JavaScript EditorJavascript debugger     Javascript examples


Team LiB
Previous Section Next Section

Appendix B: ASP.NET Configuration Elements

Overview

This appendix lists the syntax for each configuration element and describes the attributes and child elements available for that element (where applicable). The names of configuration elements and their attributes are case sensitive and are in what is referred to as camel case. In camel case, the entire first word of a name is lowercase, and the initial letter of each additional word in the name is capitalized. For example, the sessionstate configuration element becomes sessionState. Remember that if you don’t use camel case with both configuration element names and attribute names, you’ll get an error when you try to access a page in the application.

<trace>

The <trace> element allows you to enable or disable application-wide tracing (see Chapter 14 for more information on this useful feature), as well as set the parameters for the tracing functionality. When tracing is enabled, you can review information about requests received by the Web server with the special URL http://<servername>/<appname>/trace.axd. The <trace> element has the following syntax:

<trac    enabled="true|false    localOnly="true|false    pageOutput="true|false    requestLimit="integer    traceMode="SortByTime|SortByCategory" />

Table B-1 describes the <trace> element attributes in more detail.

Table B-1: <trace> Element Attributes

Attribute

Description

Options

enabled

Determines whether application-level tracing is enabled for the application.

true: Turns on application-level tracing.

false: Turns off application-level tracing.

The default is false.

localOnly

Determines whether trace information is viewable by computers other than the local Web server.

true: Trace output can be viewed only from the local Web server.

false: Trace output is viewable from any machine.

The default is true.

pageOutput

Determines whether trace output is appended to each ASP.NET page in the application or is available only through trace.axd.

true: Trace output is appended to each page within the scope of the configuration file.

false: Trace output is available only by browsing the special trace.axd URL.

The default is false.

requestLimit

Determines the number of requests that are stored for review through the trace.axd URL. Once this limit has been reached, the current trace must be cleared by browsing trace.axd to collect information on additional requests.

The default is 10, but the higher this number, the more overhead is involved in tracing. Set this number as small as is feasible.

traceMode

Determines the sort order of the requests stored.

SortByTime: Sorts trace information by the order in which events are processed. SortByCategory: Sorts trace information alphabetically by category. When used with the Trace.Write method, SortByCategory can be useful for grouping Trace.Write statements using the same category argument. The default is SortByTime.

<globalization>

The <globalization> element controls globalization settings for ASP.NET applications. This includes the encoding used for requests, responses, and files, as well as settings for specifying the culture to be associated with Web requests and local searches. The <globalization> element has the following syntax:

<globalizatio    culture="any valid culture string    fileEncoding="any valid encoding string    requestEncoding="any valid encoding string    responseEncoding="any valid encoding string    uiCulture="any valid culture string" />

Table B-2 describes the <globalization> element attributes in more detail.

Table B-2: <globalization> Element Attributes

Attribute

Description

Options

culture

Determines the culture (such as language defaults) used to process incoming Web requests.

This attribute must be set to a valid culture string. For a list of valid culture strings, see the Microsoft .NET Framework documentation entry for the System.Globalization.CultureInfo class.

fileEncoding

Determines the type of character encoding used for parsing ASP.NET application files (.aspx, .asmx, and .asax).

This attribute must be set to a valid encoding string. If this attribute is not included in either Machine.config or Web.config, encoding is based on the machine’s Regional Options setting in Control Panel.

requestEncoding

Determines the type of character encoding used to process incoming Web requests.

This attribute must be set to a valid encoding string. If this attribute is not included in either Machine.config or Web.config, encoding is based on the machine’s Regional Options setting in Control Panel. The default is utf-8.

responseEncoding

Determines the type of character encoding used to encode outgoing responses.

This attribute must be set to a valid encoding string. If this attribute is not included in either Machine.config or Web.config, encoding is based on the machine’s Regional Options setting in Control Panel. The default is utf-8.

uiCulture

Determines the culture (such as language defaults) used to process searches that are culture- or locale-specific.

This attribute must be set to a valid culture string. For a list of valid culture strings, see the .NET Framework documentation entry for the System.Globalization.CultureInfo class.

<httpRuntime>

The <httpRuntime> element controls several aspects of the ASP.NET HTTP runtime engine. The <httpRuntime> element has the following syntax:

<httpRuntim    appRequestQueueLimit="number of requests enableKernelOutputCache="true|false enableVersionHeader="string    executionTimeout="seconds    maxRequestLength="kbytes    minLocalRequestFreeThreads="number of threads    minFreeThreads="number of threads    useFullyQualifiedRedirectUrl="true|false" />

Table B-3 describes the <httpRuntime> element attributes in more detail.

Table B-3: <httpRuntime> Element Attributes

Attribute

Description

Options

appRequestQueueLimit

Specifies the number of requests that ASP.NET will queue when no threads are available to process them, before returning a “503– Server Too Busy” error message.

Increasing this value can result in unacceptably long wait times for users, so use caution and test carefully when making adjustments to this value. The default is 100.

enableKernelOutputCache

Specifies whether the http.sys cache is enabled for IIS 6.0 and higher. New for version 1.1.

Kernel output caching can significantly improve performance. The default is true.

enableVersionHeader

Specifies whether the X-AspNet-Version header is output with each request. New for version 1.1.

The default is true.

executionTimeout

Determines amount of time, in seconds, that an ASP.NET request can continue executing before being shut down.

This attribute, which is similar to classic ASP’s Server.ScriptTimeout property, can be used to prevent hung or long- running requests from consuming more resources than necessary. This attribute should be set somewhere higher than the average time it takes to process requests, but not so high as to allow processor overutilization by errant or inefficient pages. The default is 90 seconds.

maxRequestLength

Determines maximum size of incoming file uploads, in kilobytes.

This attribute is designed to help prevent denial of service attacks mounted by uploading large files to a server. Set it to the smallest size feasible for files you expect your users to upload. The default is 4,096 kbytes.

minFreeThreads

Configures the minimum number of threads ASP.NET will keep free for processing new requests.

The default is 8.

minLocalRequestFreeThreads

Configures the minimum FreeThreads number of threads ASP.NET will keep free for processing requests coming from the local machine. Maintaining these free threads can help prevent deadlocks in multithreaded processing. Note that this is incorrectly identified in the current .NET Framework documentation as minFree LocalRequestFreeThreads.

The default is 4.

useFullyQualifiedRedirectURL

Determines whether relative or fully qualified URLs are used for client-side redirects. This attribute allows developers to support certain mobile controls that require fully qualified URLs for client-side redirects.

true: Client-side redirects are fully qualified.

false: Client-side redirects are relative. The default is true.

<compilation>

With 10 attributes and two child elements, the <compilation> element is one of the more extensive ASP.NET configuration elements and contains settings that determine how ASP.NET compiles code in your Web applications and Web Services. The settings you’ll see most frequently are the debug and defaultLanguage attributes, which are placed in your application’s Web.config file by default when you’re using Microsoft Visual Studio .NET. Other settings, such as the <assemblies> and <namespaces> child elements, are equally important but usually are inherited from the settings in Machine.config, unless overridden by a developer.

The <compilation> element has the following syntax:

<compilatio    batch="true|false    batchTimeout="seconds    debug="true|false    defaultLanguage="language    explicit="true|false    maxBatchSize="number of pages    maxBatchGeneratedFileSize="kbytes    numRecompilesBeforeAppRestart="number    strict="true|false    tempdirectory="directory" >    <compilers>       <compile          extension="file extension          language="language          compilerOptions="compiler options          type=".NET type          warningLevel="number" />    </compilers>    <assemblies>       <add assembly="assembly name" />       <remove assembly="assembly name" />       <clear />    </assemblies> </compilation>

Table B-4 describes the <compilation> element attributes in more detail.

Table B-4: <compilation> Element Attributes

Element

Attribute

Description

Options

<compilation>

 

Determines compiler options for the application. Supports the <compilers> and <assemblies> child elements.

 
 

Batch

Determines whether the application supports batch compilation of ASP.NET pages. When batch compilation is enabled, ASP.NET will attempt to compile all ASP.NET pages within the application directory on the first request. This prevents later page requests from having to be compiled on request.

true: Batch compilation is supported.

false: Pages will be compiled one by one as they are requested.

The default is true.

 

BatchTimeout

Determines the amount of time, in seconds, before timeout of batch compilation. If the timeout is exceeded, the compiler will switch to per- request compilation mode.

This setting will vary depending on the size of an application and the amount of time you are willing to allow for batch compilation.

The default is 15 seconds.

 

Debug

Determines whether debug information is included in compiled assemblies for ASP.NET pages and Web Services. This attribute should always be set to false in a production application because debug assemblies are larger and don’t perform as well as release-type assemblies.

true: Assemblies are compiled with debug info.

false: Assemblies are compiled without debug info.

The default is false.

 

DefaultLanguage

Determines the language(s) to be used during dynamic compilation.

This attribute is the name of a language, as specified by one of the <compiler> child elements.

The default is vb.

 

Explicit

Determines whether ASP.NET compiles pages written in Microsoft Visual Basic .NET using the Visual Basic Option Explicit compiler option (which forces explicit declaration of variables). Enabling this setting makes it easier to locate and fix common problems, such as misspelled variable names, that otherwise wouldn’t be discovered until runtime.

true: Enabled.

false: Disabled.

The default is true.

 

maxBatchSize

Determines the maximum number of pages for batch compilation.

The default is 1,000.

 

maxBatchGeneratedFileSize

Determines the maximum combined size, in KB, of the generated source files in batch compilation.

The default is 3,000.

 

numRecompiles- BeforeAppRestart

Determines how many times application resources can be dynamically recompiled before the application is automatically restarted. This setting can be configured at both the application level and the global level through Machine.config.

The default is 15.

 

strict

Determines whether ASP.NET compiles pages written in Visual Basic .NET using the Visual Basic Option Strict compiler option (which prevents type conversions that would result in data loss, late binding, and other error-prone coding habits) to your .aspx files before compilation.

true: Enabled.

false: Disabled. It’s a good practice to turn this on, through either Machine.config or Web.config, through the Visual Studio .NET properties dialog box for the project (choose Build under Common Properties), or by adding Option Strict to the page or module you’re working on. This makes it easier to fix common problems, such as overflows or rounding errors, that otherwise wouldn’t be discovered until runtime.

The default is false.

 

tempDirectory

Determines the directory in which the temporary ASP.NET files resulting from dynamic compilation will reside.

Any valid directory.

<compilers>

 

Child element containing individual <compiler> child elements.

 

<compiler>

 

Determines options for specific language compilers. One or more of these child elements can be contained within the <compilers> element.

 
 

extension

Determines the file extension used by dynamically compiled code-behind modules for a specific compiler. The extensions for the three most commonly used ASP.NET languages (Visual Basic .NET, Microsoft C#, and Microsoft JScript .NET) are included in Machine.config, so you don’t need to set them yourself unless you want to add additional extensions for one of these languages.

String representing the file extension (.vb, .cs, and so on). Use semicolons to delimit multiple extensions. This setting should match the language specified in the language attribute. This attribute is required.

 

language

Determines the list of language names to be handled by a specific compiler. The names for the three most commonly used ASP.NET languages (Visual Basic .NET, C#, and JScript .NET) are included in Machine.config, so you don’t need to set them yourself unless you want to add additional names for one of these languages.

String representing the language name (vb;visualbasic; vbscript). Use semicolons to delimit multiple names. This setting should match the language specified in the extension attribute. This attribute is required.

 

compilerOptions

Determines any compiler- specific options to be passed along during compilation.

Consult the .NET Framework SDK documentation to determine available options.

 

Type

Determines which .NET class or assembly is used to compile resources using the language specified in the language attribute, or with the extension in the extension attribute. The types for the three most commonly used ASP.NET languages (Visual Basic .NET, C#, and JScript .NET) are included in Machine.config, so you don’t need to set them yourself unless you want to modify the type for one of these languages (not recommended).

This attribute is a comma-delimited list that can include the class name, assembly name, and version information. The Machine.config file contains good examples of the syntax for this attribute. This attribute is required.

 

warningLevel

Determines the compiler warning levels, which determine the types of warning messages (and the severity) that are emitted by the compiler.

The value for this attribute depends on the language compiler being configured. The default for C# is 1.

<assemblies>

 

Child element containing one or more of the <add/>, <remove/>, or <clear/> child elements.

The child elements of the <assemblies> element are used to add references to assemblies to be used during compilation. ASP.NET automatically links in the assemblies specified here during dynamic compilation.

 

<clear>

 

Specifies that all current or inherited assembly references should be removed.

<add>

assembly

Specifies an assembly, by its assembly name, to be referenced during dynamic compilation.

This setting should be the assembly name, not the DLL name, of the desired assembly. You can also use the wildcard * to add all assemblies from the application’s private assembly cache (by default, in the bin subdirectory).

<remove>

assembly

Specifies an assembly, by its assembly name, to be removed from use during dynamic compilation.

The assembly name used must match exactly the name of an assembly added by a previous add directive (for example, from a parent Web.config). You cannot use wildcards for this attribute.

<pages>

The <pages> element allows you to set the defaults for the page-level attributes that are more commonly associated with the attributes of the @ Page ASP.NET directive. The settings in this element apply to all pages for which specific attributes of the @ Page directive do not appear. If these attributes do appear in an ASP.NET page, their settings will override those in either the Machine.config or Web.config configuration files. As such, the <pages> element provides a handy way of configuring the SessionState, ViewState, and other settings at an application or subfolder level, giving you a great deal of control over your application.

The <pages> element has the following syntax:

<page    autoEventWireup="true|false    buffer="true|false    enableSessionState="true|false|ReadOnly    enableViewState="true|false    enableViewStateMac="true|false    pageBaseType="typename, assembly    smartNavigation="true|false    userControlBaseType="typename validateRequest="true|false" />

Table B-5 describes the <pages> element attributes in more detail.

Table B-5: <pages> Element Attributes

Attribute

Description

Options

autoEventWireup

Determines whether support for page events (Page_Load and so on) is automatically provided in an application’s ASP.NET pages.

true: Event support is provided automatically.

false: Event support is not provided. Event handlers must be manually wired by developers. The default is true. Pages created in Visual Studio .NET will have autoEventWireup set to false by default.

Buffer

Determines whether responses are buffered before being sent to the client. This setting is analogous to the classic ASP Response.Buffer property.

true: Buffering is enabled. Page output will be buffered until the page is completely processed, or until either the End or Flush method of the HTTPResponse class is called.

false: Buffering is not enabled. Buffering is to the client as it is rendered.

The default is true.

PageBaseType

Provides the type or assembly name of a class from which ASP.NET pages should inherit. In the absence of this attribute, the default is to inherit from the Page class of the System.Web.UI namespace.

You can use this attribute to provide a class derived from the Page class if you want to provide additional functionality not included in the base Page class. This is a simple yet powerful way to extend ASP.NET applications.

smartNavigation

Determines whether the SmartNavigation feature, which uses IFrame elements to minimize page “flash” on postbacks, is enabled by default.

The default is false.

userControlBaseType

Provides the type or assembly name of a class from which ASP.NET User Controls (.ascx files) should inherit. In the absence of this attribute, the default is to inherit from the UserControl class of the System.Web.UI namespace.

 

enableSessionState

Determines whether a new session is created by default for the current user by an ASP.NET page. Note that if the user already has a session from a prior page in which this attribute is set to false, this attribute will not affect that session. However, setting the attribute to ReadOnly will prevent the page from modifying values set in previous pages.

true: If the user does not have a current session when he or she requests a page, a new session will be created.

false: If the user does not have a current session, one will not be created. If the user does have a session, it will not be affected, but its values cannot be accessed from pages where this attribute is false. ReadOnly: If the user does not have a current session, one will not be created. If the user does have a session, its values can be read from within a page where this attribute has been set to ReadOnly, but they cannot be modified.

The default is true.

enableViewState

Determines whether ViewState (the method by which ASP.NET Server Controls store their state between page requests) is enabled.

true: ViewState is enabled. Server Controls will maintain their values from one request to the next.

false: ViewState is not enabled. Server control state will be reset with each request.

enableViewStateMac

Determines whether a Machine Authentication Check (MAC) is performed on ViewState data when a Web Form is posted back to the server. The MAC can help identify client-side tampering with the ViewState hidden field.

true: MAC is enabled for ViewState.

false: MAC is not enabled for ViewState.

The default is true.

validateRequest

Specifies whether request validation is enabled for pages affected by the configuration file. New for version 1.1.

Since the Request Validation feature can help prevent a variety of script injection attacks, it is recommended that you leave this set to true (the default), unless you are certain that your application properly filters and validates all user input.

<customErrors>

The <customErrors> element allows you to customize how your ASP.NET application responds to error conditions. In this element, you can specify whether the raw error messages generated by ASP.NET should be visible to local or remote clients, or whether to redirect the client to either a custom error page or a page specific to the error that occurred (based on the status code of the error). The <customErrors> element supports one child element, <error>, and has the following syntax:

<customError    defaultRedirect="url    mode="on|off|RemoteOnly">    <error        redirect="url       statusCode="status code"/> </customErrors>

Table B-6 describes the <customErrors> element attributes in more detail.

Table B-6: <customErrors> Element Attributes

Element

Attribute

Description

Options

<customErrors>

 

Determines how ASP.NET errors are handled.

 
 

defaultRedirect

Determines the page to which a user is redirected if an error occurs.

The page to which this URL points can be either an .aspx page, in which you attempt to clean up or recover from the error, or a static HTML page, to inform the user of the error and offer guidance.

 

mode

Determines whether raw ASP.NET error messages are sent to the client.

On: Custom errors are enabled. When an error occurs, the client, whether on the local Web server or remote, will be redirected to the custom error page specified by the defaultRedirect attribute (or to a page specified in an <error> child element).

Off: Custom errors are not enabled. When an error occurs, the client will see the error page generated by ASP.NET. Note that depending on how your application is designed, this can expose proprietary information to clients, so you should rarely use this setting.

RemoteOnly: Custom errors are enabled for remote clients. When an error occurs, remote clients will be redirected to a custom error page, while clients on the local Web server will see the error page generated by ASP.NET. This allows developers to track down errors without allowing clients to see raw error pages.

RemoteOnly is the default.

<error>

 

Determines redirect page for a specific error type, based on the HTTP status code for the error.

Adding <error> tags provides finer-grained control over error handling.

 

redirect

Determines the page to which a user is redirected if an error of the type specified in the statusCode attribute occurs.

 
 

statusCode

Determines the HTTP status code (404–Not Found, and so on) that is handled by this <error> child element.

 

<authentication>

The <authentication> element controls configuration of authentication in ASP.NET. You can choose from one of three authentication methods, and you can set appropriate parameters for the method you choose or you can choose no authentication at all. The <authentication> element supports two child elements: <forms> and <passport>. Additionally, the <forms> element supports one child element, <credentials>, which in turn supports one child element, <user>, as shown in the following example:

<authentication     mode="Windows|Forms|Passport|None">    <form       loginUrl="url       name="name       path="/       protection="All|None|Encryption|Validation requireSSL="true|false slidingExpiration="true|false       timeout="number">       <credentials           passwordFormat="Clear|MD5|SHA1">          <use             name="username"              password="password" />       </credentials>    </forms>    <passpor       redirectUrl="url" /> </authentication>

Table B-7 describes the <authentication> element attributes in more detail.

Table B-7: <authentication> Element Attributes

Element

Attribute

Description

Options

<authentication>

 

Determines how ASP.NET authentication is handled.

 
 

mode

Determines the authentication mode to be used. Authentication is discussed in greater detail in Chapter 6.

Windows: ASP.NET will use Windows authentication by default. Works with IIS’s Basic, Digest, NTLM, or Certificate- based authentication methods.

Forms: ASP.NET will use Forms-based authentication, which provides basic support for “roll-your- own” security scenarios, by default.

Passport: ASP.NET will use Microsoft Passport as the default authentication method.

None: No authentication will be performed by ASP.NET.

<forms>

 

Determines the parameters associated with Forms-based authentication.

 
 

loginUrl

Determines the URL to which a user is redirected if he doesn’t have a valid authentication cookie.

This can be any page in your ASP.NET application that allows a user to log in. The default is login.aspx.

 

name

Determines the name of the cookie used for authenticating a user.

Default is .ASPXAUTH.

 

path

Determines the path to set for the authentication cookie.

Default is /. This is to prevent the possibility of missing cookies because of browser case sensitivity with respect to URL paths and cookies.

 

protection

Determines the methods used to protect the authentication cookie from being compromised. Your choice of which method to use, or whether to use any at all, will depend on your security needs vs. the amount of resources you’re willing to devote to security. Generally, the higher the level of security, the greater the performance overhead.

All (default): Both encryption and data validation will be used to protect the cookie. This is the recommended setting.

Encryption: The authentication cookie will be encrypted, but will not be validated. This leaves the cookie vulnerable to certain types of attacks.

Validation: The authentication cookie’s contents will be validated to ensure that they haven’t been changed between the browser and the server.

None: Neither encryption nor validation is used. Not recommended.

 

requireSSL

Determines whether the authentication cookie will be sent with requests that do not use SSL. New for version 1.1.

If set to true, the forms authentication cookie will not be sent over a non-SSL connection. The default is false.

 

slidingExpiration

Determines whether each request in a given session resets the expiration of the authentication cookie. New for version 1.1.

The default is false.

 

Timeout

Determines the amount of time, in minutes, until the authentication cookie expires.

Default is 30. You should set this value to the minimum amount that will allow users to use your site effectively. If you use persistent cookies with forms authentication, they will not time out.

<credentials>

 

In conjunction with the <user> child element, allows you to define credentials to authenticate against within a configuration file.

If you use this method to store credentials in a Web.config file within your application scope, and your application is compromised, it might be possible for intruders to gain the passwords stored there, even if they’re encrypted. Remember that no encryption method is perfect.

 

PasswordFormat

Determines the encryption used for stored passwords.

Clear: No encryption is used. Not recommended.

MD5: Passwords are encrypted using the MD5 hash algorithm.

SHA1: Passwords are encrypted using the SHA1 hash algorithm.

<user>

 

Determines the username and password of a single user. Use one <user> child element for each set of credentials you want to store in the configuration file.

 
 

name

Specifies the username of the user to authenticate against.

 
 

password

Specifies the password of the user to authenticate against.

This value should be an encrypted version of the password created with the hash algorithm specified by the passwordFormat attribute of the <credentials> tag.

<passport>

 

Child element used to set the parameters for Microsoft Passport- based authentication.

 
 

redirectUrl

Determines the URL where the user will be redirected if he or she has not been authenticated.

 

<identity>

By default, requests made by ASP.NET applications for resources requiring authentication, such as files secured by NT Access Controls Lists (ACLs), are made in the context of either the IUSR_MACHINENAME or IWAM_MACHINENAME accounts, depending on whether the application is configured to run in-process or out-of-process relative to IIS. The <identity> element allows ASP.NET applications to use impersonation, in which an application takes on the security context of the user making a request, or of a specified account. The <identity> element has the following syntax:

<identit    impersonate="true|false    userName="username    password="password" />

Table B-8 describes the <identity> element attributes in more detail.

Table B-8: <identity> Element Attributes

Attribute

Description

Options

impersonate

Determines whether ASP.NET applications will use impersonation.

true: Enables impersonation of security accounts by ASP.NET applications.

false: Disables impersonation of security accounts by ASP.NET applications.

userName

Specifies a user account that the affected ASP.NET application will impersonate.

Any valid user account. You should ensure that the account that you choose has access to only the desired resources. For example, as a rule, it is not a good idea to have an ASP.NET application impersonate an account in the Administrators group. If omitted, ASP.NET will impersonate the account of the logged on user (as provided by IIS).

password

Specifies the password for the account named in the userName attribute.

 

<authorization>

The <authorization> element lets you specify which accounts or roles (groups) are authorized to access resources within the scope of the configuration file. The <authorization> element supports two child elements, <allow> and <deny>, both of which have three attributes. The <authorization> element has the following syntax:

<authorization>    <allow        users="userlist       roles="rolelist       verbs="verblist" />    <deny        users="userlist       roles="rolelist       verbs="verblist" /> </authorization>

Table B-9 describes the <authorization> element attributes in more detail.

Table B-9: <authorization> Element Attributes

Element

Attribute

Description

Options

<authorization>

 

Determines authorization settings for an application or directory. Contains one or more <allow> or <deny> child elements.

 

<allow>

 

Allows access to resources based on user account, group membership, or HTTP request method.

 
 

users

List of users (NT user accounts) granted access to the resource(s).

This attribute takes a comma-delimited list. Access to anonymous users is allowed using the ? wildcard, and access to everyone is allowed using the * wildcard.

 

roles

List of roles (NT groups) granted access to the resource(s).

This attribute takes a comma-delimited list.

 

verbs

List of HTTP verbs (GET, POST, etc.) granted access to the resource(s).

This attribute takes a comma-delimited list. Verbs available are GET, HEAD, POST, and DEBUG.

<deny>

 

Denies access to resources based on user account, group membership, or HTTP request method.

 
 

users

List of users (NT user accounts) denied access to the resource(s).

This attribute takes a comma-delimited list. Access to anonymous users is denied using the ? wildcard, and access to everyone is denied using the * wildcard.

 

roles

List of roles (NT groups) denied access to the resource(s).

This attribute takes a comma-delimited list.

 

verbs

List of HTTP verbs (GET, POST, etc.) denied access to the resource(s).

This attribute takes a comma-delimited list. Verbs available are GET, HEAD, POST, and DEBUG.

<machineKey>

The <machineKey> element allows you to specify the keys used for encryption and decryption of cookie data in Forms-based authentication. This element can be used at the machine level through Machine.config, as well as at the site and application levels through Web.config files, but it cannot be used at the subdirectory level. The <machineKey> element has the following syntax:

<machineKe    decryptionKey="AutoGenerate|value[,IsolateApps]     validation="AutoGenerate|value[,IsolateApps]     validationKey="3DES|MD5|SHA1" />

Table B-10 escribes the <machineKey> element attributes in more detail.

Table B-10: <machineKey> Element Attributes

Attribute

Description

Options

decryptionKey

Determines whether the decryption key to be used is autogenerated or specifies a key value to be used.

AutoGenerate (default): ASP.NET will generate a random key for decryption. New for version 1.1. In version 1.1, the IsolateApps modifier is added, which ensures that each application will have a unique key generated, based on the application ID.

value: This represents a string of characters (minimum 40, maximum 128) to be used as a decryption key. Note that 128 characters is the recommended length. For shorter-length keys, you should ensure that the key is randomly generated. This setting is necessary in Web farms to ensure that all servers are using the same keys, providing transparent user access while still taking advantage of encryption.

validation

Determines the type of encryption to be used by ASP.NET.

3DES: Data is encrypted using Triple-DES (3DES) encryption.

MD5: Data is encrypted using the MD5 hash algorithm.

SHA1 (default): Data is encrypted using the SHA1 hash algorithm.

validationKey

Determines whether the validation key to be used is autogenerated or specifies a key value to be used.

AutoGenerate (default): ASP.NET will generate a random key for validation. New for version 1.1. In version 1.1, the IsolateApps modifier is added, which ensures that each application will have a unique key generated, based on the application ID.

value: This represents a string of characters (minimum 40, maximum 128) to be used as a validation key. Note that 128 characters is the recommended length. For shorter-length keys, it is recommended to ensure that the key is randomly generated. This setting is necessary in Web farms to ensure that all servers are using the same keys, providing transparent user access while still taking advantage of encryption.

<securityPolicy>

The <securityPolicy> element allows you to specify one of several named security policies, or a custom policy, for code-access security based on the name and policyFile attributes of its <trustLevel> child element. The <trust> element, described in the next section, specifies which of the named policies is implemented for a given site or application. The <securityPolicy> element supports one child element, <trustLevel>, with two attributes, and has the following syntax:

<securityPolicy>    <trustLevel        name="value       policyFile="value" /> </securityPolicy>

Table B-11 describes the <securityPolicy> element attributes in more detail.

Table B-11: <securityPolicy> Element Attributes

Element

Attribute

Description

Options

<securityPolicy>

 

Determines the available named security policies for sites and/or applications.

 

<trustLevel>

 

Each <trustLevel> child element sets up an available named policy based on its name and policyFile attributes.

 
 

name

Specifies the name to use for the policy.

The name specified by this attribute is also used by the <trust> element to implement the named policy.

 

policyFile

Specifies the file name of the file that contains the code-access security settings to be used under the named policy.

The file name specified by this attribute is relative to the location of the Machine.config file.

<trust>

The <trust> element is used to implement one of the named security policies created by the <securityPolicy> element. This element can be used at the machine level through Machine.config, as well as at the site and application levels through Web.config files. However, it can’t be used at the subdirectory level. The <trust> element has the following syntax:

<trus    level="Full|High|Low|None|custom name    originUrl="url" />

Table B-12 describes the <trust> element attributes in more detail.

Table B-12: <trust> Element Attributes

Attribute

Description

Options

level

Determines the applicable trust level, based on a named security policy.

Full: Code-access security is based on the Full named policy set up by default in Machine.config.

High: Code-access security is based on the High named policy set up by default in Machine.config.

Low: Code-access security is based on the Low named policy set up by default in Machine.config. None: Code-access security is based on the

None named policy set up by default in Machine.config.

custom name: Code-access security is based on a custom named policy set up in either Machine.config or a Web.config file at the site or application level.

originUrl

Specifies the origin URL for an application.

Optional: This attribute can be used to support permissions for Socket and WebRequest requests that allow connectivity to the origin host.

<sessionState>

The <sessionState> element is used to configure the Session State HttpModule, including the type of state management to be used (in-process, out-of-process, or Microsoft SQL Server), the default session timeout, and whether to use cookies for associating requests with user sessions. The <sessionState> element has the following syntax:

<sessionStat    stateConnectionString="IP address:port number    cookieless="true|false    mode="Off|Inproc|StateServer|SQLServer    sqlConnectionString="sql connection string    timeout="number of minutes" />

Table B-13 describes the <sessionState> element attributes in more detail.

Table B-13: <sessionState> Element Attributes

Attribute

Description

Options

stateConnectionString

Specifies the server and port number to connect to when the mode attribute is set to StateServer.

This attribute is required when the mode is set to StateServer. The default is tcpip=127.0.0.1:42424.

cookieless

Determines whether user sessions are mapped to requests by using cookies or by adding a user’s SessionID to the URL string for requests by that user.

true: SessionIDs are added to request URLs, and cookies are not used.

false: Cookies are used to map user requests to sessions.

The default is false.

mode

Determines the type of session state management that applications will use.

Off: Session state is disabled.

Inproc: Session state is stored in- process with the application, as in classic ASP.

StateServer: Session state is managed by an out-of-process NT Service, allowing multiple servers in a Web farm to share a single state store.

SQLServer: Session state is managed by SQL Server database, allowing multiple servers in a Web farm to share a single state store. This mode has the added advantage of providing persistent state storage in the event of a Web server crash.

The default is InProc.

sqlConnectionString

Specifies the connection string used to connect to a SQL Server database where state information is stored.

This attribute is required when the mode is set to SQLServer.

timeout

Specifies the amount of time, in minutes, before the user’s session expires.

Like the classic ASP Session.Timeout property, this attribute uses sliding expiration. Each request by the user resets the amount of time before his session expires.

The default is 20 minutes.

<httpHandlers>

The <httpHandlers> element allows you to assign requests of certain types or for certain resources to specific handler classes. For example, in Machine.config, the handling of ASP.NET pages (requests with the .aspx extension) is assigned to the System.Web.UI.PageHandlerFactory class. The <httpHandlers> element can also be used to prevent HTTP access to certain types of files by assigning them to the System.Web.HttpForbiddenHandler class, as is done by default for configuration files (*.config) and source files (*.vb and *.cs, for example).

The <httpHandlers> element supports three child elements, <add>, <remove>, and <clear>, and has the following syntax:

<httpHandlers>    <add        path="path       type="type, assembly name       validate="true|false       verb="verblist" />    <remove        path="path       verb="verblist" />    <clear /> </httpHandlers>

Table B-14 describes the <httpHandlers> element attributes in more detail.

Table B-14: <httpHandlers> Element Attribute

Element

Attribute

Description

Options

<httpHandlers>

 

Determines the assignment of requests to httpHandlers for ASP.NET applications.

 

<add>

 

Each <add> child element maps a specific type of request to a given httpHandler.

 
 

path

Specifies the URL path this httpHandler will handle.

This can be a single URL, as in the case of the default mapping of the trace.axd URL to System.Web.Handlers. TraceHandler, or can use a wildcard to specify that the httpHandler should handle all requests of a given type (such as *.aspx or *.asmx).

 

validate

Determines whether the ASP.NET runtime should attempt to load the class before the actual request is received, in order to ensure that it exists.

true: The ASP.NET runtime will attempt to load the class when the associated application is started up.

false: The ASP.NET runtime will load the class only when the actual request is received. This can improve start-up time, but will delay the appearance of the error if the class does not exist.

This attribute is optional.

 

type

Specifies the .NET class that should handle the requests specified by the path and verb attributes.

This is a string containing a comma-separated list with the class name and other information, such as version and public key, that enables ASP.NET to locate the class in either the application’s bin directory or the global assembly cache.

 

verb

Specifies the HTTP verbs for which the httpHandler will handle requests.

Comma-separated list of verbs (GET, POST) or a wildcard (such as *, which specifies that all verbs should be handled).

<remove>

 

Removes an httpHandler mapping, based on the path and verb attributes specified.

 
 

path

Specifies path of the httpHandler to be removed.

This attribute must exactly match the path attribute of an httpHandler added by a previous <add> child element.

 

verb

Specifies verb(s) of the httpHandler to be removed.

This attribute must exactly match the verb attribute of an httpHandler added by a previous <add> child element.

<clear>

 

Removes all httpHandler mappings, either those configured by the current file or those inherited from parent configuration files.

 

<httpModules>

HttpModules are classes that implement the IHttpModule interface and are used to provide functionality to ASP.NET applications. For example, by default, the Machine.config file adds HttpModules for output caching, session-state management, authentication, and authorization. The <httpModules> element allows you to add HttpModules to ASP.NET applications.

The <httpModules> element supports three child elements, <add>, <remove>, and <clear>, and has the following syntax:

<httpModules>    <add        name="name       type="classname.assemblyname" />    <remove        name="name    <clear /> </httpModules>

Table B-15 describes the <httpModules> element attributes in more detail.

Table B-15: <httpModules> Element Attributes

Element

Attribute

Description

Options

<httpModules>

 

Determines the httpModules available for ASP.NET applications within the scope of the configuration file.

 

<add>

 

Each <add> child element adds a specified httpModule.

 
 

name

Specifies a name that can be used by ASP.NET applications to refer to the module identified by the type attribute.

 
 

type

Specifies the .NET class that implements the desired httpModule.

This is a string containing a comma-separated list with the class name and other information, such as version and public key, that enables ASP.NET to locate the class in either the application’s bin directory or the global assembly cache.

<remove>

 

Removes an httpModule, based on the name and type attributes specified.

 
 

name

Specifies the name of the httpModule to remove.

This attribute must exactly match the name attribute of an httpModule added by a previous <add> child element.

<clear>

 

Removes all httpModules, either those configured by the current file or those inherited from parent configuration files.

 

<processModel>

The <processModel> element configures settings related to how ASP.NET applications run, and it provides access to a number of features geared towards improving the availability of applications. These include automatic restart (which can be configured based on elapsed time or number of requests), allowed memory size, and Web garden, in which applications can be associated with specific processors in a multiprocessor machine. Note that when ASP.NET is running under IIS 6.0 in native mode, the settings in the <processModel> element are ignored in favor of the settings configured by the IIS administrative UI.

The <processModel> element has the following syntax:

<processMode    clientConnectedCheck="time in hh:mm:ss format    comAuthenticationLevel="Default|None|Connect|Call|Pkt       PktIntegrity|PktPrivacy    comImpersonationLevel="Default|Anonymous|Identify|Impersonate       Delegate    cpuMask="number    enable="true|false    idleTimeout="time    logLevel="All|None|Errors    maxIoThreads="number    maxWorkerThreads="number    memoryLimit="percent    pingFrequency="hh:mm:ss    pingTimeout="hh:mm:ss    requestLimit="number    requestQueueLimit="Infinite|number    responseDeadlockInterval="Infinite|hh:mm:ss    responseRestartDeadlockInterval="Infinite|hh:mm:ss    restartQueueLimit="Infinite|number    serverErrorMessageFile="filename    shutdownTimeout="time    timeout="time    webGarden="true|false    username="user name    password="password" />

Table B-16 describes the <processModel> element attributes in more detail.

Table B-16: <processModel> Element Attributes

Attribute

Description

Options

clientConnectedCheck

Determines the frequency with which ASP.NET checks if the client is still connected while a request is queued.

This attribute takes a time value in the format hh:mm:ss. The default is 0:00:05. This attribute can be useful for preventing processor resources from being wasted on queued requests for which the client has disconnected.

comAuthenticationLevel

Specifies the DCOM authentication level.

Default: DCOM will determine authentication level based on its normal security negotiation algorithm.

None: No authentication.

ConnectCall: DCOM authenticates the credentials of the client with each remote procedure call.

Pkt: DCOM authenticates that all received data is coming from the expected client.

PktIntegrity: Same as Pkt, but also verifies that data has not been modified in transport.

PktPrivacy: Same as PktIntegrity, but adds encryption.

The default value is Connect.

comImpersonationLevel

Specifies the COM authentication level.

Anonymous: Client is anonymous. Not supported in the current release.

Identify: Server can obtain the client’s identity and impersonate the client for ACL checking, but cannot access system objects using the client’s identity.

Impersonate: Allows the server to impersonate the client and access system resources using the client’s security context, but this context can only be passed across a single machine boundary.

Delegate: Same as Impersonate, but the impersonation token can be passed across multiple machine boundaries.

cpuMask

Specifies the processors (on a multiprocessor server) that are allowed to run the ASP.NET application. This attribute works with the webGarden attribute. When webGarden is set to true, cpuMask determines the eligible processors for the application.

The default is 0xffffffff.

Enable

Enables or disables the processModel settings for ASP.NET applications.

true: processModel settings are enabled.

false: processModel settings are disabled.

idleTimeout

Determines the amount of time, in minutes, before ASP.NET shuts down an inactive worker process.

Default is Infinite, in which case the process will not be shut down when idle.

logLevel

Specifies the types of process events that will be written to the event log.

All: All process events are logged.

Errors: Only unexpected shutdowns, memory limit shutdowns, and deadlock shutdowns are logged.

None: No events are logged. The default is Errors.

maxIoThreads

Specifies the maximum number of IO threads per CPU.

Any value from 5 to 100 is valid. The default is 25.

maxWorkerThreads

Specifies the maximum number of worker threads per CPU.

Any value from 5 to 100 is valid. The default is 25.

memoryLimit

Determines the maximum allowable memory size for an ASP.NET application.

This attribute takes a number representing the percentage of the total system memory that the application’s worker processes can consume. If this value is exceeded, ASP.NET will launch a new process, reassign existing requests to it, and then shut down the old process.

pingFrequency

Determines how often the ASP.NET ISAPI extension pings the worker process to see if it is running. If the process does not respond in the interval specified by pingTimeout, the worker process will be restarted.

The format of this value is hh:mm:ss. The default is 30 seconds.

pingTimeout

Determines the time interval after which an unresponsive worker process is restarted.

The format of this value is hh:mm:ss. The default is 5 seconds.

responseDeadlock-

Determines the time interval Interval after which the process will be restarted when there are queued requests, and no responses have been generated for this interval.

The format of this value is hh:mm:ss. The default is 3 minutes.

responseRestartDeadlockInterval

Determines the time interval that must elapse before a second restart to cure a deadlock (as specified by responseDeadlockInterval) can occur.

The format of this value is hh:mm:ss. The default is 9 minutes.

requestLimit

Determines the number of requests an application can fulfill before ASP.NET launches a new worker process and shuts down the old one.

Default is Infinite, in which case the process will not be shut down, regardless of the number of requests. This setting can be used to restart the application after a given number of requests, and it can help deal with problems such as memory leaks in legacy COM components used by an application or blocked processes.

requestQueueLimit

Determines the number of requests that can be queued before ASP.NET returns the “503–Server Too Busy” status error.

Default is 5,000.

restartQueueLimit

Specifies the number of requests that are kept in the queue while the process is restarting.

Default is 10.

serverErrorMessageFile

Provides custom message for Server Unavailable error condition.

Path and file name to the desired file. If omitted, the default Server Unavailable message is used.

shutdownTimeout

Determines the amount of time that an ASP.NET worker process is given to shut itself down.

This attribute takes a time value in the format hh:mm:ss. If the time specified by this attribute is exceeded, ASP.NET will force the shutdown of the worker process. The default is 0:00:05.

timeout

Determines the amount of time, in minutes, before ASP.NET launches a new worker process and shuts down the old one.

This setting can be used to restart the application after a given period of time, and it can help deal with problems such as memory leaks in legacy COM components used by an application or blocked processes.

webGarden

Determines whether Web gardening is enabled.

true: Web gardening is enabled.

false: Web gardening is disabled.

password

Specifies a password for the user account specified in the username attribute.

Default is autogenerate, which can be used with either the SYSTEM or MACHINE special accounts.

username

Determines the identity under which ASP.NET worker processes are run.

Default is MACHINE, which runs worker processes as an unprivileged ASP.NET service account called ASPNET. This provides a higher level of security than the beta releases of ASP.NET (which used the more privileged SYSTEM account), but can make certain techniques, such as using trusted connections with SQL Server, more difficult because the ASPNET account is not trusted. You can also use another special account, SYSTEM, to run the ASP.NET worker processes, but for security reasons, this is not recommended.

<webControls>

The <webControls> element allows you to specify the location of script files used by client-side implementations of ASP.NET Server Controls, such as the validation controls. The <webControls> element has the following syntax:

<webControl    clientScriptsLocation="path" />

Table B-17 describes the <webControls> element attribute in more detail.

Table B-17: <webControls> Element Attribute

Attribute

Description

Options

clientScriptsLocation

Determines where ASP.NET will look for client-side scripts for use with ASP.NET Server Controls.

This attribute is relative to the root Web of the Web server.

<clientTarget>

The <clientTarget> element allows you to set up aliases to be used by the ClientTarget property of the Page class. The <clientTarget> element supports one child element, <add>, and has the following syntax:

<clientTarget>    <add        alias="aliasname       userAgent="true|false" />    <clear />    <remov       alias="aliasname" /> </clientTarget>

Table B-18 describes the <clientTarget> element attributes in more detail.

Table B-18: <clientTarget> Element Attributes

Element

Attribute

Description

<clientTarget>

 

Creates aliases for specific browser user agents that can then be specified from the Page.ClientTarget property.

<add>

 

Maps a specific user agent string to an alias name.

 

alias

Specifies the name of the alias.

 

userAgent

Specifies the browser user agent that the alias looks for.

<clear>

 

Removes all aliases added (or inherited) by the current Web.config file.

<remove>

alias

Removes the specified alias added (or inherited) by the current Web.config file.

<browserCaps>

The <browserCaps> element contains settings used by ASP.NET to provide the functionality of the browser capabilities component (accessible via the Request.Browser property). It provides filtering processes that allow the browser capabilities component to populate its properties with information on the capabilities of a user’s browser, based on the information contained in the user agent string passed by the browser. The <browserCaps> element supports three child elements, <result>, <use>, and <filter>. The <filter> element supports one child element, <case>. The <browserCaps> element has the following syntax:

<browserCaps>    <result type="System.Web.HttpBrowserCapabilities" />    <use var="HTTP_USER_AGENT" />       list of default property value    <filter>       <cas          match="string1|string2|stringN">          property=valu       </case>    </filter> </browserCaps>

Table B-19 describes the <browserCaps> element attributes in more detail.

Table B-19: <browserCaps> Element Attributes

Element

Attribute

Description

Options

<browserCaps>

 

Allows filtering and mapping of strings within the browser user agent string to properties of the browser capabilities component.

 

<result>

 

Specifies the result type of the configuration element.

 
 

type

.NET class used as the result type.

The default is System.Web.HttpBrowserCapabilities.

<use>

 

Determines the server variables used while evaluating <filter> and <case> elements.

 
 

var

Server variable used in evaluating <filter> and <case> elements.

The default is HTTP_USER_AGENT.

<filter>

 

The <filter> contains one or more <case> child elements to search for specific strings within the user agent string.

 

<case>

 

Each <case> child element searches for a specific string or strings within the user agent string.

 
 

match

Specifies the string or strings (separated by | characters) to look for in the code.

If a specified string is found, the property assignment enclosed by the <case></case> tags is executed.


Team LiB
Previous Section Next Section


JavaScript EditorJavascript debugger     Javascript examples