ASP.NET Configuration Scenarios
When the server receives a request for a particular Web resource, ASP.NET computes the configuration settings for that resource hierarchically, using all configuration files that are located in the virtual directory path for the requested URL. The most local configuration settings override settings in parent configuration files.
For example, you could have a Web site with the following physical file structure, where the Application Root directory is the application virtual directory.
Normally, the last configuration setting overwrites settings for the same section provided in parent directories. In the case of a collection element, the settings are not overridden; they are added to the collection.
A custom section handler might implement a different inheritance scheme.
Assume that there is a Web.config file in the SubDir1 directory and none in the Application Root or SubDir2 directories. In this case, ASP.NET uses three configuration files to compute the configuration settings for the SubDir1 directory. The highest-level file is the one located in the %systemroot%\Microsoft.NET\Framework\versionNumber\CONFIG directory. This file, which is named Machine.config, is at the machine level. All of the .NET Framework applications that run the specified version of the .NET Framework (versionNumber) inherit settings from this file. The next highest-level file is the root Web.config file, which is in the same location. All ASP.NET applications that run the specified version of the .NET Framework inherit its settings. The third configuration file is the Web.config file, which is located in the SubDir1 directory.
Assume that the Web.config file in the SubDir1 directory contains the anonymousIdentification element with the enabled attribute set to true. The default setting for the enabled attribute is false. This is an internal default and is not specified in any of the root configuration files. Since there is no configuration file in the Application Root or SubDir2 directories that modifies the anonymousIdentification element, anonymous users do not have access to the ASP.NET resources in these directories. However, anonymous users do have access to the ASP.NET resources in the SubDir1 directory.
The ASP.NET configuration system applies only to ASP.NET resources, which are the resources registered to be handled by ASP.NET using Aspnet_isapi.dll. By default, the configuration system does not provide authorization for non-ASP.NET resources. ASP, HTML, TXT, GIF, and JPEG files, for example, are accessible by all users. In the preceding example, if directory browsing is enabled and no other restrictions are in place, all users can view non-ASP.NET files located in the application root directory, SubDir1, and SubDir2. For more information about ASP.NET security, see ASP.NET Web Application Security.
The following Web site has a file structure in which the application virtual directory maps to the application root directory (MyAppRootDir).
MyAppRootDir
    SubDir1
        SubDir1A
    SubDir2
Except during conditions described in the "Restrictions on ASP.NET Inheritance" section in ASP.NET Configuration File Hierarchy and Inheritance, a configuration setting in any directory overrides the settings written in parent directories. For example, you can configure the application settings to grant all users access to the ASP.NET resources in MyAppRootDir and SubDir2, but grant only selected users access to the ASP.NET resources in SubDir1 and SubDir1A, by completing the following steps:
1. Leave MyAppRootDir as is. The ASP.NET resources in MyAppRootDir inherit the default settings from the Machine.config file, one of which allows anonymous access. At this stage, MyAppRootDir and the three subdirectories inherit this authentication setting.
2. Place a Web.config file in SubDir1 with authentication set to allow only selected users access to SubDir1. This overrides the anonymous access allowed by the setting in the Machine.config file and inherits downward to SubDir1A. SubDir2, which is at the same level as SubDir1, does not inherit the authentication setting in SubDir1.
All ASP.NET applications inherit the default settings in the Web.config file at the root Web level. The default setting for the security configuration section of this file allows all users to access all URL resources. There is no configuration file in the example's application root directory that modifies security, so all users have access to the ASP.NET resources in it (because that directory inherits from the machine-level configuration file). If the Web.config file in the SubDir1 directory contains a security configuration section that grants access only to certain users, then SubDir1A inherits that setting. Thus, all users have access to the ASP.NET resources in the application root directory and in SubDir2, but only selected users have access to the ASP.NET resources in SubDir1 and SubDir1A.
Configuration settings for virtual directories, which are friendly names for directories that simplify access paths and hide the names of real directories, are independent of physical-directory structure. As a result, virtual directories must be organized carefully to avoid configuration problems. For example, you might set up virtual directories to retrieve the ASP.NET page named MyResource.aspx from the following physical directory structure.
MyDir
    SubDir1 (mapped from VDir1)
        SubDir1A (mapped from VDir1A)
            MyResource.aspx
    SubDir2
In this example, there is a Web.config file in SubDir1 and another Web.config file in SubDir1A. If a client accesses C:\Subdir1\Subdir1A\MyResource.aspx using the URL http://localhost/vdir1/subdir1A/MyResource.aspx, the resource inherits configuration settings from Vdir1. However, if the client accesses the same resource using the URL http://localhost/vdir1A/MyResource.aspx, it does not inherit settings from Vdir1. Therefore, creating virtual directories in this manner is not recommended because it can cause unexpected results or even an application failure.
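The two URL paths described above can be modelled to check whether one physical resource ends up with different effective access rules; the same model shows the downward inheritance from SubDir1 to SubDir1A described in the earlier steps. The following Python sketch is an added example, not part of the original documentation or of ASP.NET itself. It is a simplified model: the rule values (users alice and bob), the WEB_CONFIGS table and the function names are assumptions constructed for illustration.

```python
"""Simplified model of hierarchical <authorization> resolution (added example)."""

# Default rule inherited from the root Web.config: <allow users="*"/>
ROOT_RULES = [("allow", "*")]

# Constructed sample: <authorization> rules keyed by URL (virtual) path.
# Assumed mapping: /vdir1 -> SubDir1, /vdir1A -> SubDir1\SubDir1A.
WEB_CONFIGS = {
    "/vdir1": [("allow", "alice"), ("deny", "*")],  # SubDir1\Web.config
    "/vdir1/subdir1a": [],  # SubDir1A\Web.config, no authorization section
    "/vdir1a": [],          # the same SubDir1A file, reached through VDir1A
}

def config_chain(url_path):
    """Return the URL-path levels whose Web.config applies, outermost first."""
    segments = [s for s in url_path.lower().split("/") if s][:-1]  # drop file name
    levels = ["/" + "/".join(segments[:i]) for i in range(1, len(segments) + 1)]
    return [lvl for lvl in levels if lvl in WEB_CONFIGS]

def effective_rules(url_path):
    """Merge the rule collections: most local rules first, inherited rules after."""
    rules = []
    for level in reversed(config_chain(url_path)):
        rules.extend(WEB_CONFIGS[level])
    return rules + ROOT_RULES

def is_authorized(url_path, user):
    """First matching rule wins; user=None models an anonymous request ('?')."""
    for action, who in effective_rules(url_path):
        if who == "*" or (who == "?" and user is None) or who == user:
            return action == "allow"
    return False

def divergent_users(urls, users):
    """List users whose access to one physical resource differs by URL."""
    return [u for u in users if len({is_authorized(url, u) for url in urls}) > 1]

if __name__ == "__main__":
    same_file = ["/vdir1/subdir1A/MyResource.aspx", "/vdir1A/MyResource.aspx"]
    for url in same_file:
        print(url, config_chain(url), "bob allowed:", is_authorized(url, "bob"))
    print("inconsistent for:", divergent_users(same_file, ["alice", "bob", None]))
```

In this model, bob and anonymous requests are refused through /vdir1/subdir1A but allowed through /vdir1A, which is the kind of unexpected result the paragraph above warns about.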
Internet Information Services (IIS) is the Web server for all resources published over the Web. The ASP.NET configuration system applies only to ASP.NET resources, which are the resources that are registered to be handled by ASP.NET using Aspnet_isapi.dll. By default, the configuration system does not provide security for non-ASP.NET resources. For example, ASP, HTML, TXT, GIF, and JPEG files are accessible by all users. In the preceding example, if directory browsing is enabled and no other restrictions are in place, all users can view non-ASP.NET files located in the application root directory, SubDir1, and SubDir2.