ASP.NET Configuration Scenarios
When the server receives a request for a particular Web resource, ASP.NET computes the configuration settings for that resource hierarchically, using all configuration files that are located in the virtual directory path for the requested URL. The most local configuration settings override settings in parent configuration files.
Configuration Scenario 1
For example, you could have a Web site with the following physical file structure, where the Application Root directory is the application virtual directory.
Normally, the last configuration setting overwrites settings for the same section provided in parent directories. In the case of a collection element, the settings are not overridden; they are added to the collection.
A custom section handler might implement a different inheritance scheme.
Assume that there is a Web.config file in the SubDir1 directory and none in the Application Root or SubDir2 directories. In this case, ASP.NET uses three configuration files to compute the configuration settings for the SubDir1 directory. The highest-level file is the one located in the %systemroot%\Microsoft.NET\Framework\versionNumber\CONFIG directory. This file, which is named Machine.config, is at the machine level. All of the .NET Framework applications that run the specified version of the .NET Framework (versionNumber) inherit settings from this file. The next highest-level file is the root Web.config file, which is in the same location. All ASP.NET applications that run the specified version of the .NET Framework inherit its settings. The third configuration file is the Web.config file, which is located in the
Assume that the Web.config file in the SubDir1 directory contains the anonymousIdentification element with the enabled attribute set to true. The default setting for the enabled attribute is false. This is an internal default and is not specified in any of the root configuration files. Since there is no configuration file in the Application Root or SubDir2 directories that modifies the anonymousIdentification element, anonymous users do not have access to the ASP.NET resources in these directories. However, anonymous users do have access to the ASP.NET resources in the
The ASP.NET configuration system applies only to ASP.NET resources, which are the resources registered to be handled by ASP.NET using Aspnet_isapi.dll. By default, the configuration system does not provide authorization for non-ASP.NET resources. ASP, HTML, TXT, GIF, and JPEG files, for example, are accessible by all users. In the preceding example, if directory browsing is enabled and no other restrictions are in place, all users can view non-ASP.NET files located in the application root directory,
Configuration Scenario 2
The following Web site has a file structure in which the application virtual directory maps to the application root directory (
MyAppRootDir
    SubDir1
        SubDir1A
    SubDir2
Except during conditions described in the "Restrictions on ASP.NET Inheritance" section in ASP.NET Configuration File Hierarchy and Inheritance, a configuration setting in any directory overrides the settings written in parent directories. For example, you can configure the application settings to grant all users access to the ASP.NET resources in SubDir2, but grant only selected users access to the ASP.NET resources in SubDir1A, by completing the following steps:
MyAppRootDir as is. The ASP.NET resources in MyAppRootDir inherit the default settings from the Machine.config file, one of which allows anonymous access. At this stage, MyAppRootDir and the three subdirectories inherit this authentication setting.
Place a Web.config file in SubDir1 with authentication set to allow only selected users access to SubDir1. This overrides the anonymous access allowed by the setting in the Machine.config file and inherits downward to
SubDir2, which is at the same level as SubDir1, does not inherit the authentication setting in
All ASP.NET applications inherit the default settings in the Web.config file at the root Web level. The default setting for the security configuration section of this file allows all users to access all URL resources. There is no configuration file in the example's application root directory that modifies security, so all users have access to the ASP.NET resources in it (because that directory inherits from the machine-level configuration file). If the Web.config file in the SubDir1 directory contains a security configuration section that grants access only to certain users, then SubDir1A inherits that setting. Thus, all users have access to the ASP.NET resources in the application root directory and in SubDir2, but only selected users have access to the ASP.NET resources in
Configuration Scenario 3
Configuration settings for virtual directories, which are friendly names for directories that simplify access paths and hide the names of real directories, are independent of physical-directory structure. As a result, virtual directories must be organized carefully to avoid configuration problems. For example, you might set up virtual directories to retrieve the ASP.NET page named MyResource.aspx from the following physical directory structure.
MyDir
    SubDir1 (mapped from VDir1)
        SubDir1A (mapped from VDir1A)
            MyResource.aspx
    SubDir2
In this example, there is a Web.config file in SubDir1 and another Web.config file in SubDir1A. If a client accesses C:\Subdir1\Subdir1A\MyResource.aspx using the URL http://localhost/vdir1/subdir1A/MyResource.aspx, the resource inherits configuration settings from Vdir1. However, if the client accesses the same resource using the URL http://localhost/vdir1A/MyResource.aspx, it does not inherit settings from Vdir1. Therefore, creating virtual directories in this manner is not recommended because it can cause unexpected results or even an application failure.
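The following audit sketch is an added example, not code from ASP.NET or from this documentation. It models the Scenario 3 lookup in simplified form by walking each URL prefix, mapping it to a physical directory, and listing which Web.config files apply, so that a restrictive Web.config skipped by an alias URL shows up. The site root path and the function names (map_path, config_chain, skipped_configs) are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# Constructed layout for Scenario 3. SITE_ROOT is an assumed placeholder;
# C:\Subdir1 and the two virtual directory names come from the page.
SITE_ROOT = PureWindowsPath(r"C:\inetpub\wwwroot")
SUBDIR1 = PureWindowsPath(r"C:\Subdir1")
VDIRS = {"/": SITE_ROOT, "/vdir1": SUBDIR1, "/vdir1a": SUBDIR1 / "Subdir1A"}
# Directories that contain a Web.config file in the scenario.
WEB_CONFIGS = {SUBDIR1, SUBDIR1 / "Subdir1A"}


def map_path(vpath):
    """Map a virtual path to a physical directory via the longest matching vdir."""
    vpath = vpath.lower().rstrip("/") or "/"
    matches = [v for v in VDIRS
               if vpath == v or vpath.startswith(v.rstrip("/") + "/")]
    best = max(matches, key=len)
    rest = vpath[len(best):].strip("/")
    return VDIRS[best] / rest if rest else VDIRS[best]


def config_chain(url_path):
    """Directories whose Web.config applies to url_path, outermost first.

    Machine.config and the root Web.config always apply and are omitted.
    """
    dirs = [s for s in url_path.split("/") if s][:-1]  # drop the file name
    prefixes = ["/"] + ["/" + "/".join(dirs[:i]) for i in range(1, len(dirs) + 1)]
    return [p for p in map(map_path, prefixes) if p in WEB_CONFIGS]


def skipped_configs(reference_url, alias_url):
    """Web.config directories applied via reference_url but not via alias_url."""
    alias = set(config_chain(alias_url))
    return [d for d in config_chain(reference_url) if d not in alias]


if __name__ == "__main__":
    long_url = "/vdir1/subdir1A/MyResource.aspx"
    short_url = "/vdir1A/MyResource.aspx"
    for url in (long_url, short_url):
        print(url, "->", [str(d) for d in config_chain(url)])
    print("skipped via alias:", [str(d) for d in skipped_configs(long_url, short_url)])
```

A non-empty result from skipped_configs means the alias URL reaches the resource without the settings in that directory's Web.config, which is the case to review when that file carries authorization rules.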
Internet Information Services (IIS) is the Web server for all resources published over the Web. The ASP.NET configuration system applies only to ASP.NET resources, which are the resources that are registered to be handled by ASP.NET using Aspnet_isapi.dll. By default, the configuration system does not provide security for non-ASP.NET resources. For example, ASP, HTML, TXT, GIF, and JPEG files are accessible by all users. In the preceding example, if directory browsing is enabled and no other restrictions are in place, all users can view non-ASP.NET files located in the application root directory,