web.config written on: nov, 16th 2001.
application("dsn") = "server=moon; driver=sql server; database=store; uid=user; pwd=bingo;"
above declaration in the global.asa file might be familiar to almost all asp programmers.
while going through the msdn, i was overwhelmed, by looking into the web.config file which handles all configuration for an application. the replacement for the above declaration in asp .net is as follows:
<configuration>
<appsettings>
<add key="dsn" value="server=moon;database=store;trusted_connection=yes" />
</appsettings>
</configuration>
then, in your aspx page, you should have the following statement to retrieve the value for dsn.
dim dsn as string = configurationsettings.appsettings("dsn")
so, i started to ask the following questions to myself.
what exactly is web.config?
does this handles only the above example?
what are the benefits of web.config?
and, following were the results for my questions, and i would like to share with you all. this is based on beta2
introduction
well, web.config is a xml-based configuration file. if you see the above example, you can make sure that all the elements are based on xml standards. obviously, we can develop a tool for modifying and editing this configuration file.
a web.config can appear in any directory on an asp.net web application server. said this, if you have a web.config file in the directory "c:/inetpub/wwwroot", then the settings specified in the web.config is applicable to all the subdirectories under wwwroot. each sub-directory can have its own web.config file and it will overwrite the settings of the web.config file in the parent directory.
there is another file called machine.config, which provides configuration settings for the entire server. if you change the contents of any web.config file then the change will be immediately reflected in the processing of any incoming requests to the web' server. these settings are calculated only once and then cached across subsequent requests. asp.net automatically watches for file changes and will invalidate the cache if any of the configuration files change. (for more information on caching click here)
the root element of a web.config file is always a <configuration> tag. the <configuration> tag contains three different types of elements: 1) configuration section handler declarations, 2) configuration section groups, and 3) configuration section settings.
following are the list of commonly used configuation tags, that, we be used in our web applications and will go thru them
1) appsettings
2) authentication
3) authorization
4) compilation
5) customerrors
6) globalization
7) identity
8) machinekey
9) pages
10) processmodel
11) sessionstate
12) trace
<appsettings>
this can be declared at the machine, site, application and subdirectory level include all the custom settings for your application in this section. appsettings tag contains two attributes viz; key and value.
<add key="key" value="value"/>
eg: <add key="dsn" value="server=moon;database=store;trusted_connection=yes" />
<authentication>
all the authentication/security related stuff are declared in this section. authentication section contains a single attribute called "mode". possible values for "mode" are (a) forms (b) none (c) passport and (d) windows
form based authentication can be used, if you want to use asp .net forms-based authentication.
if you want to allow anyonmyous users to access your website, select none.
passpost authentication can be used, if you want the authentication to be based on microsoft passport authentication mode.
use windows mode authentication, if you want to use basic, digest, integrated windows authentication (ntlm/kerberos), or certificates
note: if you are using form based authentication, then you have several other options such as how the password should be encrypted, while submitting the form, if login fails, which page should be shown to the user etc.
as the authentication is included in, system.web.configuration.authenticationconfighandler while setting the authentication mode, you should code as follows
eg:
<configuration>
<system.web>
<authentication mode="none" />
</system.web>
</configuration>
<authorization>
this is a very powerful tag, were you can restrict or allow users who wish to visit your web site. authorization tag contains two sub tags such as allow and deny.
allow tag provides us with three attributes, namely users, roles and verbs. we can add the list of users seperated by comma in the users attribute. also we can specify the role in which each user belongs too. important aspect of the attribute verb is that, we can control users depending upon the web request that the server is getting. the verb attribute provides us with four options get, head, post and debug.
deny tag has the same attributes as the allow tag has. other aspect of both these tags are, we can use two special symbols ? and * to specify anonymous users and "all users" respectively.
eg:
<configuration>
<system.web>
<authorization>
<allow roles="admins" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
<compilation>
it is in this tag, you set all your compilcation options. this tag contains three sub-tags and seven attributes, which are discussed below.
attributes
debug specifies whether to compile retail binaries or debug binaries. true specifies debug binaries and false specifies retail binaries
defaultlanguage can be used to specify the language names to use in dynamic compilation files.
use explicit attribute to turn on explicit option or to turn off. this takes either true or false, were true means explicit is enabled.
we can also do a batch compiliation by specifying the attribute bath as true. if we have batch compiliation, then we might face the timeout problem. then we may also want to use the batchtimeout attribute to set the time for batch timeout.
numrecompilesbeforeapprestart is the next attribute. this attribute indicates the number of dynamic recompiles of resources that can occur before the application restarts. this attribute is supported at the global and application level but not at the directory level.
strict attribute indicates the settings of the visual basic strict compile option. supports two values, true and false.
subtags
compilers tag contains many or one compiler tag, were we define new compiler options. assemblies and namespaces specifies asp .net processing directives
eg:
<configuration>
<system.web>
<compilation defaultlanguage="vb" debug="true">
<compilers>
<compiler language="vb;vbscript" extension=".cls" type="microsoft.vb. vbcodeprovider,system" />
<compiler language="c#;csharp" extension=".cs" type="microsoft.csharp. csharpcodeprovider,system" />
</compilers>
<assemblies>
<add assembly="adodb" />
<add assembly="*" />
</assemblies>
<namespaces>
<add namespace="system.web" />
<add namespace="system.web.ui" />
<add namespace="system.web.ui.webcontrols" />
<add namespace="system.web.ui.htmlcontrols" />
</namespaces>
</compilation>
</system.web>
</configuration>
<customerrors>
as the name says all about, customerros provides information about custom error messages for an asp.net application. customerrors tag provides us with three attributes.
defaultredirect can be used to specify the url to direct a browser, if any unexpected error occurs. the mode attribute takes three values on, off or remoteonly. remeteonly specifies that custom errors are shown only to remote clients.
the subtag <error> might be very useful in a variety of way. we can specify the error status code and ask the browser to redirect to a specific page. we should use the attribute, statuscode to specify the error status code and the redirect attribute to specify the redirect url.
eg:
<configuration>
<system.web>
<customerrors defaultredirect="error.aspx" mode="remoteonly">
<error statuscode="500" redirect="internalerror.htm"/>
</customerrors>
</system.web>
</configuration>
<globalization>
configures the globalization settings of an application. two important attributes of this tag are requestencoding and responseencoding. default values for both encoding are "iso-8859-1", which is english.
eg:
<configuration>
<system.web>
<globalization requestencoding="iso-8859-1" responseencoding="iso-8859-1">
<globalization/>
</system.web>
</configuration>
<identity>
controls the application identity of the web application. supports three attributes. impersonate is the first attribute, which specifies whether client impersonation is used on each request to the web server. takes either true or false. if the impersonation is false, then we should specify the values for the attributes, username and password.
eg:
<configuration>
<system.web>
<identity impersonate="true" />
</system.web>
</configuration>
<machinekey>
configures keys to use for encryption and decryption of forms authentication cookie data. this section can be declared at the machine, site, and application levels but not at the subdirectory level. this tag supports three attributes; validationkey, decryptionkey and validation.
validationkey and decryptionkey takes the default value, which is autogenerate. we can also specify a key and it should be length of 128 hexadecimal characters. the validation attribute can be used to specify the alogrithm to be used while encryption. possible values are sha1, md5 and 3des.
<pages>
as the name indicates, we should use this tag to specify the page-specific configuration settings. it supports six attributes. we will dicsuss each one of them.
buffer attribute specifies, whether resources are buffered or not. this takes three values on, off and readonly.
we can enable the session state or disable the session by using the attribute, enablesessionstate. this takes two values, either true or false.
pagebasetype can be used to specify code-behind class that an .aspx page inherits. usercontrolbasetype specifies a code behind class that usercontrols inherit.
if you want to disable any event firing in the page, you can use the attribute autoeventwireup. this too takes either true or false.
eg:
<configuration>
<system.web>
<pages buffer="true" enablesessionstate="true" autoeventwireup="true">
</pages>
</system.web>
</configuration>
<processmodel>
this section is mainly for the web administrators. we should use this tag responsibly. we can use use tag to specify the timeout for when a new worker process should start in place of current one, the idletimeout which specifies the minutes that asp .net automatically shuts down the worker process. one of the important attribute of this tag is requestqueuelimit, were you can specify the number of requests allowed in the queue before asp .net begins returning "503" (server too busy error). default is 5000.
eg:
<configuration>
<system.web>
<processmodel enable="true" timeout="10" idletimeout="20" requestqueuelimit="100">
</processmodel>
</system.web>
</configuration>
<sessionstate>
this tag can be used to specify, were we are storing the session. this can be specified in the mode attribute. supported values mode are off, inproc, stateserver and sqlserver. inproc indicates that, session states is stored locally. stateserver indicates that session state is stored on a remote server and sqlserver can be used to indicate that the session state is stored on a sql server.
we also have the choice to use cookies to store the sessions. this can be set using the attribute cookieless. session timeout can be specified using the attribute called timeout. by default, the session timeout is 20 minutes (same as classic asp).
eg:
<configuration>
<system.web>
<sessionstate mode="inproc" cookieless="true" timeout="20">
</sessionstate>
</system.web>
</configuration>
<trace>
this is a very useful tag to debug our programs. we can use the trace tag to show all the information for the page processed by the server. by default, all the traces are stored on the server. we can specify the number of traces stored in the memory by using the attribute called requestlimit. default is 10. we can either append the trace to the page or can be viewed using the trace utility. this is specified by the attribute called pageoutput.
eg:
<configuration>
<system.web>
<trace enabled="false" requestlimit="15" pageoutput="true">
</trace>
<system.web>
</configuration>
there are some more tags available which can be used in the web.config file. those are <httphandlers>, <httpmodules>, <httpruntime>, <securitypolicy>, <webservices>, <trust> and <browsercaps>. you may want to look into these.
summary
that was a small introduction for web.config file. and to end with, i have two tips for you.
suppose, if we are creating a new folder and if we want to override the configuration settings of the parent folder, what we have to do is just create another web.config file in the sub-directory. if we need to prevent the overriding of the new web.config file in the subdirectory, then we can add the attribute allowoverride in the location tag. also, we can specify the application name in the attribute path.
<configuration>
<location path="app1" allowoverride="false">
<system.web>
<identity impersonate="false" username="app1" password="app1pw" />
</system.web>
</location>
</configuration>
what if some one types the web.config file in the url?
asp.net configures iis to prevent direct browser access to web.config files to ensure that their values cannot become public (attempts to access them will cause asp.net to return 403: access forbidden).
external links
http://www.123aspx.com/directory.aspx?dir=85
http://msdn.microsoft.com/library/en-us/cpguidnf/html/cpconcreatingnewsectionhandlers.asp