Using the Web.config File to Customize Application Settings

Within each folder that contains a .NET web service, you will find a file named Web.config that contains XML-based entries you can use to customize key application settings. Within the Web.config file, you will find entries that you can use to control the application’s authentication and authorization process, debugger operations, and error handling, as well as global and session settings. Each time a web service runs, the server uses the Web.config file’s contents to configure the application. Table 12.5 briefly describes the entries common to the Web.config file.

Listing 12.5 illustrates the contents of a typical Web.config file.

Listing 12.5 Web.config

<?xml version="1.0" encoding="utf-8" ?> <configuration>      <system.web>     <!--  DYNAMIC DEBUG COMPILATION           Set compilation debug="true" to insert debugging symbols           (.pdb information) into the compiled page. Because this           creates a larger file that executes more slowly, you should           set this value to true only when debugging and to false at           all other times. For more information, refer to the           documentation about debugging ASP.NET files.     -->     <compilation defaultLanguage="vb" debug="true" />     <!--  CUSTOM ERROR MESSAGES           Set customErrors mode="On" or "RemoteOnly" to enable custom           error messages, "Off" to disable. Add <error> tags for each           of the errors you want to handle.     -->     <customErrors mode="RemoteOnly" />     <!--  AUTHENTICATION           This section sets the authentication policies of the           application. Possible modes are "Windows",           "Forms", "Passport" and "None"     -->     <authentication mode="Windows" />     <!--  AUTHORIZATION           This section sets the authorization policies of the           application. You can allow or deny access to application           resources by user or role. Wildcards: "*" mean everyone, "?"           means anonymous (unauthenticated) users.     -->     <authorization>         <allow users="*" /> <!-- Allow all users -->             <!--  <allow     users="[comma separated list of users]"                              roles="[comma separated list of roles]"/>                   <deny      users="[comma separated list of users]"                              roles="[comma separated list of roles]"/>             -->     </authorization>     <!--  APPLICATION-LEVEL TRACE LOGGING           Application-level tracing enables trace log output for every           page within an application. Set trace enabled="true" to           enable application trace logging.  If pageOutput="true", the           trace information will be displayed at the bottom of each           page.  Otherwise, you can view the application trace log by           browsing the "trace.axd" page from your web application root.     -->     <trace enabled="false" requestLimit="10" pageOutput="false"    traceMode="SortByTime" localOnly="true" />     <!--  SESSION STATE SETTINGS           By default ASP.NET uses cookies to identify which requests           belong to a particular session. If cookies are not available,           a session can be tracked by adding a session identifier to           the URL. To disable cookies, set sessionState           cookieless="true".     -->     <sessionState             mode="InProc"             stateConnectionString="tcpip=127.0.0.1:42424"             sqlConnectionString="data source=127.0.0.1;user              id=sa;password="             cookieless="false"             timeout="20"     />     <!--  GLOBALIZATION           This section sets the globalization settings.     -->     <globalization requestEncoding="utf-8" responseEncoding="utf-8" />     </system.web> </configuration>

Table 12.5: Entries Common to the Web.config File
Entry	Purpose
<compilation>	Specifies attributes that control compile-time processing, such as the inclusion or omission of debug code
<customErrors>	Specifies error messages that are specific to the web service that the client will receive should the web service encounter the corresponding error
<authentication>	Specifies the web service’s authentication policy: Windows, Forms, Passport, and None
<authorization>	Specifies specific users, groups, or roles the web service should allow or deny
<sessionState>	Specifies values the web service will use to support Session operations, such as the support of cookie operations
<globalization>	Specifies values the web service uses to support worldwide operations, such as text-encoding formats

In Chapter 8, “Authenticating Users within .NET Web Services,” you used entries within the Web.config file to specify a service’s authentication policy. The following entry, for example, specifies that the web service will use forms-based authentication:

<authentication mode="Forms" />

Also in Chapter 8, you used the Web.config file to permit or deny web service access to specific users. The following entry, for example, directs the service to allow three specific users access to the system:

<authorization>    <allow users="Jones, Smith, Williams" /> </authorization>

In Chapter 6, “Making .NET Web Services Available to Others,” you learned that before you release your web services for use by others on the Internet, you should disable debugging within the code by building a release version of the code. You can also use the Web.config file <compilation> entry to disable (or to control) debugging as shown here:

<compilation defaultLanguage="vb" debug="false" />

Finally, in Chapter 5, “Looking at Key Operations,” you learned how to support session data within a web service. Within the Web.config file, you can use the <sessionstate> entry to specify each session’s timeout period:

<sessionState timeout="30" />