This is a migrated thread and some comments may be shown as answers.

security defect!!!

5 Answers 43 Views
CloudUpload
Ray asked on 24 Nov 2013, 10:43 PM

While I don't believe that Telerik should dictate how I use a control, if you are going to use security as an excuse please do it right..

The use of static secret keys in files or elsewhere is very poor practice and is NOT consistent with AWS security services..

YOU NEED TO SUPPORT ALL THREE AWS WAYS TO PASS AWS CREDENTIALS..

PLEASE DO NOT CHANGE THE AWS SECURITY POLICY!!!

The preferred way, which you have not implemented, is dynamic keys, in your code below..

Add support for AWS dynamic keys, see ****



public override void Initialize(string name, NameValueCollection config)
{
    if (config == null)
    {
        throw new ArgumentNullException("No valid configuration is provided.");
    }

    base.Initialize(name, config);

    // *** add check for dynamic keys here ****

    AccessKey = config[CloudUploadConstants.AccessKey];
    if (string.IsNullOrEmpty(AccessKey))
    {
        throw new ProviderException("Missing AccessKey. Please specify it with the accessKey property.");
    }
}

5 Answers, 1 is accepted

Hristo Valyavicharski
Telerik team
answered on 28 Nov 2013, 08:50 AM
Hi Ray,

I have already replied to your similar post here. We are planning to add support for dynamic keys. However, they will not be implemented as properties. It would be possible to use a custom handler where the credentials can be changed dynamically. Additionally, it will be possible to inherit the default handler and create your own custom provider beyond the defined Amazon, Azure and Everlive.

Regards,
Hristo Valyavicharski
Telerik
If you want to get updates on new releases, tips and tricks and sneak peeks at our product labs directly from the developers working on the RadControls for ASP.NET AJAX, subscribe to the blog feed now.
Ray
answered on 29 Nov 2013, 11:35 PM

You obviously do NOT understand AWS dynamic keys, your handler will not work..

Please READ the AWS documentation for credentials and their usage, just implement the three methods..

very simple..
Ray
answered on 30 Nov 2013, 05:57 AM
Please read..

YOU NEED TO SUPPORT ALL THREE AWS WAYS TO PASS AWS CREDENTIALS..

PLEASE DO NOT CHANGE THE AWS SECURITY POLICY!!!
Ray
answered on 30 Nov 2013, 05:59 AM
PS: AWS dynamic keys are NOT user entered keys, they are internal AWS generated tokens..
Marin Bratanov
Telerik team
answered on 03 Dec 2013, 04:28 PM
Hello Ray,

Having the keys available as properties in the control and supporting dynamic tokens are two separate features.

- about properties that let the developer set keys per control instance - our CloudUpload control uses a separate handler to upload files in chunks. This, however, requires that we pass the configuration keys to that handler's URL. Even if they are encrypted, there is always a risk that an attacker will be able to break this encryption. We have received a lot of requests to ensure our controls are secure and do not expose private information, which is why we have chosen to keep these keys as private as possible - i.e., available only on the server. We are logging your request to make them available as properties that will travel with the control's configuration to the client side, and you can follow it here. With Q1 2014 we aim to offer the ability to use custom providers that can load their keys as the developer chooses - from a database, from server cache, hardcoded in each provider so different pages can use identical providers with different keys, etc.

- about support for dynamic tokens - the CloudUpload control was just released and offers the basic functionality. The tasks for the Q1 2014 release are already set and this feature will not be available in it. We have logged it for research and implementation (you can follow, vote and comment on it here). The popularity of this feature, with regard to all other requests we have received, will determine its priority and implementation.


Regards,
Marin Bratanov
Telerik
If you want to get updates on new releases, tips and tricks and sneak peeks at our product labs directly from the developers working on the RadControls for ASP.NET AJAX, subscribe to the blog feed now.
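The request running through this thread (check for dynamically issued AWS credentials before reading static keys from the provider configuration, and keep whatever is resolved on the server, as Marin's answer describes for custom providers), worked as an added example that is not code from Telerik, Amazon or either poster. It is a server-side resolver a custom CloudUpload provider could call at the point where the quoted Initialize() reads config[accessKey]. It tries the sources the AWS SDK for .NET resolves without keys being written into a config file (environment variables, a named credential profile, and the EC2 instance profile whose IAM role issues temporary, auto-rotated session tokens, which is how I read the thread's "dynamic keys") and falls back to static keys in the configuration only as a last resort. Assumed, not from the page: the AWSSDK.Core 3.x types used, the config key names accessKey, secretKey and profileName, and all class and method names.

```csharp
// Added example (not Telerik's or Amazon's code). Assumes AWSSDK.Core 3.x.
using System;
using System.Collections.Specialized;
using Amazon.Runtime;
using Amazon.Runtime.CredentialManagement;

public sealed class ResolvedCredentials
{
    public string Source { get; }              // which source produced the credentials
    public AWSCredentials Credentials { get; } // stays server-side; never sent to the client
    public bool IsTemporary { get; }           // true when a session token is in play

    public ResolvedCredentials(string source, AWSCredentials credentials, bool isTemporary)
    {
        Source = source; Credentials = credentials; IsTemporary = isTemporary;
    }
}

public static class DynamicCredentialResolver
{
    // Hypothetical config key names, mirroring the provider's accessKey property.
    const string AccessKeyName = "accessKey";
    const string SecretKeyName = "secretKey";
    const string ProfileKeyName = "profileName";

    public static ResolvedCredentials Resolve(NameValueCollection config)
    {
        if (config == null) throw new ArgumentNullException("config");

        // 1. Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, optional
        //    AWS_SESSION_TOKEN). The SDK constructor throws when they are absent, so probe.
        var fromEnv = Probe("environment", () => new EnvironmentVariablesAWSCredentials());
        if (fromEnv != null) return fromEnv;

        // 2. A named profile from the shared credentials file or the SDK credential store.
        var profile = config[ProfileKeyName];
        if (!string.IsNullOrEmpty(profile))
        {
            AWSCredentials stored;
            if (new CredentialProfileStoreChain().TryGetAWSCredentials(profile, out stored))
            {
                var fromProfile = Probe("profile:" + profile, () => stored);
                if (fromProfile != null) return fromProfile;
            }
        }

        // 3. EC2 instance profile: temporary tokens from the IAM role attached to the
        //    instance, refreshed by the SDK before they expire. GetCredentials() talks to the
        //    instance metadata service and throws off-EC2, which Probe treats as "absent".
        var fromRole = Probe("instance-profile", () => new InstanceProfileAWSCredentials());
        if (fromRole != null) return fromRole;

        // 4. Last resort: static keys from the provider configuration.
        var accessKey = config[AccessKeyName];
        var secretKey = config[SecretKeyName];
        if (string.IsNullOrEmpty(accessKey) || string.IsNullOrEmpty(secretKey))
        {
            throw new InvalidOperationException(
                "No AWS credentials found in the environment, a named profile, " +
                "the instance profile, or the provider configuration.");
        }
        return new ResolvedCredentials("config",
            new BasicAWSCredentials(accessKey, secretKey), isTemporary: false);
    }

    // Builds the credential object and forces one GetCredentials() call, so a source that
    // is configured but unusable (missing variables, no metadata service, empty profile)
    // is skipped now instead of failing later in the middle of a chunked upload.
    static ResolvedCredentials Probe(string source, Func<AWSCredentials> factory)
    {
        try
        {
            AWSCredentials creds = factory();
            ImmutableCredentials snapshot = creds.GetCredentials();
            if (string.IsNullOrEmpty(snapshot.AccessKey) || string.IsNullOrEmpty(snapshot.SecretKey))
                return null;
            return new ResolvedCredentials(source, creds, snapshot.UseToken);
        }
        catch (Exception)
        {
            // A failed probe only means "not available here"; the next source is tried.
            return null;
        }
    }
}
```

A provider would call DynamicCredentialResolver.Resolve(config) in place of the static accessKey read and keep the returned object in server memory only. IsTemporary tells the upload code to call Credentials.GetCredentials() again before each request rather than caching the key pair, since session tokens expire and the SDK rotates them; and the instance-profile probe pays a metadata-service timeout when the application is not running on EC2, which is the cost of ordering that source ahead of the static fallback.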