Access data is required to communicate with the Forge platform.
This posting describes how these very important and security-relevant data can be stored.
First of all, it is important to understand that a distinction needs to be made between a client application and a server application.
In the client application, here a Windows or CAD application, only the data provided by the server application is displayed in a dialog. All communication with the Forge Platform is done exclusively in the server application. This approach is very important from a security point of view, because none of the access data is known to the client application.
The adjacent picture illustrates this procedure.
All communications with the Forge Platform will be through a web service established in the company's own network environment.
public static class Credentials
{
    // Hard-coded access data: visible to anyone who can read the source or the compiled assembly.
    public const string ClientID = "[Your Client ID]";
    public const string ClientSecret = "[Your Client Secret ID]";
    public const string CompanyAccountID = "[Your Company Account ID]";
    public const string AppName = "[Your Application Name]";
    public const string CallBackUrl = "[Your Callback URL]";
}
In a public static class, within the web service application, the data is stored.
This approach is not optimal, if not outright security-critical, because the access data is hard-coded and thus visible.
So not recommended.
<appSettings>
    <add key="CP.Forge.BaseURL" value="https://developer.api.autodesk.com"/>
    <add key="CP.Forge.Database.ServerName" value="[MS SQL-Server Name]"/>
    <add key="CP.Forge.Database.DataSource" value="[DataSource Name]"/>
    <add key="CP.Forge.ClientID" value="[Your Client ID]"/>
    <add key="CP.Forge.ClientSecret" value="[Your Client Secret ID]"/>
    <add key="CP.Forge.CompanyAccountID" value="[Your Company Account ID]"/>
    <add key="CP.Forge.AppName" value="[Your Application Name]"/>
    <add key="CP.Forge.CallBackUrl" value="[Your Callback URL]"/>
</appSettings>
A secure way to store the access data for your Forge account is to put it in the Web.Config file. This file cannot be read easily: doing so requires administrator access to your website's file storage, which is usually password-protected. It is still insecure to a degree.
In your web service application, the following code can be used to read this data.
string m_ClientID = System.Configuration.ConfigurationManager.AppSettings["CP.Forge.ClientID"].ToString();
The access data can also be stored in a database table. If the application name is added as a column in this table, it can be filtered in the Web application and different access data can be used for several applications.
Since the access data for the database is also stored in the web.config file, anyone who can read that file can use it to gain access to the database.
The access data can be encrypted using a method provided in .NET. The necessary key is passed to the web service by the client. It is stored on the client side.
If the web server is hacked, it will be difficult to crack the credentials without this key.
However, if somebody leaks the key, this will not help either.
In the next posting on the Forge Platform I would like to discuss the access token and explain how it can be "saved".
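The encryption step described above, as an added example that is not code from the original post. The class name SecretProtector and its methods are hypothetical, the client key is assumed to be 32 random bytes, and AES-CBC with HMAC-SHA256 is one possible choice for the .NET method the post leaves unnamed.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example (hypothetical helper). Stored value: Base64(IV[16] || ciphertext || HMAC[32]).
public static class SecretProtector
{
    public static string Protect(string plaintext, byte[] clientKey)
    {
        byte[] data = Encoding.UTF8.GetBytes(plaintext);
        using (var aes = Aes.Create())                    // defaults: CBC mode, PKCS7 padding
        using (var hmac = new HMACSHA256(Derive(clientKey, "mac")))
        {
            aes.Key = Derive(clientKey, "enc");
            aes.GenerateIV();                             // fresh random IV for every value
            byte[] ct;
            using (var enc = aes.CreateEncryptor()) ct = enc.TransformFinalBlock(data, 0, data.Length);
            byte[] body = aes.IV.Concat(ct).ToArray();
            return Convert.ToBase64String(body.Concat(hmac.ComputeHash(body)).ToArray());
        }
    }

    public static string Unprotect(string stored, byte[] clientKey)
    {
        byte[] all = Convert.FromBase64String(stored);
        if (all.Length < 64) throw new CryptographicException("Stored value too short.");
        byte[] body = all.Take(all.Length - 32).ToArray();
        using (var hmac = new HMACSHA256(Derive(clientKey, "mac")))   // verify before decrypting
            if (!SameBytes(hmac.ComputeHash(body), all.Skip(body.Length).ToArray()))
                throw new CryptographicException("Wrong key or modified value.");
        using (var aes = Aes.Create())
        {
            aes.Key = Derive(clientKey, "enc");
            aes.IV = body.Take(16).ToArray();
            using (var dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(body, 16, body.Length - 16));
        }
    }

    // Derive separate encryption and MAC keys from the single client-held key.
    static byte[] Derive(byte[] key, string label)
    {
        using (var h = new HMACSHA256(key)) return h.ComputeHash(Encoding.ASCII.GetBytes(label));
    }

    // Compares every byte without an early exit.
    static bool SameBytes(byte[] a, byte[] b) =>
        a.Length == b.Length && a.Zip(b, (x, y) => x ^ y).Aggregate(0, (d, v) => d | v) == 0;
}
```

The web service would store the output of Protect as the value of CP.Forge.ClientSecret and call Unprotect with the key sent by the client on each request. Neither the key nor the decrypted secret should be written to disk or logs on the server.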
© Copyright 2019 by CAD-Becker.de
Jürgen A. Becker
CAD-Becker.de