Same application and directory but different web.config files? - asp.net

I doubt this is possible but one of our web applications is used by customers whereby they have a live/test database. At the moment updates have to go to both folders as there is a directory setup for both and the web.config file points to either the live or the test.
Is there some way I can use just the one directory but 2 web apps in IIS each using a different web.config file or something similar so only 1 place needs to be updated?

You can, but you would have to maintain things in a slightly different way. What you're not telling us is: Are the only places that you're using the separation of config values is in connectionStrings and appSettings? Or are there other differences?
Then you would really need to load these values out of a separate config file, not referenced by the existing config file, and not loaded using System.Configuration.ConfigurationManager or any of its namespaces/utilities. The next step would be to use the incoming URL to segregate the data being used by the settings class to know which of the two data points to load.
Otherwise, if you were to write the app in this manner, this is perfectly valid (just kind of goes against what we're used to doing in the rest of the world).

Depending on your database connection system, you could supply it with a connectionstring based on a usersetting rather than based on the web.config? There has to be some way of deciding which database a user wants to use, this could be something as simple as buttons or dropdown list for selecting, or keep the system with two folders but use an URL route to make them both point to the same files. Then when you instantiate your database connection you can supply the correct connectionstring and you're set.
Edit: After chat the solution has been to put two connectionstrings in web.config, one for the Test database and one for Production. Then add routing to pretend the two folders are still there, with the following basic idea:
routes.Add(new Route("{folder}/{page}", new PageRouteHandler("~/{page}")));
Lastly a function to decide which connectionstring to use based on the folder value in the routing values: Request.RequestContext.RouteData.Values["folder"], and a global refactor to use this dynamic connectionstring rather than a hardcoded one.
For having "multiple" web.configs, you can make a config section specific to a file path, see http://msdn.microsoft.com/en-us/library/b6x6shw7%28v=vs.71%29.aspx However I am not sure wheter this works for connectionstrings.
Example:
<configuration>
<location path="Logon.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>

Related

Set up IIS to use non-standard .config file

Is there a way to tell IIS to read configurations from a different file than web.config?
Why would anyone do this?
Convenience. When working with static resources like an .aspx, or .js, or an MVC view file, it is often sufficient to hit Refresh in the browser to see the effect of that change.
Also, more specific to our scenario is that we re-use some of our code-base in different flavors of the web site, their differences being defined in their respective .config files, and each of these sites run locally on our development clients.
Getting the change to a different location than the one you are actually working in is somewhat time-consuming: A Publish operation will properly compile and copy the entire web application to the target location, copying the individually changed file manually is often... fiddly.
So what I would like for to be possible is this:
I work on my project in c:\workbench\FlavMaster3000. In this folder I create the various flavors of web.config files:
web.apple.config
web.banana.config
web.cherry.config
I create sites in IIS that represents each flavour and set their directory to the same as above.
https://local-apple/
https://local-banana/
https://local-cherry/
And I would like for IIS to read each site's configurations from the respective flavor of .config.
Is this at all possible, or am I a dreamer with a hopeless dream?
-S
You can put your specific configuration in external file(s) and link those files in your web.config file as shown below. However downside is way web.config is watched for any changes in it and gets applied immediately when you save web.config, these external files will not be monitored and you will require to manually restart app pool.
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<appSettings configSource="Myconfigs/myappSettings.config"/>
<connectionStrings configSource="Myconfigs/myconnections.config"/>
<system.web>
<pages configSource="Myconfigs/mypages.config"/>
<profile configSource="Myconfigs/myprofile.config"/>
<httpHandlers configSource="Myconfigs/myhttpHandlers.config"/>
<httpModules configSource="Myconfigs/myhttpModules.config"/>
</system.web>
</configuration>

how can i use same web.config file for two web appliction?

I have two web application. Their folder hierarchy in server is like that.
first one is : .../firstapplitaion
second is : .../firstapplication/secondapplication/Default.aspx
At first can i run them with just firstapplication's web.config file? secondapplication's web config hasnt any special things.
Thanks for your helps..
One way would be to have a section in your web.config files point to an appropriate file, like this
<configuration>
<appSettings file="C:\MyCommonFolder\MyCommonAppSettings.config">
</appSettings>
</configuration>
Hope that helps
If the second app's web.config file is the same why bother to even run them as seperate apps? Why not just make them one app that uses the same web.config? Or were you trying to split them into seperate app pools?
What I have done in a similar situation was to have each site contain it's own seperate web.config but to move all of the shared pieces into my Machine.config. For me it's locatd in the C:\WINDOWS\Microsoft.NET\Framework\vX.X.XXX\Config folder (I would suggest backig it up first). Because of the way the config files work you can put settings in your machine.config and your websites will inherit these settigs. So put any shared settings there, with very unique names, and you should be set.

Restricting public access to a file on an ASP.NET site

Trying to prevent access to a specific file, not any files with a certain extention, just one specific file.
The issue is that the end user can just type: /filename.xml into their browser and can see the contents of this file, i'd rather they not be able to see this.
Things I have tried:
1) Putting the file elsewhere
I have a "secure" folder as part of my hosting account. So I figured i'd just change the path to: "..\..\..\SSL\FileName.xml" and move the file there. ASP.NET crashes on this one with the error:
Cannot use a leading .. to exit above the top directory
So I presume that's in place for security purposes.
2) Location in web.config
So next I tried to use this in the web.config:
<location path="FileName.xml">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
This doesn't seem to do anything.... anyone know why? I'm not specifically using ASP.NET authentication in this app, is that why this doesn't work?
3) Using IIS to prevent access
Alas, I do not have access to IIS as I have a terrifically lame hosting account.
So does anyone know what i'm doing wrong with the above attempts or have any alternative solutions I can try?
kthxbye!
Can you add the ASP.Net folder "App_Data" to your application, and put the xml file in there? This folder is specifically meant to hold this type of data and hide it from browsers/users, but keep it within your application scope.
alt text http://img178.imageshack.us/img178/7708/appdata.png
As to why the authorization directive in your web.config file is not working, it's because the ".xml" file extension is not handled by the ASP.Net pipeline. You would need to configure your IIS to send all requests for xml files through the ASP.Net request handlers in order to apply that security directive to it.
IIS Doesn't handle xml files (just post them to requester) and thus security does not work. Surprisingly on Mono platform in would work... anyway, You can make this workarounds:
Store file in really secure folder and access it using aspx page (file name as parameter)
Store file in db and rest like in 1
Store file whatever in Your hosting account folders and give it GUID name, then store GUID and real file name connection in DB and handle file download thru aspx page.

Different configuration files for development and production in ASP.NET application

On a project I'm working on we have a web application with three configuration files;
Web.Config
Web.Config.TestServer
Web.Config.LiveServer
When we release to the test server, Web.Config is renamed to Web.Config.Development and Web.Config.TestServer is renamed to Web.Config, making that configuration active for the application.
It is quite onerous keeping three very similar configuration files up to date, and this system is used across a number of applications which are part of this project; not just the website.
The differences in configuration are most commonly local directories or paths, URLs, IPs, port numbers, and email addresses.
I'm looking for a better way.
While your approach seems tedious, I find it to be the best approach.
I used to keep all of my configurations in a single web.config file, and simply had the "production" section commented out.
Shortly after this I had to do a "hybrid" test where my lookup data was coming from the production server, but the new data was being inserted into the test database. At that point I had to start piece-mealing what parts of the configuration block to comment/uncomment, and it became a nightmare.
Similarly, we have our server administrators do the actual migration from test to production, and most of them aren't fluent enough in .NET to know how to manage the web.config files. It is far easier for them to simply see a .test or .prod file and migrate the proper one up.
You could use something like a database to store all your configurations, but then you're running into another layer of abstraction and you have to manage that on top of things.
Once you get the knack or the template of how your two (or three) configuration files will be setup, it becomes a lot easier to manage them and you can have your test server configuration get modified for some unique testing without much hassle.
If you have a db server in the mix, you can create a table that has the config, the property name, and the property value in it, then all you have to do is change one value in the web.config, the config name (dev, test, prod).
If you have different dbs for each config, then the only thing that's different is the connection string.
Use Config Transformation and there is a blog here about it.
http://blogs.msdn.com/b/webdevtools/archive/2009/05/04/web-deployment-web-config-transformation.aspx
Basically you create targets named web.{build configuration}.config. In each target file you write your transformation where you can add, delete and modify nodes and attributes. Example could be
web.staging.configss
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<connectionStrings>
<add name="personalDB"
connectionString="Server=StagingBox; Database=personal; User Id=admin; password=StagingPersonalPassword"
providerName="System.Data.SqlClient" xdt:Transform="Replace" xdt:Locator="Match(name)" />
<add name="professionalDB"
connectionString="Server=StagingBox; Database=professional; User Id=professional; password=StagingProfessionalPassword"
providerName="System.Data.SqlClient" xdt:Transform="Replace" xdt:Locator="Match(name)"/>
</connectionStrings>
</configuration>
You then execute the transform by calling MSBuild {project file} /t:TransformWebConfig /p:Configuration=Staging

What replaces .htaccess on IIS/ASP.NET sites?

On Apache/PHP sites if I want to put a senstive file within my website folders, I put a .htaccess file in that folder so users can't download the sensitive file.
Is there a similar practice for IIS/ASP.NET sites, i.e. if I have a shared hosting account and don't have access to IIS server. Can I do this in web.config for instance?
e.g. the ASPNETDB.MDF file that ASP.NET Configuration put in the App_Data directory. I would assume this is protected by default but where can I change the settings for this folder as I could with a .htaccess file?
Inside of an ASP.Net web.config you can setup locations to add security to specific files and folders. In addition, you can remove all verbs from those directories:
<location path="Secret" allowOverride="false">
<system.web>
<authorization>
<deny users="*" />
</authorization>
<httpHandlers>
<remove path="*.*" verb="*"/>
</httpHandlers>
</system.web>
</location>
I have only used the authorization portion of that snippet and it works great. The handler should further lock it down and using a ISAPI filter would be able to put the finishing touches on it.
Well, if you can access IIS settings, UrlScan can help. For IIS 7, request filtering can help a lot.
http://learn.iis.net/page.aspx/473/using-urlscan
http://learn.iis.net/page.aspx/143/how-to-use-request-filtering/
There are some things you can do with web.config like defining security settings etc...
Other times you have to use HttpModules or HttpHandlers, look here:
http://msdn.microsoft.com/en-us/library/aa719858(VS.71).aspx
If not, you can find different ISAPI, but in this case you need access to IIS.
For example, the ISAPI for emulating rewrite mod apache:
> http://www.codeplex.com/IIRF
The other question, yes ASPNETDB.MDF in APP_Data is protected normally (it depends on your administrator). To change the path, change the connectionstring.
There are two cases:
If the server is using IIS7 then there is equivalent functionality available using the web.config approach for all files.
If the server is using IIS6 or earlier (and for the time being this is by far the most likely case for shared hosting) then its more of a problem. If you can force all your requests to go via the ASP.NET handler (which normally requires access to the server to configure) then again the web.config approach will work but otherwise you're going to need other tools and a sympathetic hosting provider. For this reason alone one probably wants IIS7...
That said for asp.net there are files that are protected by default anyway - files in app_data as already mentioned plus specific file types (like .config). Additionally one would expect a decent host to provide a directory that is not accessible via the web - ours offer a private and a web folder, both accessible via FTP but only the contents of the latter via the web.
As per the [documentation on Application Folders][1], IIS won't serve requests to content stored in the /app_data folder although your application can read and interact with those files.
ASP.NET recognizes certain folder names that you can use for specific types of content. The following table lists the reserved folder names and the type of files that the folders typically contain.
Note
The content of application folders, except for the App_Themes folder, is not served in response to Web requests, but it can be accessed from application code.

Resources