Edit and Encrypt Web.Config sections using C# 2.0

• Download WebConfigEditing.zip - 3.8 KB

Introduction

ASP.NET 1.x allowed configurations in Web.Config file to be read from .NET application. But there were no options to manipulate Web.Config contents in programatically. To achieve this we had to consider Web.Config file as a normal file or an xml file. .NET 2.0 fills this gap and also provides many other useful operations to be carried out on Web.Config file; like editing and encrypting sections of Web.Config file. This articles illustrates these functionalities via a sample ASP.NET application.

Using the code

The classes and methods to take control of the Web.Config file span across 2 namespaces.

1. System.Configuration
2. System.Web.Configuration

Each section in the Web.Config file has a corresponding class in either of the namespace. These classes allow modification of corresponding sections. The classes for sections within the "system.web" section are found in System.Web.Configuration. Classes for other sections that are not specific to Web.Config are found in System.Configuration.

Steps to modify a section in Web.Config

1. Open Web.Config for editing using WebConfigurationManager class.
2. Using respective Configuration class, bring about the necessary changes.
3. Save changes to the physical file using Configuration class.

private void UpdateConfig(string strKey, string strValue)
{
    Configuration objConfig = WebConfigurationManager.OpenWebConfiguration("~");
    AppSettingsSection objAppsettings = (AppSettingsSection)objConfig.GetSection("appSettings");
    if (objAppsettings != null)
    {
        objAppsettings.Settings[strKey].Value = strValue;
        objConfig.Save();
    }
}

In the above piece of code, OpenWebConfiguration() method of WebConfigurationManager class opens Web.Config file in the root directory and returns it as a Configuration object. GetSection() method of Configuration class accepts path to a specific section as argument. The path is the relative path from the root node "configuration". You can refer to deeper nodes(sections in our context) by their names separated by '/'. For example, to get access to the "authentication" section, provide "system.web/authentication" as the parameter to GetSection() method. It returns a generic ConfigurationSecton object, which can be typecasted to proper configuration section class. In our example we get hold of the "appSettings" section with the help of AppSettingsSection class. AppSettingsSection class instance has a Settings collection property which contains application setting from the configuration section as key-value pairs. The Settings property can be indexed using key to get the corresponding value. You can also set the value property and call the Save() method of the Configuration object to write configurations in the Configuration instance to config file.

To delete an entry in the Web.config file: The Remove() method of Settings collection deletes an entry from the Configuration instance. Remove() method accepts key of the entry to be deleted.

Note: Please do not forget to call the Save() method of the Configuration instance to get the changes reflected in the physical file.

objAppsettings.Settings.Remove("Location");

To iterate through all the key-value pairs in a configuration section, access the string array of keys via AllKeys property of Settings collection.

foreach (string strKey in objAppsettings.Settings.AllKeys)
{
    DataRow dr = dt.NewRow();
    dr["Key"] = strKey;
    dr["Value"] = objConfig.AppSettings.Settings[strKey].Value;
    dt.Rows.Add(dr);
}

Encrypting sections in Web.Config file

Now comes the security issues. At times there comes the necessity for protecting sections of config file. In .NET 2.0 there are options available to encrypt sections of Web.config file programatically. The following method encrypts the "appSettings" section in Web.config file.

private void EncryptAppSettings()  
{
    Configuration objConfig = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    AppSettingsSection objAppsettings = (AppSettingsSection)objConfig.GetSection("appSettings");
    if (!objAppsettings.SectionInformation.IsProtected)
    {
        objAppsettings.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
        objAppsettings.SectionInformation.ForceSave = true;
        objConfig.Save(ConfigurationSaveMode.Modified);
    }
}

The code above opens Web.Config file for modification. It then retrieves the "appSettings" section. The ProtectSection() method of SectionInformation class marks the configuration section for protection. It accepts the name of the protection provider to be used for the encryption. The ForceSave property indicates if the specified configuration section will be saved even if it has not been modified. Finally the Save() of the Configuration object writes the configuration settings to the Web.Config file. The argument to the Save() method indicates the only properties modified need to be written to the physical file.

Below is a listing of the "appSettings" section before encryption:

The encrypted "appSettings" section is listed below:

Decrypting sections of web.config file through code is very identical. The UnprotectSection() method of SectionInformation class removes the encryption from the configuration section.

private void DecryptAppSettings()
{
    Configuration objConfig = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    AppSettingsSection objAppsettings = (AppSettingsSection)objConfig.GetSection("appSettings");
    if (objAppsettings.SectionInformation.IsProtected)
    {
        objAppsettings.SectionInformation.UnprotectSection();
        objAppsettings.SectionInformation.ForceSave = true;
        objConfig.Save(ConfigurationSaveMode.Modified);
    }
}

This encrytion and decryption functionality can be applied to other sections of web.config file also. It comes in use mostly for "connectionStrings" section where usually the user name and password would be specified. This can done by creating a ConfigurationSection object. An example for "connectionStrings" section is listed below.

ConfigurationSection objConfigSection = objConfig.ConnectionStrings;

ConfigurationSection class represents a section within the configuration file. Configuration class has propertes for each configuration section. This property can be used to get respective ConfigurationSection objects. This is an alternative to the usage of GetSection() method of Configuration class.

You must Sign In to use this message board.

FAQ    Noise Tolerance Very HighHighMediumLowVery Low   Layout Expand Posts & RepliesThread ViewNo JavascriptNo JS + Preview   Per page 102550

Msgs 1 to 9 of 9 (Total in Forum: 9) (Refresh) FirstPrevNext

A unique article Sayed Sajid 2:40 28 Jul '09   Hi Habeeb, Hope you are doing fine. Its a very unique article I came accross. Apart I have a query to be asked. I want to save the password for my application in my configuration file using C# 3.5. Any suggestions or help would be highly appreciated. Many thanks in advance. regards Sajid Electronia pvt ltd. Alkhobar-KSA Sign In·View Thread·PermaLink Encrypt just 1 key Millan_Mosh 9:33 5 Nov '07   Hi. I need to encrypt just 1 key and leave the rest unEncrypted in the appSettings, is this posible? Sign In·View Thread·PermaLink 1.00/5 (1 vote) Profile paul_beckett 23:34 4 May '07   Good article! Is it possible to do this sort of thing with the profile section of web.config? I have a number of properties that I store here and it would be very useful to be able to edit this via a web interface. Thanks, Paul Beckett Sign In·View Thread·PermaLink Security issue Stefan Prodan 1:53 4 May '07   Your web app is not running in IIS, but when you deploy your site on a IIS server you'll notice that your app doesn't have the necessary rights to modify the config file and that is because it will be security risk. http://stefanprodan.wordpress.com Sign In·View Thread·PermaLink Re: Security issue phase64 15:14 17 May '07   Is there a way around this? I just found this out the hard way @_@ I've got some code that will attempt to encrypt the web.config file if itsnt encrypted. However, i keep getting an exception thrown when i try to save "An error occurred executing the configuration section handler for appSettings" Kind of defeats the purpose of encryption if we cant use it on the shared servers @_@ If it bleeds, we can kill it. - Dutch (Arnie) Sign In·View Thread·PermaLink Re: Security issue Mohammed. Habeeb 23:54 17 May '07   I am not sure if you are using the source code attached with this article or your own application. Please note that the attched application is made to use the native filesystem server of 2.0. Trying to configure it with IIS as such might create issues. Your issue can also be related to saving a user scopped setting. Try out the following setting to see if its ok. .Properties.Settings.Default.TestSetting = "test_value_2"; .Properties.Settings.Default.Save(); Sign In·View Thread·PermaLink Re: Security issue phase64 17:19 19 May '07   It turned out that I was unable to use the RSA provider for the encryption for some reason. When I used the other one (i forget whats its called right now .. Datasomething or other) it all worked like a charm! If it bleeds, we can kill it. - Dutch (Arnie) Sign In·View Thread·PermaLink Re: Security issue DummyDUmb 13:41 18 Oct '07   It's the DPAPI: objAppsettings.SectionInformation.ProtectSection("DataProtectionConfigurationProvider"); Regards, DD Sign In·View Thread·PermaLink 2.00/5 (1 vote) Re: Security issue Mohammed. Habeeb 23:40 17 May '07   The sample application code attached has been generated using Visual Studio 2005. Also it has been made to use the File System server thats incorporated with 2.0. So the application will not be working with IIS as such. But you can easily make it work with an application configured to use IIS. The Methods to encrypt and decrypt are totally reusable and try using it with an application configured with IIS. It must work fine. The security issue might be that your application folder wouldn't have write permission. Giving write permission to your application folder must solve your issue. Happy coding.. Sign In·View Thread·PermaLink 2.00/5 (1 vote)

Last Visit: 12:07 8 Nov '09     Last Update: 12:07 8 Nov '09 1