Centralized Configuration Settings

Although the generally recommended approach is to place all configuration settings in a web.config file for each individual Web application, you can also define configuration settings in a parent web.config file that will be applied to resources in subdirectories or subapplications.

You specify settings in parent web.config files—or only in machine.config—through the <location /> element:

<location path="[web path]">
    <[sectionGroup]>
        <[section] />
    </[sectionGroup>
</location>

The <location /> element is most commonly used for security purposes in Web sites with complex directory structures. Rather than creating a web.config file for each directory and specifying the authorization requirements, you can use the <location /> element to store authorization requirements centrally in the application’s root web.config file, as shown in the following code example. This is perhaps the best use of the <location /> element.

<configuration>
    <!-- Other application configuration settings not shown -->
    <location path="Forums/EditPost.aspx">
        <system.web>
            <authorization>
                <deny users="?" />
            </authorization>
        </system.web>
    </location>
</configuration>

In this sample web.config file, a single comment line reflects that more configuration settings have likely been specified but are not shown in the sample. We also find the <location /> element used to deny access to anonymous users. This is accomplished through <deny users=“?” /> applied to path=“Forums/EditPost.aspx”. This is the setting we use on the www.asp.net site to prevent unauthorized users from accessing the edit post functionality of the ASP.NET Forums (www.asp.net/Forums).