Question

In my web part, I use a class WebProxy.

The object of this class uses special credentials. It would be nice to store the credentials in the Web Part properties so that the user can change them. For example, do it like this: http://rmanimaran.wordpress.com/2011/02/27/sharepoint-webpart-custom-properties-password-field-as-property/

But I doubt whether this is safe. Is it safe to store the credentials in the properties of a Web Part? Or is it better to store them somewhere else?


Solution

It is not safe to store credentials, connection strings or similar in web parts.

All users with contributor (designer in SP2010) settings and upward can export the web part and fetch the values from the .webpart/.dwp xml.

You can set the web part to not allow export, or not to export sensitive data (sensitive data is set using the IsSensitive parameter (here set to true): [Personalizable(PersonalizationScope.User, true)]), but I wouldn't trust that with passwords and similar.

In SharePoint 2010 you should use the Secure Store Service (SSS) for these kinds of settings (credentials, connection strings etc). That provides a user interface for selected users. You can then in your Web Part Property point to the SSS application ID that you want it to use (you could also get fancy and make the property a dropdown of available application IDs).

Create a library class with a GetCredentials method that fetches SecureStoreProvider using SPServiceContext and use the GetCredentials(appId) method to fetch your SecureStoreServiceApplicationCollection.

I did a Google search for blogs, and this one came up. It explains both how to set up SSS and how to use it programmatically.
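A sketch of the Secure Store lookup described in the answer above, as an added example that is not code from the original post. The class name `ProxyCredentialHelper` and the helper `ToPlainText` are hypothetical, and it assumes the target application stores a user name and password pair and that the web part property holds only the application ID.

```csharp
using System;
using System.Net;
using System.Runtime.InteropServices;
using System.Security;
using Microsoft.BusinessData.Infrastructure.SecureStore;
using Microsoft.Office.SecureStoreService.Server;
using Microsoft.SharePoint;

public static class ProxyCredentialHelper // hypothetical name
{
    // appId is the Secure Store target application ID read from the web part
    // property; the property itself never holds the password.
    public static NetworkCredential GetCredentials(SPSite site, string appId)
    {
        ISecureStoreProvider provider = SecureStoreProviderFactory.Create();
        ISecureStoreServiceContext providerContext = provider as ISecureStoreServiceContext;
        if (providerContext == null)
            throw new InvalidOperationException("Secure Store provider is not available.");
        providerContext.Context = SPServiceContext.GetContext(site);

        string user = null, password = null;
        // The collection holds SecureString values; dispose it as soon as possible.
        using (SecureStoreCredentialCollection creds = provider.GetCredentials(appId))
        {
            foreach (ISecureStoreCredential cred in creds)
            {
                switch (cred.CredentialType)
                {
                    case SecureStoreCredentialType.UserName:
                    case SecureStoreCredentialType.WindowsUserName: // passed through unchanged
                        user = ToPlainText(cred.Credential); break;
                    case SecureStoreCredentialType.Password:
                    case SecureStoreCredentialType.WindowsPassword:
                        password = ToPlainText(cred.Credential); break;
                }
            }
        }
        if (user == null || password == null)
            throw new InvalidOperationException("Target application has no user name/password pair.");
        return new NetworkCredential(user, password);
    }

    // SharePoint 2010 runs on .NET 3.5, where NetworkCredential has no
    // SecureString constructor, so the value is converted and the BSTR zeroed.
    private static string ToPlainText(SecureString value)
    {
        IntPtr bstr = Marshal.SecureStringToBSTR(value);
        try { return Marshal.PtrToStringBSTR(bstr); }
        finally { Marshal.ZeroFreeBSTR(bstr); }
    }
}
```

The returned object can be assigned to the `Credentials` property of the `WebProxy` from the question; exporting the web part then reveals only the application ID, not the password.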

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange