Click here to Skip to main content
65,938 articles
CodeProject is changing. Read more.
Articles
(untagged)

Edit and Encrypt Web.Config Sections Using C# 2.0

0.00/5 (No votes)
3 May 2007 4  
An article to illustrate editing and encrypting of sections of a Web.Config file programatically.

Screenshot - WebConfigApp.jpg

Introduction

ASP.NET 1.x allowed configurations in the Web.Config file to be read from a .NET application. But there were no options to manipulate Web.Config contents programmatically. To achieve this, we had to consider the Web.Config file as a normal file or an XML file and manually do it. .NET 2.0 fills this gap and provides many other useful operations to be carried out on the Web.Config file, like editing and encrypting sections of the Web.Config file. This articles illustrates these functionalities via a sample ASP.NET application.

Using the code

The classes and methods to take control of the Web.Config file span across two namespaces:

  1. System.Configuration
  2. System.Web.Configuration

Each section in the Web.Config file has a corresponding class in either of the namespace. These classes allow modification of the corresponding sections. The classes for sections within the "system.web" section are found in System.Web.Configuration. Classes for other sections that are not specific to Web.Config are found in System.Configuration.

Steps to modify a section in Web.Config

  1. Open Web.Config for editing using the WebConfigurationManager class.
  2. Using the respective Configuration class, bring about the necessary changes.
  3. Save changes to the physical file using the Configuration class.
private void UpdateConfig(string strKey, string strValue)
{
    Configuration objConfig = 
        WebConfigurationManager.OpenWebConfiguration("~");
    AppSettingsSection objAppsettings = 
       (AppSettingsSection)objConfig.GetSection("appSettings");
    if (objAppsettings != null)
    {
        objAppsettings.Settings[strKey].Value = strValue;
        objConfig.Save();
    }
}

In the above piece of code, the OpenWebConfiguration() method of the WebConfigurationManager class opens the Web.Config file in the root directory and returns it as a Configuration object. The GetSection() method of the Configuration class accepts a path to a specific section as the argument. The path is the relative path from the root node "configuration". You can refer to deeper nodes (sections in our context) by their names separated by '/'. For example, to get access to the "authentication" section, provide "system.web/authentication" as the parameter to the GetSection() method. It returns a generic ConfigurationSecton object, which can be typecast to the proper configuration section class. In our example, we get hold of the "appSettings" section with the help of the AppSettingsSection class. The AppSettingsSection class instance has a Settings collection property which contains the application setting from the configuration section as key-value pairs. The Settings property can be indexed using a key to get the corresponding value. You can also set the value property and call the Save() method of the Configuration object to write configurations in the Configuration instance to the config file.

To delete an entry in the Web.config file

The Remove() method of the Settings collection deletes an entry from the Configuration instance. The Remove() method accepts the key of the entry to be deleted.

Note: Please do not forget to call the Save() method of the Configuration instance to get the changes reflected in the physical file.

objAppsettings.Settings.Remove("Location");

To iterate through all the key-value pairs in a configuration section, access the string array of keys via the AllKeys property of the Settings collection.

foreach (string strKey in objAppsettings.Settings.AllKeys)
{
    DataRow dr = dt.NewRow();
    dr["Key"] = strKey;
    dr["Value"] = objConfig.AppSettings.Settings[strKey].Value;
    dt.Rows.Add(dr);
}

Encrypting sections in the Web.Config file

Now comes the security issues. At times there comes the necessity for protecting sections of the config file. In .NET 2.0, there are options available to encrypt sections of the Web.config file programmatically. The following method encrypts the "appSettings" section in the Web.config file.

private void EncryptAppSettings()  
{
    Configuration objConfig = 
      WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    AppSettingsSection objAppsettings = 
      (AppSettingsSection)objConfig.GetSection("appSettings");
    if (!objAppsettings.SectionInformation.IsProtected)
    {
        objAppsettings.SectionInformation.ProtectSection(
                       "RsaProtectedConfigurationProvider");
        objAppsettings.SectionInformation.ForceSave = true;
        objConfig.Save(ConfigurationSaveMode.Modified);
    }
}

The code above opens the Web.Config file for modification. It then retrieves the "appSettings" section. The ProtectSection() method of the SectionInformation class marks the configuration section for protection. It accepts the name of the protection provider to be used for the encryption. The ForceSave property indicates if the specified configuration section will be saved even if it has not been modified. Finally, the Save() of the Configuration object writes the configuration settings to the Web.Config file. The argument to the Save() method indicates only properties modified need to be written to the physical file.

Below is a listing of the "appSettings" section before encryption:

Screenshot - WebConfig.jpg

The encrypted "appSettings" section is listed below:

Screenshot - WebConfigEncrypted.jpg

Decrypting sections of the web.config file through code is very identical. The UnprotectSection() method of the SectionInformation class removes the encryption from the configuration section.

private void DecryptAppSettings()
{
    Configuration objConfig = 
      WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    AppSettingsSection objAppsettings = 
      (AppSettingsSection)objConfig.GetSection("appSettings");
    if (objAppsettings.SectionInformation.IsProtected)
    {
        objAppsettings.SectionInformation.UnprotectSection();
        objAppsettings.SectionInformation.ForceSave = true;
        objConfig.Save(ConfigurationSaveMode.Modified);
    }
}

This encryption and decryption functionality can be applied to other sections of the web.config file. It comes in use mostly for the connectionStrings section where usually the user name and password would be specified. This can done by creating a ConfigurationSection object. An example for the connectionStrings section is shown below.

ConfigurationSection objConfigSection = objConfig.ConnectionStrings;

The ConfigurationSection class represents a section within the configuration file. The Configuration class has properties for each configuration section. This property can be used to get the respective ConfigurationSection objects. This is an alternative to the usage of the GetSection() method of the Configuration class.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here