ASP Classic provided a limited set of functionality for providing common Web application-level parameters. ASP.NET takes this farther by leaps and bounds by providing an XML-based configuration settings file, commonly known and represented as web.config. If you think of common properties, such as database connection properties, that can be stored in a configurable yet common repository, web.config is what you should be looking at. Apart from being a placeholder for properties, web.config is also used to define the authentication mechanisms that an application should use.

Depending on its location, the web.config file can be used to customize the settings of a Web site (\inetpub\wwwroot), a particular application (\inetpub\wwwroot\app), or even the subdirectory of an application (\inetpub\wwwroot\app\subdir). The web.config file has separate sections focused on providing details on application settings, authentication mechanisms, authorization parameters, browser capabilities, compilation defaults, error handling, globalization, advanced HTTP handlers and modules, security policy, session management, trace parameters, and so on.

Now take a look at a sample web.config file that should provide some more insight:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.web>
        <compilation defaultLanguage="c#" debug="true" />
        <customErrors mode="RemoteOnly" />
        <authentication mode="Windows" />
        <authorization>
          <allow users="*" />
        </authorization>
        <trace enabled="false" requestLimit="10" pageOutput="false"
               traceMode="SortByTime" localOnly="true" />
        <sessionState mode="InProc"
                      stateConnectionString="tcpip=127.0.0.1:42424"
                      sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
                      cookieless="false" timeout="20" />
        <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
      </system.web>
    </configuration>

Configuring ASP.NET for Forms-based Authentication

A key requirement of many Web applications is security.
ASP.NET provides a configurable (not just codeable!) mechanism for specifying (not coding) authentication parameters. Take a look at a web.config file that specifies parameters for using forms-based authentication. Figure 8.9 shows an example of forms validation.

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms name="MyAppCookie" path="/" loginUrl="Login.aspx"
                 protection="All" timeout="200">
            <credentials passwordFormat="Clear">
              <user name="hks" password="hks"/>
            </credentials>
          </forms>
        </authentication>
        <authorization>
          <deny users="?"/>
        </authorization>
      </system.web>
    </configuration>

Figure 8.9. Forms validation for ASP.NET applications.
Here is the Forms page itself:

    <%@Page Language="C#" %>
    <%@Import Namespace="System.Web.Security" %>
    <script language="C#" runat="server">
    void loginButton_Click(Object sender, EventArgs args)
    {
        // Checks the submitted pair against the <credentials> section of web.config.
        if (FormsAuthentication.Authenticate(user.Text, password.Text))
        {
            // Issues a non-persistent authentication cookie and returns
            // the user to the page that was originally requested.
            FormsAuthentication.RedirectFromLoginPage(user.Text, false);
        }
        else
        {
            message.Text = "Un-authorized Access!";
        }
    }
    </script>
    <html>
    <head></head>
    <body>
      <form runat="server">
        <b>User:</b><br/>
        <asp:TextBox id="user" runat="server"/><br/>
        <b>Password:</b><br/>
        <asp:TextBox id="password" textmode="password" runat="server"/><br/>
        <asp:Button id="loginButton" OnClick="loginButton_Click" Text="Login" runat="server"/><br/>
        <asp:Label id="message" ForeColor="Red" runat="server"/>
      </form>
    </body>
    </html>

Beyond the preceding simplified example, ASP.NET goes beyond authenticating simple user name/password pairs to custom user profile databases, Active Directory, and so on.
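
The settings in the two web.config listings above can be reviewed mechanically before deployment. The following audit script is an added example, not code from the original text; it flags `debug="true"`, `customErrors mode="Off"`, enabled tracing, forms cookies without `protection="All"`, and clear-text `<credentials>` entries. The `audit` function and its rule names are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Sample input assembled from the two web.config listings on this page.
SAMPLE = """<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <compilation defaultLanguage="c#" debug="true" />
    <customErrors mode="RemoteOnly" />
    <authentication mode="Forms">
      <forms name="MyAppCookie" path="/" loginUrl="Login.aspx" protection="All" timeout="200">
        <credentials passwordFormat="Clear">
          <user name="hks" password="hks"/>
        </credentials>
      </forms>
    </authentication>
    <authorization><deny users="?"/></authorization>
  </system.web>
</configuration>"""


def audit(xml_text):
    """Return (rule, detail) findings for risky settings in one web.config."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for node in root.iter("compilation"):
        if node.get("debug", "false").lower() == "true":
            findings.append(("debug-enabled", "compilation debug=true"))
    for node in root.iter("customErrors"):
        if node.get("mode", "").lower() == "off":
            findings.append(("errors-exposed", "customErrors mode=Off"))
    for node in root.iter("trace"):
        if node.get("enabled", "false").lower() == "true":
            findings.append(("trace-enabled", "trace enabled=true"))
    for forms in root.iter("forms"):
        if forms.get("protection", "All").lower() != "all":
            findings.append(("weak-cookie", "forms protection=" + forms.get("protection")))
    for creds in root.iter("credentials"):
        if creds.get("passwordFormat", "").lower() == "clear":
            findings.append(("clear-password", "credentials passwordFormat=Clear"))
            for user in creds.iter("user"):
                if user.get("name") == user.get("password"):
                    findings.append(("password-equals-name", "user " + user.get("name")))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(SAMPLE):
        print(rule + ": " + detail)
```
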
Specifying Application-level Properties

As previously mentioned, the web.config file can be used to store application-level parameters, including application runtime-specific strings, connection strings, and messages. This prevents proliferation of such strings inside several ASP.NET files. For instance, the following addition of the <appSettings> section makes the ApplicationName configuration property available to all pages in the application.

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      ...
      <appSettings>
        <add key="ApplicationName" value="ABC Order Entry Application"/>
      </appSettings>
    </configuration>

Once specified, the application setting can be accessed using the ConfigurationSettings class in the .NET Framework class library.

    <%@ Page Language="C#" %>
    <script runat="server">
    void Page_Load(Object sender, EventArgs e)
    {
        // Reads the value stored under <appSettings> in web.config.
        AppName.Text = ConfigurationSettings.AppSettings["ApplicationName"];
    }
    </script>
    <html>
    <head>
    </head>
    <body>
      <form runat="server">
        <asp:Label id="AppName" runat="server"/>
      </form>
    </body>
    </html>