I know that there at least two approaches to leverage the web.config file:
using the configSource attribute which was introduced in .NET 2.0 - here is a good blog entry about it.
The file attribute of the appSettings tag which lets you point to an external file with a relative path. Described in the MSDN documentation on the appSettings element.
Now, my problem is that both approaches work well only for physical paths. But I need to address a config file which is in a virtual directory.
Which other method could I use to put my config resources in a virtual directory?
Note: I want to do it this way, because I have multiple instances of my web application on the same server (and that on many servers). To keep deployment easy and clean, I want to keep one directory for all the files (aspx, ascx, images, css, js etc.) and point the web apps in IIS for different customers (=domains, https etc.) to this single directory. In every IIS web I would have a virtual directory called "custom" which points to a different folder for each web.
Update: I'd like to point out that this virtual directory "custom" is not suited to contain an inherited web.config - that web.config would be valid only for the custom folder which doesn't contain aspx/ascx files.
I have the same scenario and after reading you post I realised that asp.net won't let you do this for various security reasons.
Therefore I turned to the OS to find an equivalent to the Linux soft link function which in turn led me to the Junction utility from sysinternals. This can create a directory that is actually any other directory on that volume and asp.net can't tell the difference and so happy loads the config sections that are not actually in a subdirectory of you website. Works for me :)
Virtual Directories can be set as applications, and you can just place another web.config there.
It will inherit any changes from the parent config, and you can add custom settings in it.
I was looking to do the same thing but it did not work, so I decided to do the opposite, as you know the web.config can be inherited, so I pointed IIS to a folder containing the client config (connection string, file path etc) files and the website files i put them on a virtual directory with the rest of the webconfig (where it load dll and other application files needed)
So basically i can use the website files to multple clients and the clients with their own Database connection string and other specific client settings.
Related
Strange question but hopefully its possible.
we have files in the root of our site (/files) these are uploaded through the main cms side of the website (/admin) and to be accessed by people who have access to the (/school) directory.
At the moment, if you have the direct link URL EDIT TO THE FILE you can gain access to the file
the files folder has its own web.config file with some rules, is there a way i can add some of my own authentication within the web.config to only allow requests that come from the School folder to have access to the files?
In my head i would have a piece of VB code that does something like this:
If (Request.UrlReferrer <> Nothing) Then
If Page.Request.UrlReferrer.ToString.Contains("/School/") = True Then
???
End If
Else
Response.Redirect("index.aspx")
End If
I've tested this in a simple page and it seems to work okay.
Well, I would assume that the users who can use school folder are memembers of a secuirty role called School (or some such).
thus, any user not a member of school can't use the pages (or files) in the school folder.
Since you want the SAME restricitons for the folder files, then use the same web.config to secure the files folder.
That will mean only users who can use the shools folders will also be the same group of people that only use the files folder.
Now the above will not stop members of securty role "school" from typing in any valid URL to the files folder. So, if you want to prevent this, then I would suggest that for all files up-loaded, you create a folder inside of files folder based on their PK row in the membership table (Memebership.ProviderKey).
Then what you would do is turn off all role groups rights to the files folder. I perfer not EVER allowing a direct URL to files.
Remember, only IIS respects the IIS security settings and provider for a web based URL. Code behind is 100% free to load, read, write, use, play with ANY file via code behind. Code behind uses plain jane FULL path names - and those path names and file names used by code behind does NOT care nor use IIS security settings. Only web based URL's dish out by IIS respect and use the IIS security settings you have for the schools folder. So, copy the web.config for schools over to files, and you are done.
But, code behind? it does not care nor use those settings at all.
So, code behind does NOT use nor respect nor care about IIS security settings. IIS role membership ONLY applies to the asp.net pages and web based URL's. But, code behind is a 100% free to get and grab any file on the system - even files outside of the wwwroot path name of the web site.
So, as a 2nd level and better security?
I would not allow ANY URL's to the files folder.
You then display a grid or list of files on the web page, and code behind for the download button can then go read/get the file (you can use TransMitFile to download that file)
So, best approach is to not allow ANY valid URL's to the files folder.
However, for now, since you only want people who can use the schools folder also be the SAME people that can use the files folder? Then just use the same web.config for both folders - only those people with role of "school" will thus have use and rights to the files folder.
From the information you provided, then you don't really need any code changes - only to take the security settings from the school folder web.config, and copy that to the files folder, and you should be done.
Now, it is possible that the schools folder is not secured by using IIS security and roles - but then again, that would a epic face plant and horrible design choice.
I've had a very frustrating experience on putting an MVC 5 app on Azure. I have been reading the following page: http://www.asp.net/identity/overview/features-api/best-practices-for-deploying-passwords-and-other-sensitive-data-to-aspnet-and-azure
But what I haven't managed to put in my head is the following:
Security Warning: Do not add your secrets .config file to your project or check it into source control. By default, Visual Studio sets the Build Action to Content, which means the file is deployed. For more information see Why don't all of the files in my project folder get deployed? Although you can use any extension for the secrets .config file, it's best to keep it .config, as config files are not served by IIS. Notice also that the AppSettingsSecrets.config file is two directory levels up from the web.config file, so it's completely out of the solution directory. By moving the file out of the solution directory, "git add *" won't add it to your repository.
And:
Security Warning: Unlike the AppSettingsSecrets.config file, the external connection strings file must be in the same directory as the root web.config file, so you'll have to take precautions to ensure you don't check it into your source repository.
The problem is the following: When I upload the Web.config file with the external files without being included I get hit by "The System cannot find the file specified", so for it to go away I must include the .config files defeating the purpose of Microsoft's post.
I really really really do not understand. I have added the connectionStrings and appSetting's keys in Azure's portal. What is the correct and secured way of putting my passwords and secrets online? What am I missing? Is it because I'm running in Debug mode?
According to this:
How can I secure passwords stored inside web.config?
There is nothing to worry about accessing the Web.config file...
But that just defies Microsoft's post.
Thanks.
I find the following technique to be the easiest way to do this.
Instead of putting the deployment values of these settings into the web.config, I keep the test values in there instead. I then put the deployment values into the Application Settings section of the Azure Website via the Azure Portal:
When the website runs, these settings will take precedence over what is in the web.config. This helps me avoid externalized files, allows me to keep sane development configuration that the team can share, and makes deployment very easy.
The best way is to set your secrets in the Connection Strings section of the portal. Any values set there will override values you specify in your web.config file.
This way they are only exposed to people who have admin access over the site itself. Having full access to the source won't even be enough to get the secret values.
More details here
I am looking to use the below asp.net 4.0 web application structure but not quite sure how to achieve my result as explained below. What configuration will be needed to handle path issues for referencing both. For example ~/css/style.css needs to dig into the WEBSITE. I know I will have to create a helper for RESOURCES -- WebResourcePath("images/image1.jpg") returns full path if that works in a separate virtual directory?
Default Web Site
>SAR-GROUPS
SARGROUPS_WEBSITE
SARGROUPS_RESOURCES
All website files like aspx, js, css, etc. normal web files go in the WEBSITE folder. The RESOURCES folder will contain other files like pdfs, xml, txt, images, and files . These files will not need to be uploaded or updated during deployments and can remain untouched. When I deploy the WEBSITE I only need to delete the WEBSITE folder and copy the new precompiled folder in SAR-GROUPS again. I have to deploy like this as it is automated deployment from scrips that run so this is an xcopy deployment.
Does anyone have good practices or a working setup to achieve this. I am not looking at alternate methods unless it cannot be done or the other way is much better for auto builds.
Thanks
If the files in the SARGROUPS_WEBSITE directory need to reference resources in the SARGROUPS_RESOURCES directory then why not just make the SARGROUPS_RESOURCES virtual directory inside the SARGROUPS_WEBSITE directory? This way you can point the SARGROUPS_RESOURCES virtual directory at a physical location on the disk and delete the contents of SARGROUPS_WEBSITE without touching the resources.
So structure would be
Default Web Site
>SAR-GROUPS
SARGROUPS_WEBSITE
SARGROUPS_RESOURCES
But the physical structure could be anything
You can then reference them like
~/SARGROUPS_RESOURCES/css/style.css
*untested
EDIT
You've totally not understood my answer and/or virtual folders.
Physical structure example:
D:\Inetpub\WEBSITE
D:\Inetpub\RESOURCES
IIS structure:
IIS Root -> Site (that is a website and points to D:\Inetpub\WEBSITE)
IIS Root -> Site > Resources (that is a virtual directory and points to D:\Inetpub\RESOURCES)
Doing a project between multiple people, and a few components (web app, services app and some others). We will be storing some information inside the Content folder of the web app so it can be accessed directly from the web server with an href, however other components outside of the web app need to access this folder as well, and since we are sharing the project between multiple people using an absolute path is not an option. What options do we have?
EDIT: Trying to explain it a little better.
What i have exactly is, a web project, a "data project" which is just a dll, a "logic" project which is another dll and a services project which is an exe/service.
Both the web project and service project consumes the methods from the logic, and the logic from the data project. Being the last one the responsable for storing data (in a database) and also in the file system.
This "filesystem" path should be configurable, and we are aiming to put it into the content folder of the web project so multimedia files can be accessed directly rather than doing a byte stream.
Now in the web.config(config file of the web app), and app.config(config file of the services app) i could set the absolute path to web/content (the same for both config files) and the data dll would use it without problems. Now the main problem is that we cannot put an absolute path in the config file because each person works on a different computer with obviously different file paths. So if i could just write something like: ~/project/Web/Content rather than C:/myfolder/stuff/blabla/project/web/content in the config files, with ~ resolving the path to the project, this is what i want! Or maybe better ideas about how to share a folder with these apps without adding absolute paths hardcoded somewhere.
What you want to use is:
Server.MapPath("/Content/filepath.ext");
This will give you the absolute path of a file based on it's position within the website, in this case, from the /Content directory.
For a program external to the website, you have a couple options;
The easiest to implement might be a simple configuration value in the external program which points to the directory. My guess is you've already decided that's not ideal, but it may be the quickest way.
Alternatively, there's a Microsoft .NET assembly which gives you easy access to IIS information (I can't recall its name off the top of my head!). You could use this assembly to find the appropriate website, and retrieve its root directory. I'll see if I can find it and get an example, or maybe someone else will see this and post an answer with that information.
Please check the following method "ResolveClientUrl"
MSDN
Use the ResolveClientUrl method to return a URL string suitable for use by the client to access resources on the Web server, such as image files, links to additional pages, and so on.
http://msdn.microsoft.com/en-us/library/system.web.ui.control.resolveclienturl.aspx
The server is IIS7.
Is there a way to disable web.config files in subfolders?
I am asking because, I have a folder on the web server that is for uploads. When someone uploads files, a new folder is created for the user's session and the files they upload go in the folder.
So the path to uploads would be like this:
~/uploads/3F2504E0-4F89-11D3-9A0C-0305E82C3301/somefile.txt
In the ~/uploads/ directory there is a web.config file that removes all http handlers except the static file handler and adds a wildcard mime type. So every file that a user uploads will only ever be served statically.
If a user uploads a web.config file, I want to disallow any of the settings in that file from being applied.
How can I do this?
EDIT
Could I just make the upload folder an application that is a member of an application pool configured to run in Classic mode instead of Integrated Pipeline mode? That way it wouldn't even care about a web.config file.
EDIT 2
Is there another type of webserver I could install for serving all files statically? I could just access the files through a different port. Is there some software that I can be sure wont run any scripts and is safe.
I simply wouldn't allow them to upload a file with that name. In fact, I normally wouldn't trust any filename that the user gave me... makes a great candidate for an injection-style attack.
Ok I have a different angle on this...
What if your uploads folder was not part of the website and instead part of the file system? This way ASP.NET is not processing requests to the folder and thus web.config wouldn't be loaded by the ASP.NET runtime.
You'd have to give your app pool's account read/write access to the file system where these files are stored, but I think it better fits what you're trying to accomplish.
Obviously it could be done in code.
If the folders always exist, you could pre-populate with a web.config with no (significant) content and an ACL to ensure it cannot be overwritten, but looking at the path it I suspect you create the upload folders dynamically which means this would not work.
I don't believe there is a way to tell IIS not to use a web.config (but I could be wrong). Personally, I would add a check to my save code and rename the file.
Why not just check the filename first to prevent the user from uploading a file named web.config? You're probably going to want to check for other things too before allowing the upload - files that are too big, etc.