<configuration>

  <configuration>
  </configuration>

The root element for all configuration files; it is required.

Scope
All

Attributes
None

<appSettings>

  <appSettings>
  </appSettings>

The <appSettings> element can be used to configure custom application settings as key/value pairs. These settings can later be retrieved at runtime through the AppSettings property of the ConfigurationSettings class, as shown in the example. Because this property is shared (static), the ConfigurationSettings class does not need to be instantiated before accessing it.

Scope
Any

Attributes
None

Child Elements

Example
The following web.config section sets an application-level key/value pair:

  <configuration>
    <appSettings>
      <add key="applicationConfigKey" value="bar"/>
    </appSettings>
  </configuration>

The following ASP.NET page retrieves the value set by the preceding configuration and also retrieves a value set at the machine.config level:

  <%@ Page Language="VB" %>
  <html>
  <head>
  <script runat="server">
  Sub Page_Load()
      Message1.Text &= _
          ConfigurationSettings.AppSettings("machineConfigKey")
      Message2.Text &= _
          ConfigurationSettings.AppSettings("applicationConfigKey")
  End Sub
  </script>
  </head>
  <body>
  <asp:label id="Message1" runat="server">
      Machine.Config setting:
  </asp:label><br/>
  <asp:label id="Message2" runat="server">
      Web.Config setting:
  </asp:label>
  </body>
  </html>

Notes
As shown in the example, the <appSettings> element can be used separately from the <system.web> element and its children.

For security reasons, use caution when deciding what kinds of data to store using the <appSettings> element. Remember that while the ASP.NET runtime is set up to prevent an application's web.config file from being requested or read, this file could still be exposed if the security of the web server were breached in some other way. Thus, you should generally avoid storing sensitive information such as usernames and passwords (or connection strings containing them) in the web.config file. A better, although still moderately vulnerable, alternative is to store this information at the machine.config level, since this file is not within the web space of the application and is not as vulnerable to compromise through attacks on IIS. However, remember that this information will then be available to any application on the machine.

<system.web>

  <system.web>
  </system.web>

Container element for all elements used in web.config files.

Scope
All

Attributes
None

Child Elements
<authentication>, <authorization>, <browserCaps>, <clientTarget>, <compilation>, <customErrors>, <globalization>, <httpHandlers>, <httpModules>, <httpRuntime>, <identity>, <iisFilter>, <machineKey>, <pages>, <processModel>, <securityPolicy>, <sessionState>, <trace>, <trust>, <webServices>

Notes
This element is required in order to use any of its child elements.

<authentication>

  <authentication>
  </authentication>

Provides attributes and contains child elements used to configure authentication options in ASP.NET.

Scope
Machine, Application

Attributes

Child Elements
<forms>, <passport>

Example
The example configures the pages within the scope of the configuration file to use ASP.NET forms-based authentication:

  <configuration>
    <system.web>
      <authentication mode="Forms">
        <forms name="myAuthCookie"
               loginUrl="login.aspx"
               protection="All"
               timeout="30"
               path="/" />
      </authentication>
    </system.web>
  </configuration>

Notes
The <location> element can be used to configure authentication at the machine level, if desired, and its allowOverride attribute can be used to prevent these settings from being overridden in individual applications.

Authentication can be a fairly involved topic. For more information on the various ASP.NET authentication methods and how they relate to IIS authentication, please see Chapter 9.

<forms>

  <forms loginUrl=String
         name=String
         path=String
         protection="All|None|Encryption|Validation"
         timeout=Integer>
  </forms>

Provides attributes and one child element (<credentials>) to configure ASP.NET to use forms-based authentication.

Scope
Machine, Application

Attributes

Child Elements
<credentials>

Example
See the example for the <authentication> element.

Notes
Forms-based authentication is only effective when used in conjunction with the <authorization> element to deny anonymous users access to pages within the application.

It's a good idea to use SSL encryption to protect the forms authentication credentials and cookie, to prevent these credentials from being hijacked. If you can't (or don't want to) use SSL, you should at least reduce the default timeout value to lessen the likelihood of someone capturing and impersonating the authentication cookie.

<credentials>

  <credentials passwordFormat="Clear|SHA1|MD5">
  </credentials>

Allows you to store one or more sets of credentials in the application (or machine) configuration file for later use in authenticating requests. The child <user> element is used to store the actual credentials.

Scope
Machine, Application

Attributes

Child Elements
<user>

Example
The example shows the <credentials> element used to store two user accounts to authenticate against:

  <credentials passwordFormat="SHA1">
    <user name="foo" password="794ED3D18464BAFF93F8DED1CFD00D9A2D9FE316"/>
    <user name="bar" password="B7CDD2A2B0F05E6948E5CEED22FA9A38EB28DEC8"/>
  </credentials>

Notes
Once you've stored the credentials, you can authenticate against them by calling the static (shared) Authenticate method of the FormsAuthentication helper class. You can use the static (shared) HashPasswordForStoringInConfigFile method of FormsAuthentication to create an MD5 or SHA1 hash of the password for storing in the <user> element. When using the <credentials> element to store credentials, you should always hash passwords, since storing them in readable text presents a potential security risk. Although, in theory, no one should be able to read the configuration file, a server misconfiguration or security vulnerability could conceivably expose it.

<user>

  <user name=String password=String />

Stores the username and password for each user defined in the <credentials> element.

Scope
Machine, Application

Attributes

Child Elements
None

Example
See the example for the <credentials> element.

Notes
You should always use the HashPasswordForStoringInConfigFile method to hash passwords stored in the password attribute. A utility page that creates SHA1 or MD5 hashes of plain-text passwords is provided in the examples for Chapter 9.

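Both the <credentials> and <user> entries describe hashing passwords with HashPasswordForStoringInConfigFile and checking them with FormsAuthentication.Authenticate. The Python below is an added model of that check, not code from the book or from ASP.NET; it assumes the hash is taken over the password's UTF-8 bytes and stored as uppercase hex, that stored hex is compared case-insensitively, that user names match exactly, and that SHA1 is the default passwordFormat, and its function names (hash_for_config, load_credentials, authenticate, build_credentials) are its own.

```python
"""Model of the <credentials>/<user> password check (added example; not ASP.NET's code).

Assumptions not stated on the page: HashPasswordForStoringInConfigFile hashes the
UTF-8 bytes of the password and returns uppercase hex digits; Authenticate compares
the hex strings case-insensitively and matches user names exactly; passwordFormat
defaults to SHA1 when the attribute is omitted.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET


def hash_for_config(password: str, password_format: str) -> str:
    """Return the value to store in <user password="...">, per passwordFormat."""
    fmt = password_format.lower()
    data = password.encode("utf-8")
    if fmt == "clear":
        return password
    if fmt == "sha1":
        return hashlib.sha1(data).hexdigest().upper()
    if fmt == "md5":
        return hashlib.md5(data).hexdigest().upper()
    raise ValueError(f"unsupported passwordFormat: {password_format!r}")


def load_credentials(credentials_xml: str) -> tuple[str, dict[str, str]]:
    """Parse a <credentials> element into (passwordFormat, {name: stored password})."""
    root = ET.fromstring(credentials_xml)
    if root.tag != "credentials":
        raise ValueError("expected a <credentials> element")
    fmt = root.get("passwordFormat", "SHA1")  # assumed default when omitted
    users = {}
    for user in root.findall("user"):
        name, stored = user.get("name"), user.get("password")
        if name is None or stored is None:
            raise ValueError("<user> needs both name and password attributes")
        users[name] = stored
    return fmt, users


def authenticate(credentials_xml: str, name: str, password: str) -> bool:
    """Mirror FormsAuthentication.Authenticate: hash the candidate, then compare."""
    fmt, users = load_credentials(credentials_xml)
    stored = users.get(name)
    if stored is None:
        return False
    candidate = hash_for_config(password, fmt)
    if fmt.lower() != "clear":
        stored, candidate = stored.upper(), candidate.upper()
    # Constant-time comparison so timing does not reveal how many characters matched.
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


def build_credentials(password_format: str, accounts: dict[str, str]) -> str:
    """Emit a <credentials> section from plaintext accounts (what the book's utility page does)."""
    users = "".join(
        f'  <user name="{n}" password="{hash_for_config(p, password_format)}"/>\n'
        for n, p in accounts.items()
    )
    return f'<credentials passwordFormat="{password_format}">\n{users}</credentials>'


# Constructed sample: two accounts stored as SHA1 hashes, laid out like the book's example.
SAMPLE_CREDENTIALS = build_credentials("SHA1", {"foo": "foo-pass", "bar": "bar-pass"})

if __name__ == "__main__":
    print(SAMPLE_CREDENTIALS)
    print(authenticate(SAMPLE_CREDENTIALS, "foo", "foo-pass"))  # True
    print(authenticate(SAMPLE_CREDENTIALS, "foo", "bar-pass"))  # False
```

Note that these hashes are unsalted and fast, so they only protect against casual reading of the file; a leaked configuration file still lets an attacker test password guesses offline.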
<passport>

  <passport redirectUrl=Url />

This optional element configures an internal URL to which unauthenticated requests will be redirected when using Microsoft's Passport authentication provider. This element should be used only when the <authentication> element's mode attribute is set to Passport.

Scope
Machine, Application

Attributes

Child Elements
None

Example
This example shows a web.config file that configures an application for Passport authentication:

  <configuration>
    <system.web>
      <authentication mode="Passport">
        <passport redirectUrl="Login.aspx"/>
      </authentication>
    </system.web>
  </configuration>

Notes
For more information on configuring Passport authentication, see the Passport SDK documentation, which is available from http://www.passport.com.

<allow>

Specifies users, roles, and/or HTTP verbs to be authorized for the application.

Scope
Any

Attributes

Child Elements
None

Example
See the example for the <authorization> element.

Notes
You can use two wildcards to specify special groups of users:

<deny>

Specifies users, roles, and/or HTTP verbs to be denied authorization for the application.

Scope
Any

Attributes

Child Elements
None

Example
See the example for the <authorization> element.

Notes
The same wildcards used by the <allow> element also apply to the <deny> element. To deny access to anonymous (non-authenticated) users, set the value of the users attribute of the <deny> element to ?.

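The <allow> and <deny> entries give the wildcard semantics but not the evaluation order, which decides whether a rule such as <deny users="?" /> is ever reached. The Python below is an added model of how the rule list inside <authorization> is evaluated, not ASP.NET's own code; it assumes first-match-wins in document order, an allow result when no rule matches (the <allow users="*" /> that machine.config supplies), users="*" meaning every user, and case-insensitive comparison of user names, roles and verbs. The names Request and is_authorized are its own.

```python
"""Model of <allow>/<deny> rule evaluation (added example; not ASP.NET's code).

Assumptions: rules are examined in document order and the first rule matching the
request decides; a request matching no rule is allowed; users="*" means everyone and
users="?" means anonymous (unauthenticated) requests; users, roles and verbs are
comma-separated lists; an omitted verbs attribute matches every HTTP verb; all
comparisons are case-insensitive.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    user: Optional[str]                # None models an anonymous request
    roles: frozenset = frozenset()     # roles the authenticated user belongs to
    verb: str = "GET"


def _split(attr: Optional[str]) -> list:
    """Split a comma-separated attribute into lower-cased, stripped entries."""
    return [v.strip().lower() for v in attr.split(",") if v.strip()] if attr else []


def _rule_matches(rule: ET.Element, req: Request) -> bool:
    """True when an <allow> or <deny> element applies to this request."""
    verbs = _split(rule.get("verbs"))
    if verbs and req.verb.lower() not in verbs:
        return False                   # rule is restricted to other verbs
    for u in _split(rule.get("users")):
        if u == "*":
            return True                # everyone, authenticated or not
        if u == "?" and req.user is None:
            return True                # anonymous requests only
        if req.user is not None and u == req.user.lower():
            return True
    req_roles = {r.lower() for r in req.roles}
    return any(r in req_roles for r in _split(rule.get("roles")))


def is_authorized(authorization_xml: str, req: Request) -> bool:
    """Walk the <authorization> rules in order; the first match wins."""
    root = ET.fromstring(authorization_xml)
    if root.tag != "authorization":
        raise ValueError("expected an <authorization> element")
    for rule in root:
        if rule.tag in ("allow", "deny") and _rule_matches(rule, req):
            return rule.tag == "allow"
    return True                        # nothing matched: inherited default allows


# Constructed sample: admins may do anything, anonymous users get nothing,
# and everyone else may only issue read-only requests.
SAMPLE_AUTHORIZATION = """
<authorization>
  <allow roles="Admins" />
  <deny users="?" />
  <deny verbs="POST,PUT,DELETE" users="*" />
  <allow users="*" />
</authorization>
"""

if __name__ == "__main__":
    print(is_authorized(SAMPLE_AUTHORIZATION, Request(None)))                  # False
    print(is_authorized(SAMPLE_AUTHORIZATION, Request("alice")))               # True
    print(is_authorized(SAMPLE_AUTHORIZATION, Request("alice", verb="POST")))  # False
```

Reordering the sample so that <allow users="*" /> comes first would silently grant anonymous access, because the later <deny users="?" /> is never consulted.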
<browserCaps>

  <browserCaps>
    <result type=className />
    <use var=serverVarName />
    property1=value
    property2=value
    propertyN=value
    <filter match=string>
      property1=value
      property2=value
      propertyN=value
    </filter>
    <filter match=string>
      <filter match=string with=expressionToSearch>
        property1=value
        property2=value
        propertyN=value
      </filter>
    </filter>
    <filter>
      <case match=string>
        property1=value
        property2=value
        propertyN=value
      </case>
      <case match=string>
        property1=value
        property2=value
        propertyN=value
      </case>
    </filter>
  </browserCaps>

Controls the configuration of the browser capabilities component returned by the Response.Browser property. The property/value pairs under the <use> element configure the default values of the browser capabilities component's properties; the property/value pairs in the <filter> elements update these properties based on a match between the string given in the match attribute of the <case> element and the value of the server variable named by the var attribute of the <use> element (typically HTTP_USER_AGENT).

Scope
Any

Attributes
None

Child Elements
<result>, <use>, <filter>

Example
The machine.config configuration file contains the default settings for the <browserCaps> element. The default settings provide the best example for modifying or updating this element.

Notes
The primary purpose of this configuration element and its children is to allow new browser types to be added and the capabilities of existing browsers to be updated, so that when a page calls the browser capabilities component it receives accurate information about the browser used for the current request.

<result>

  <result type=className />

Specifies the class used for the browser capabilities component.

Scope
Any

Attributes

Child Elements
None

Notes
The default type of System.Web.HttpBrowserCapabilities is fine in most cases. If you want to add properties beyond those defined by the HttpBrowserCapabilities class, you can create your own class (derived from HttpCapabilitiesBase or HttpBrowserCapabilities) and use the <result> element to substitute it.

<use>

  <use var=serverVariableName as=aliasName />

Sets the name of the server variable to use when evaluating browser capabilities.

Scope
Any

Attributes

Child Elements
None

Notes
The <use> element is followed by property/value pairs that specify the default properties for the browser capabilities component if no match is found with a <filter> element's match attribute (or that of its child <case> element). This usage is demonstrated in the entry for the <browserCaps> element.

<filter>

  <filter match=string>
    property1=value
    property2=value
    propertyN=value
  </filter>
  <filter match=string>
    <filter match=string with=expressionToSearch>
      property1=value
      property2=value
      propertyN=value
    </filter>
  </filter>
  <filter>
    <case match=string>
      property1=value
      property2=value
      propertyN=value
    </case>
    <case match=string>
      property1=value
      property2=value
      propertyN=value
    </case>
  </filter>

Specifies a regular expression pattern to search for in the server variable given in the <use> element (or, optionally, in another expression given by the with attribute). Multiple <filter> elements can be contained in the <browserCaps> element; likewise, each <filter> element can contain <case> elements or other <filter> elements. All property assignments for matching <filter> elements will be executed, regardless of their order.

Scope
Any

Attributes

Child Elements
<case>

Notes
The fact that <filter> elements can be nested makes them very flexible in terms of locating subsets of information. For example, the default <browserCaps> element in machine.config uses nested <filter> elements to locate both the major and minor browser versions contained in the HTTP_USER_AGENT server variable, so that it can assign specific properties that vary among minor versions (i.e., the x in 4.x) of a browser.

<case>

  <case match=string>
    property1=value
    property2=value
    propertyN=value
  </case>

Specifies one of a group of exclusive matching cases for which property assignments will be executed. Only the first matching <case> element within a given <filter> element will be executed; the rest will be ignored.

Scope
Any

Attributes

Child Elements
None

Notes
This element is useful in situations when you only want a single match. For example, the default <browserCaps> configuration in machine.config uses the <case> element to assign the platform, win16, and win32 attributes.

<clientTarget>

  <clientTarget>
    <add alias=aliasName userAgent=userAgentString />
    <remove alias=aliasName />
    <clear />
  </clientTarget>

Assigns aliases for specified browser user agent strings to be used by ASP.NET Server Controls in deciding what type of content to render.

Scope
Any

Attributes
None

Child Elements

Example
This example comes from the default <clientTarget> element:

  <clientTarget>
    <add alias="ie5" userAgent="Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)" />
    <add alias="ie4" userAgent="Mozilla/4.0 (compatible; MSIE 4.0; Windows NT 4.0)" />
    <add alias="uplevel" userAgent="Mozilla/4.0 (compatible; MSIE 4.0; Windows NT 4.0)" />
    <add alias="downlevel" userAgent="Unknown" />
  </clientTarget>

Notes
This element is used primarily by the built-in ASP.NET Server Controls, so you should avoid changing the existing aliases; doing so could prevent these controls from rendering uplevel content.

<compilation>

  <compilation batch=boolean
               batchTimeout=numSeconds
               debug=boolean
               defaultLanguage=languageAlias
               explicit=boolean
               maxBatchSize=maxPages
               maxBatchGeneratedFileSize=maxSize
               numRecompilesBeforeAppRestart=numRecompiles
               strict=boolean
               tempDirectory=dirName >
    <compilers>
      <compiler language=languageAlias
                extension=fileExt
                type=typeName
                warningLevel=number
                compilerOptions=optionString />
    </compilers>
    <assemblies>
      <add assembly=assemblyName />
      <remove assembly=assemblyName />
      <clear />
    </assemblies>
  </compilation>

Provides attributes and child elements for configuring the compilation options of ASP.NET applications. All attributes are optional.

Scope
Any

Attributes

Child Elements
<assemblies>, <compilers>

Example
The example enables the Visual Basic .NET Option Strict compiler option and disables batch compilation:

  <configuration>
    <system.web>
      <compilation batch="false" strict="true">
      </compilation>
    </system.web>
  </configuration>

Notes
Make sure you understand the impact of changes to this element before making modifications. For example, setting the debug attribute to True will have a significant negative impact on performance. While setting the strict attribute to True will reduce the likelihood of bugs from implicit data type conversion, it could also increase the number of compiler errors you get while developing your code.

<assemblies>

  <assemblies>
    <add assembly=assemblyInfo />
    <remove assembly=assemblyInfo />
    <clear />
  </assemblies>

Adds or removes assemblies to be referenced and linked during dynamic compilation of ASP.NET pages. By default, the mscorlib, System, System.Drawing, System.EnterpriseServices, System.Web, System.Data, System.Web.Services, and System.Xml assemblies are referenced during dynamic compilation, as are any assemblies located in the application directory's bin subdirectory.

Scope
Any

Attributes
None

Child Elements

Example
This example shows the <add> element used by the Mobile Internet Toolkit to add the assembly System.Web.Mobile to the list of assemblies for dynamic compilation:

  <assemblies>
    <add assembly="System.Web.Mobile, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </assemblies>

Notes
The asterisk (*) wildcard is used with the <add> element to indicate that all assemblies in the application's private assembly cache (by default, the bin subdirectory of the application) should be added to the list of assemblies linked during dynamic compilation. This ensures that all members of these assemblies will be available to all the pages in your application automatically.

<compilers>

  <compilers>
    <compiler language=languageAlias
              extension=fileExt
              type=typeName
              warningLevel=number
              compilerOptions=optionString />
  </compilers>

Contains one or more <compiler> elements, each of which defines configuration options for a particular compiler to be used with ASP.NET.

Scope
Any

Attributes
None

Child Elements
<compiler>

Notes
Thanks to the <compilers> and <compiler> elements, adding support for a new .NET language in ASP.NET is as simple as adding a new <compiler> element specifying the language aliases, the file extension for class files for the language, and the type information for the language compiler.

<compiler>

  <compiler language=languageAlias
            extension=fileExt
            type=typeName
            warningLevel=number
            compilerOptions=optionString />

Specifies configuration options for a given language.

Scope
Any

Attributes

Child Elements
None

Notes
The <compilers> element in machine.config provides a good example of the use of this element. Review that configuration section to see how the Visual Basic .NET, C#, and JScript .NET compilers are configured.

<customErrors>

  <customErrors defaultRedirect=Url mode=mode >
    <error statusCode=httpStatusCode redirect=Url />
  </customErrors>

Specifies one or more pages to which users should be redirected if an unhandled exception is detected in an ASP.NET application. A default error page can be specified, as well as one or more error pages for specific HTTP error codes.

Scope
Any

Attributes

Child Elements
<error>

Example
The example configures a default page to be displayed to remote clients when an unhandled exception is encountered:

  <configuration>
    <system.web>
      <customErrors defaultRedirect="Error.aspx" />
    </system.web>
  </configuration>

Notes
If you set the mode attribute to RemoteOnly, you will only be able to see detailed error information from the local machine on which the pages are running. Remote requests will return the custom error page (if any) configured for the status code of the error that occurred.

If you want to see the debug information provided by ASP.NET when an error occurs, the mode attribute should be set to Off.

<error>

  <error statusCode=httpStatusCode redirect=Url />

Specifies a custom error page to handle redirections for a specific HTTP status code.

Scope
Any

Attributes

Child Elements
None

Example
The example configures a custom error page for 404 errors, in addition to the default error page configured in the previous example:

  <configuration>
    <system.web>
      <customErrors defaultRedirect="Error.aspx">
        <error statusCode="404" redirect="My404ErrorPage.aspx"/>
      </customErrors>
    </system.web>
  </configuration>

Notes
While custom error pages provide a convenient way to prevent users from seeing raw error messages (and perhaps provide more helpful messages), they are not a substitute for proper exception handling. By the time an error reaches a custom error page, recovering from the error gracefully will be much more difficult, which can degrade the experience of your users.

<globalization>

  <globalization requestEncoding=encodingString
                 responseEncoding=encodingString
                 fileEncoding=encodingString
                 culture=cultureString
                 uiCulture=cultureString />

Provides attributes for configuring encoding and culture settings. These attributes are used as the basis for the expected encoding of requests, responses, and files for internationalization.

Scope
Any

Attributes

Child Elements
None

Example
This example shows how the default <globalization> settings are configured in web.config:

  <configuration>
    <system.web>
      <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
    </system.web>
  </configuration>

Notes
A list of valid culture strings can be found in the .NET Framework documentation for the System.Globalization.CultureInfo class.

<httpHandlers>

  <httpHandlers>
    <add verb=httpVerbs path=pathInfo type=typeInfo validate=boolean />
    <remove verb=httpVerbs path=pathInfo />
    <clear />
  </httpHandlers>

Adds or removes HttpHandlers, which are used to provide request processing for a specified HTTP verb and/or file type or path. ASP.NET itself is set up as an HttpHandler for .aspx and .asmx files, and HttpHandlers are used to prevent downloading of source code for other ASP.NET file types, such as global.asax.

Scope
Any

Attributes
None

Child Elements

Example
The example configures a custom HttpHandler for the file extension .aspnetian:

  <configuration>
    <system.web>
      <httpHandlers>
        <add verb="*" path="*.aspnetian" type="aspnetian.aspnetianHandler" />
      </httpHandlers>
    </system.web>
  </configuration>

Notes
To make the example work properly, you need to map the file extension .aspnetian to the ASP.NET ISAPI handler in IIS; otherwise, the request would never be handed to the custom HttpHandler. Chapter 9 has a step-by-step walkthrough of the process for mapping additional file types to the ASP.NET ISAPI handler.

<httpModules>

  <httpModules>
    <add name=moduleName type=typeInfo />
    <remove name=moduleName />
    <clear />
  </httpModules>

Adds or removes HttpModules. HttpModules are special classes that participate in the processing of all application requests. Both ASP.NET caching and session state are implemented as HttpModules, as are the authentication and authorization features of ASP.NET.

<httpRuntime>

  <httpRuntime appRequestQueueLimit=numRequests
               executionTimeout=numSeconds
               maxRequestLength=numKBytes
               minFreeLocalRequestFreeThreads=numThreads
               minFreeThreads=numThreads
               useFullyQualifiedRedirectUrl=boolean />

Contains attributes used to configure the settings for the ASP.NET HTTP runtime.

Scope
Any

Attributes

Child Elements
None

Example
This example forces client-side redirect URLs to be fully qualified, which is required for some of the mobile controls supplied in the Microsoft Mobile Internet Toolkit:

  <configuration>
    <system.web>
      <httpRuntime useFullyQualifiedRedirectUrl="true" />
    </system.web>
  </configuration>

Notes
One of the most commonly customized attributes is maxRequestLength, since for sites that need to upload files the default 4 MB limit can be fairly restrictive. Use caution when increasing this value, however; only increase it as much as necessary for the maximum file size you expect. Making this value too large can make your site vulnerable to denial-of-service attacks.

<identity>

  <identity impersonate=boolean userName=string password=string />

Specifies whether request impersonation is enabled, as well as the identity to be used for requests made from the ASP.NET worker process and the password for that identity.

Scope
Any

Attributes

Child Elements
None

Example
The example turns on impersonation for the logged-in user authenticated by IIS:

  <configuration>
    <system.web>
      <identity impersonate="true" userName="" />
    </system.web>
  </configuration>

Notes
Because the password attribute stores passwords in readable text, you should carefully consider whether it makes sense to use this functionality. Storing sensitive information such as passwords in text files presents a potential security risk.

<machineKey>

  <machineKey validationKey="autogenerate|value"
              decryptionKey="autogenerate|value"
              validation="SHA1|MD5|3DES" />

Specifies the settings for cryptographic keys used for validation and decryption of Forms Authentication cookies.

Scope
All

Attributes

Child Elements
None

Notes
For web farms, ensuring that the validationKey and decryptionKey values are synchronized across all servers in the farm is important. If they are not synchronized, you may get errors in Forms Authentication, ViewState errors, or problems with session state.

<pages>

  <pages buffer=boolean
         enableSessionState="true|false|ReadOnly"
         enableViewState=boolean
         enableViewStateMac=boolean
         autoEventWireup=boolean
         smartNavigation=boolean
         pageBaseType=typeInfo
         userControlBaseType=typeInfo />

Contains attributes used to configure the default settings for ASP.NET pages and user controls. These settings can be overridden by attributes on the @ Page or @ Control directive.

Scope
Any

Attributes

Child Elements
None

Example
The example disables both Session state and ViewState at the page level:

  <configuration>
    <system.web>
      <pages enableSessionState="false" enableViewState="false"/>
    </system.web>
  </configuration>

Notes
The <pages> element is very useful for setting application-level (or folder-level) defaults for pages in your application. One possible use is to place pages that do not require access to session state in a separate folder and use the <pages> element to disable session state for that folder. In this case, a session will not be created for a user until the user requests a page in your application for which EnableSessionState is True.

The default setting of EnableViewStateMac is True. It's important to remember this because the MAC check uses the settings in the <machineKey> element to create an encrypted version of the ViewState hidden field. In a web farm scenario, the <machineKey> settings for each server in the farm must match. Otherwise, the MAC check will fail when a user's initial request is handled by one server, while a subsequent postback is handled by another server with different settings for <machineKey>.

<processModel>

  <processModel enable=boolean
                timeout="Infinite"|HH:MM:SS
                idleTimeout="Infinite"|HH:MM:SS
                shutdownTimeout="Infinite"|HH:MM:SS
                requestLimit=numRequests
                requestQueueLimit="Infinite"|numRequests
                restartQueueLimit="Infinite"|numRequests
                memoryLimit=percentMemory
                cpuMask=cpuNumBitMask
                webGarden=boolean
                userName=username
                password=password
                logLevel="All|None|Errors"
                clientConnectedCheck=HH:MM:SS
                comAuthenticationLevel="Default|None|Connect|Call|Pkt|PktIntegrity|PktPrivacy"
                comImpersonationLevel="Default|Anonymous|Identify|Impersonate|Delegate"
                responseRestartDeadlockInterval="Infinite"|HH:MM:SS
                responseDeadlockInterval="Infinite"|HH:MM:SS
                maxWorkerThreads=numThreads
                maxIoThreads=numThreads
                serverErrorMessageFile=fileName />

Contains attributes used to configure the ASP.NET worker process in IIS 5.

Scope
Machine Only

Attributes

Child Elements
None

Notes
In IIS 6 native mode, the settings in the <processModel> element will be ignored.

Because the settings in the <processModel> element are read by and applied to the unmanaged aspnet_isapi.dll handler that passes requests to the managed aspnet_wp.exe worker process (rather than by managed code), changes to the <processModel> element will not be applied until IIS is restarted.

<securityPolicy>

  <securityPolicy>
    <trustLevel name=trustLevelName policyFile=fileName />
  </securityPolicy>

Configures mappings of trust names (used by the <trust> element) to security policy files. The security policy files contain elements that configure the code access security permissions that are specific to that trust level. <securityPolicy> can contain one or more <trustLevel> elements.

Scope
Machine, Application

Attributes
None

Child Elements

Example
This example comes from the default <securityPolicy> element in machine.config:

  <securityPolicy>
    <trustLevel name="Full" policyFile="internal" />
    <trustLevel name="High" policyFile="web_hightrust.config" />
    <trustLevel name="Low" policyFile="web_lowtrust.config" />
    <trustLevel name="None" policyFile="web_notrust.config" />
  </securityPolicy>

Notes
For a specific application, if you want to modify the code access security permissions applied, you could create a new CAS policy file and map that file to a custom trust level by using the <trustLevel> element. To implement the new security policy, you would add a <trust> element to the web.config file of the desired application and use it to specify the mapped policy file by name.

<sessionState>

  <sessionState mode="Off|Inproc|StateServer|SQLServer"
                cookieless=boolean
                timeout=numMinutes
                stateNetworkTimeout=numSeconds
                stateConnectionString="tcpip=server:port"
                sqlConnectionString=connString />

Scope
Machine, Application

Attributes
The default mode is InProc.

Child Elements
None

Example
The example configures session state to run in SQL Server mode without cookies:

  <configuration>
    <system.web>
      <sessionState mode="SQLServer"
                    cookieless="true"
                    sqlConnectionString="data source=myServer;trusted_connection=true" />
    </system.web>
  </configuration>

Notes
To use SQL Server mode with a trusted connection, the account identity of the ASP.NET worker process must have a login to the SQL Server database and must have permission to access the ASPState and TempDB databases. If you cannot use a trusted connection, you should create a special account specifically to access the state database, and use that account in the sqlConnectionString attribute.

Note that when using either of the out-of-process session state modes, it's wise to use the EnableSessionState attribute of the @ Page directive to disable session state for pages in your application that do not use it. Otherwise, these pages will make unnecessary cross-machine calls to retrieve unused session state information. If you have a page that reads session data but does not alter it, you can also set the EnableSessionState attribute to ReadOnly to avoid the cross-machine call to store updated session data.

<trace>

  <trace enabled=boolean
         localOnly=boolean
         pageOutput=boolean
         requestLimit=numRequests
         traceMode="SortByTime|SortByCategory" />

Scope
Any

Attributes

Child Elements
None

Example
This example turns tracing on at the application level:

  <configuration>
    <system.web>
      <trace enabled="true" />
    </system.web>
  </configuration>

Notes
Chapter 10 provides an overview of how to use the trace functionality of ASP.NET.

<trust>

  <trust level="Full|High|Low|None" originUrl=URL />

Assigns a named trust level created with the <trustLevel> child element of the <securityPolicy> element to a machine, a site, or an application.

Scope
Machine, Application

Attributes

Child Elements
None

Example
This example sets the application's CAS permissions based on a custom trust level:

  <configuration>
    <system.web>
      <trust level="myTrustLevel" />
    </system.web>
  </configuration>

Notes
Make sure that you understand the security implications of using custom security policy mappings before using this element. Incorrect permissions can cause major problems for your application.

<location>

  <location path=pathToConfigure allowOverride=boolean >
    <system.web>
      <!-- Configuration settings -->
    </system.web>
  </location>

Allows you to prevent settings in machine.config or web.config from being overridden in child configuration files. You can also use it to configure settings for specific files or folders from a configuration file in a parent folder.

Scope
Any

Attributes

Child Elements
<system.web>

Example
The example, if used in machine.config, would force all applications on the machine to use Windows authentication:

  <configuration>
    <location allowOverride="false">
      <system.web>
        <authentication mode="Windows" />
      </system.web>
    </location>
    <system.web>
      <!-- Other configuration settings -->
    </system.web>
  </configuration>

Notes
This tag provides powerful control over configuration. In addition to the scenario of enforcing an authentication method across all applications, you can also use the path attribute to configure multiple child folders or files from the web.config file in the root of the application. Using this configuration can avoid having a large number of child web.config files to manage for a larger application.

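The <location> entry explains that allowOverride="false" stops child configuration files from overriding a parent's settings. The Python below is an added model of that inheritance, not ASP.NET's configuration system; it flattens each <system.web> block to element@attribute keys, treats an element declared inside a locked <location> as off-limits to any child file (ASP.NET reports a configuration error in that case rather than letting the child win), ignores the path attribute, and uses its own names (effective_settings, ConfigurationError, is_rejected).

```python
"""Model of configuration inheritance under <location allowOverride="false">
(added example; not ASP.NET's code).

Assumptions: files are applied from machine.config inward; each <system.web> block is
flattened to "element@attribute" keys; an element configured inside a parent's
<location allowOverride="false"> is locked, and a child file that declares that
element at all is rejected; the path attribute of <location> is ignored.
"""
import xml.etree.ElementTree as ET


class ConfigurationError(Exception):
    """Raised when a child file touches a setting a parent has locked."""


def _flatten(system_web: ET.Element) -> dict:
    """Turn <system.web><elem attr="v" .../></system.web> into {"elem@attr": "v"}."""
    settings = {}
    for elem in system_web:
        for attr, value in elem.attrib.items():
            settings[f"{elem.tag}@{attr}"] = value
    return settings


def _apply(system_web: ET.Element, effective: dict, locked: set) -> None:
    """Merge one <system.web> block, refusing any element a parent has locked."""
    for elem in system_web:
        if elem.tag in locked:
            raise ConfigurationError(
                f'<{elem.tag}> is locked by a parent <location allowOverride="false">')
    effective.update(_flatten(system_web))


def effective_settings(*config_files: str) -> dict:
    """Apply configuration files from the outermost (machine.config) inward."""
    effective, locked = {}, set()
    for xml_text in config_files:
        root = ET.fromstring(xml_text)
        if root.tag != "configuration":
            raise ConfigurationError("root element must be <configuration>")
        # The file's ordinary <system.web> block: children may override these freely.
        for sw in root.findall("system.web"):
            _apply(sw, effective, locked)
        # Its <location> blocks: allowOverride="false" locks every element they set.
        for loc in root.findall("location"):
            locks = loc.get("allowOverride", "true").lower() == "false"
            for sw in loc.findall("system.web"):
                _apply(sw, effective, locked)
                if locks:
                    locked.update(elem.tag for elem in sw)
    return effective


def is_rejected(*config_files: str) -> bool:
    """True when the chain of files violates a lock (handy for vetting a proposed web.config)."""
    try:
        effective_settings(*config_files)
    except ConfigurationError:
        return True
    return False


# Constructed sample parent (machine.config): locks Windows authentication as in the
# book's <location> example and supplies an overridable default for <compilation>.
MACHINE_CONFIG = """
<configuration>
  <location allowOverride="false">
    <system.web>
      <authentication mode="Windows" />
    </system.web>
  </location>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>
"""

# Constructed child web.config that only changes an unlocked setting: accepted.
APP_CONFIG_OK = """
<configuration>
  <system.web>
    <compilation debug="true" />
  </system.web>
</configuration>
"""

# Constructed child web.config that tries to switch to Forms authentication: rejected.
APP_CONFIG_BAD = """
<configuration>
  <system.web>
    <authentication mode="Forms" />
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    print(effective_settings(MACHINE_CONFIG, APP_CONFIG_OK))
    print(is_rejected(MACHINE_CONFIG, APP_CONFIG_BAD))  # True
```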