructor injection
- setter injection
- interface injection

Benefits of dependency injection are:
- Helps in unit testing
- Extending the application becomes easier
- Helps to enable loose coupling

Frameworks such as Unity and Castle Windsor facilitate implementing dependency injection in .NET applications.

Q) What is IoC?
Inversion of Control (IoC) states that a class should not hard-code its dependencies on another class; they should be configured by some other class from outside.

It is the fifth S.O.L.I.D. principle, according to which a class should concentrate on fulfilling its responsibilities and not on creating the objects it requires to fulfil them. Dependency injection comes into play here: it provides the class with the required objects.

Q) What is Message-driven architecture?
Message Driven Architecture (MDA) is composed of autonomous systems that communicate with each other via messages. It is very common in a distributed application where each component sits on a different server but they need to work together.

Consider three systems, Sales, Accounting and Inventory, which are decoupled and hosted on different servers but still need to communicate with each other. This can be achieved by a transporter called a ServiceBus, whose sole responsibility is to deliver messages to their destination. Hence the sender and receiver do not know about each other; they only know about the ServiceBus.

ServiceBus in an MDA architecture works like this:
- Source application sends a message to ServiceBus.
- ServiceBus delivers the message to the destination application.
- Destination application receives and handles the message.

Examples of ServiceBus are ESB, MuleSoft and Azure Service Bus. Messages handled by Azure Service Bus are stored in Azure Queue Storage and delivered asynchronously to the target system.

Q) What is CORS and its use?
Cross-Origin Resource Sharing (CORS) is a mechanism that enables a web page to access resources located outside of its own domain. An example of a cross-origin request: JavaScript in a webpage located on http://siteA.com uses XMLHttpRequest to request the JSON resource http://siteB.com/sample.json

By default, browsers restrict cross-origin requests initiated from front-end scripts. For example, XMLHttpRequest follows the same-origin policy by default. Hence a webpage from one origin can only load resources from the same origin, unless the resources from the other origin include the right CORS headers. This means the following additional HTTP headers must be added to the response from siteB:

<customHeaders>
  <add name="Access-Control-Allow-Origin" value="http://siteA.com" />
  <add name="Access-Control-Allow-Headers" value="Content-Type" />
  <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
</customHeaders>
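The static customHeaders above send the same Access-Control-Allow-Origin to every caller, which works for a single allowed origin but cannot serve several. As an added example (not from the original article), the ASP.NET Web API 2 message handler below applies the same three headers only when the request's Origin is on an explicit allow-list and answers preflight requests itself; the class name and the registration line are assumptions.

```csharp
// Added example (not the article's code): origin allow-list CORS handler for ASP.NET Web API 2.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

public class AllowListCorsHandler : DelegatingHandler
{
    private readonly HashSet<string> _allowedOrigins;

    public AllowListCorsHandler(IEnumerable<string> allowedOrigins)
    {
        // Whole-value comparison (scheme + host + port); no substring or regex matching.
        _allowedOrigins = new HashSet<string>(allowedOrigins, StringComparer.OrdinalIgnoreCase);
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        IEnumerable<string> values;
        string origin = request.Headers.TryGetValues("Origin", out values) ? values.FirstOrDefault() : null;
        bool allowed = origin != null && _allowedOrigins.Contains(origin);

        HttpResponseMessage response;
        bool preflight = request.Method == HttpMethod.Options
                         && request.Headers.Contains("Access-Control-Request-Method");
        if (preflight)
            // Answer preflight here; a disallowed origin gets no CORS headers, so the browser blocks the call.
            response = new HttpResponseMessage(allowed ? HttpStatusCode.OK : HttpStatusCode.Forbidden);
        else
            response = await base.SendAsync(request, cancellationToken);

        if (allowed)
        {
            // Echo the matched origin rather than "*": "*" cannot be combined with credentials and
            // would expose the response to every site. Vary tells caches the answer depends on Origin.
            response.Headers.Add("Access-Control-Allow-Origin", origin);
            response.Headers.Add("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
            response.Headers.Add("Access-Control-Allow-Headers", "Content-Type");
            response.Headers.Vary.Add("Origin");
        }
        return response;
    }
}
// In WebApiConfig.Register: config.MessageHandlers.Add(new AllowListCorsHandler(new[] { "http://siteA.com" }));
```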


Q) What is the use of Entity Framework?
It is an Object Relational Mapping (ORM) framework that enables developers to work with a database using .NET objects. It spares developers from writing most data-access code. It can be used with either the Code-First or the Database-First approach, each of which creates a DbContext class that establishes a connection to the database, queries it and closes the connection.

Q) Which testing framework is better to use for .Net applications?
Microsoft provides the MSTest framework for unit testing, which now ships with Visual Studio out-of-the-box. The [TestClass] and [TestMethod] attributes placed on a class or method definition mark them as test objects. The dedicated UI panel for viewing tests is reached from Test --> Windows --> Test Explorer.

Running the tests from Visual Studio is also straightforward: just right-click on any [TestMethod] and select Run Tests.

Other useful attributes are [TestInitialize] and [TestCleanup], which allow us to specify code that runs before (initialize) and after (cleanup) each individual test.

NUnit is also a widely used testing framework. It uses a style very similar to Visual Studio's testing framework, but it refers to [TestClass] as [TestFixture] and [TestMethod] as [Test].

Various Assert statements are used to compare the expected outcome with the actual outcome:
- Assert.IsTrue(x)
- Assert.IsFalse(x)
- Assert.AreEqual(x, y)
- Assert.IsNull(x)
- Assert.IsNotNull(x)

A mocking framework like NSubstitute is also very useful when writing unit tests. It mocks any object via its interface and returns a mocked object carrying the specified test data. The code snippet below mocks the dependency used by the controller under test:

using System.Diagnostics.CodeAnalysis;
using System.Web.Mvc;
using Microsoft.VisualStudio.TestTools.UnitTesting;
using NSubstitute;

[TestClass]
[ExcludeFromCodeCoverage]
public class EmployeeControllerTest
{
    private EmployeeController _controller;
    private EmployeeTestData _testData;
    private IEmployeeLogic _searchEmployeeLogic;

    [TestInitialize]
    public void Setup()
    {
        // Runs before every test: fresh test data (parameterless constructor assumed), fresh mock, fresh controller.
        _testData = new EmployeeTestData();
        _searchEmployeeLogic = Substitute.For<IEmployeeLogic>();
        _controller = new EmployeeController(_searchEmployeeLogic);
    }

    [TestMethod]
    public void Should_Redirect_To_Details_View()
    {
        // Arrange: any request object makes the mock return the canned response from the test data.
        _searchEmployeeLogic.GetSearchEmployeeDetails(Arg.Any<GetSearchEmployeesRequest>())
                .Returns(callInfo => _testData.GetSearchEmployeesResponse());
        // Act
        var actionResult = _controller.GroupSearch(_testData.GroupSearchEmployee) as RedirectToRouteResult;
        // Assert: the action redirected rather than returning a view
        Assert.IsNotNull(actionResult);
    }
}

Q) What is serialization?
Serialization is the process of converting an object into an array of bytes.
It is used to transmit the object to a remote application, through a firewall, as a JSON or XML string. The serialized object can also be stored in a database, in memory or in a file.

Q) What types of HTTP methods are available for Web API?
Web API supports four types of HTTP methods. They are assigned to web methods in the form of [HttpGet], [HttpPost], [HttpPut] or [HttpDelete] attributes.

Q) How can you implement Windows authentication to AngularJS or ReactJS app using Web API?
Windows authentication allows the user to bypass the authentication popup by using credentials stored in the Integrated Windows Authentication cookie. This can be implemented by following the steps below:

  1. Create a new IIS Website
  2. Create IIS Application under this website
  3. Set the path of AngularJS or ReactJS app in the virtual directory folder
  4. Set authentication mode as Windows in both IIS Website and IIS Application
  5. Add an attribute [Authorize] on the Web API class


Q) How can you write an asynchronous program?


Q) How can you configure the response for env.IsDevelopment() method?
The value of env.IsDevelopment() is determined from the ASPNET_ENV environment variable. If its value is set to "Development" then env.IsDevelopment() returns True, otherwise False.
.NET Core fetches this value out-of-the-box from the environment variable in the Microsoft.AspNet.Hosting.HostingEnvironmentExtensions.cs file. This environment variable can also be modified from the Debug tab of the project properties:

The ASPNETCORE_ENVIRONMENT value overrides DOTNET_ENVIRONMENT value. IHostEnvironment.EnvironmentName can be set to any value, but the following values are provided by the framework: 
  • Development : The launchSettings.json file sets ASPNETCORE_ENVIRONMENT to Development on the local machine. 
  • Staging 
  • Production : The default if DOTNET_ENVIRONMENT and ASPNETCORE_ENVIRONMENT have not been set.

Q) Difference between #if DEBUG and if(env.IsDevelopment())
Q) How can you call a base class constructor from a derived class in C#?
This can be achieved by adding ": base(<parameter>)" to the constructor of the derived class. This forces the parameterized base class constructor to be called first.

Q) How can you prevent a base constructor from being called by a derived class in C#?
If you do not explicitly call any constructor of the base class, its parameterless constructor is called implicitly. There is no way around it: you cannot instantiate a class without a constructor being called.
Constructors are public by nature. Instead of relying on the constructor, make it private and use another function for construction, so that you can create an instance with no parameters and call that function to construct your object instance.

Q) How can you use one Windows Service to trigger different tasks on different schedules?
A Windows Service runs in the background as a listener on a specified port/path and is triggered when a request arrives. We can use a REST API to trigger the Windows Service. Hence different REST APIs within the same Windows Service can run different tasks on different threads using the System.Threading.Tasks library. However, to trigger different tasks on different schedules, it is better to create a Console app with the features below:
  • Create a Console app that accepts command-line parameters
  • Run a specific task based on the command-line parameter
  • Create multiple Windows Task Scheduler tasks that run the same Console app with different sets of input parameters. Quartz can also be used as a scheduling tool in C#.

Q) Can we use the "this" keyword in a static method?
In a static method, we can access only static properties and static methods. So we cannot use the "this" keyword within a static method, because "this" refers to the current instance of the class. However, "this" can be used in a static class as the first-parameter modifier of an extension method.