Use app.config files with No-Touch Deployment
How do I use app.config files with No-Touch
Deployment?
All Windows Forms application can store there
settings in a configuration file which has to be named
like the executable followed by the extension ".config"
(e.g. MyApp.exe.config, if
the executable's name is MyApp.exe).
When running an application from a webserver the
configuration file is also a URL and gets automatically
downloaded with the application.
Many developers complain that this does not seem to
work. Here's the solution. The IIS forwards requests to
.config files to the ASP.NET runtime which denied the
access by default, because .config-files in many cases
include sensitive information. You can prove the
behavior by entering the URL to the config file in
Internet Explorer. It should show up a page telling you
that the access is denied. So what can you do?
Solution 1: You configure your web site in IIS
to not forward requests to ".config"-files to ASP.NET.
IIS would then return them directly as static text if
they are requested. Important:
When you turn off application configuration mapping, you
open a security hole. And that is not the
only problem with this solution, because it requires
that you have control over the IIS configuration. If you
don't, for example if you use an external web hoster,
you have a problem. And here comes:
Solution 2: You tell ASP.NET to serve ".config"-Files
if they are requested. Check your app.config that it
does not contain any sensitive stuff. Please consider
that this also allows access to the
web.config files
used in ASP.NET web applications and web services. Now
to make ASP.NET do what you want it to do you need a
web.config file in the root of your application that
should look like this:
<?xml
version="1.0"
encoding="utf-8"
?>
<configuration>
<system.web>
<httpHandlers>
<remove
verb="*"
path="*.config"
/>
<add
verb="*"
path="web.config"
type="System.Web.HttpForbiddenHandler"
/>
</httpHandlers>
</system.web>
</configuration>
Note: In both scenarios anonymous access has to be
enabled in IIS!
You can check if your settings work by requesting the
configuration file in your browser.
|