Application Security Testing: An Integral Part of DevOps
During software development, testing, and deployment, configuration files change continuously: application settings, database connection strings, and membership, role, and profile provider information all vary. Changing the web.config file each time is tedious and error prone. Fortunately, ASP.NET provides a configuration system by which a developer can keep application configuration flexible at runtime. Also, the config file is dynamic; a developer can change a value in the config file without compiling and deploying the .NET app.
For example, items inside appSettings need to be configurable depending upon the environment. A database connection string will change once you move your application from Dev to the SIT server.
.NET Configuration Files
.NET supports web.config and app.config as configuration files. A configuration file contains all application-level and project-level configurations in XML format, so that it is compatible with every machine and environment. An ASP.NET application can have one or more web.config files, and a Windows application can have an optional app.config file. Configuration files share common elements. The name and location of a configuration file may vary, depending on the application's host.
Using AppSetting in a web.config File
Both web.config and app.config expose an <appSettings> element. This element can be used as a place to store application settings, such as connection strings, file paths, and so forth. In the appSettings section, we store settings as key/value pairs. The appSettings section sits under the configuration tag. The following code snippet demonstrates the syntax of the <appSettings> element.
<?xml version="1.0"?>
<configuration>
  <connectionStrings configSource="ConnString.config"/>
  <appSettings>
    <add key="[KeyName]" value="[Value of Key]"/>
  </appSettings>
  <system.web>
    <compilation debug="true" targetFramework="4.5.2" />
    <httpRuntime targetFramework="4.5.2" />
  </system.web>
</configuration>
To retrieve a key's value from the appSettings section, a developer has to write code that uses the ConfigurationManager class provided by .NET. That class belongs to the System.Configuration namespace.
Following is the syntax for retrieving a key's value:
ConfigurationManager.AppSettings["KeyName"]
Multiple File Configuration
We can store the appSettings section in an external configuration file to manage it efficiently. Also, during runtime, we can change the value of an appSettings entry and update the file without restarting the application and IIS.
There are two ways to link an external configuration file with your web.config or app.config. As the following code snippet demonstrates, the appSettings element may carry either a file attribute or a configSource attribute, each pointing to an external file.
<appSettings file="">
<appSettings configSource="">
Now, let me show you a web.config linking with an external configuration file. Start Visual Studio (I am using VS Community 2017)-->Click on File-->New-->WebSite-->Select ASP.NET Empty Web Site, as shown in Figure 1. Name the project "SampleWebSiteExternalConfig."
Figure 1: Visual Studio-->New Project
Now, open the Solution Explorer or press ALT + CTRL + L. You will be able to see the following web.config file already added by VS (see Figure 2).
Figure 2: Visual Studio Configuration file
Double-click the web.config file; you will see the following default values in the web.config file, as you can see in Figure 3. By default, no appSettings element tag is added in web.config.
Figure 3: Default values of web.config
Next, add the following simple internal appSettings section within the web.config file (see Figure 4).
Figure 4: Added App settings section
Next, we will add a new external configuration file. Choose Solution Explorer-> Right Click -> Add-> Add New Item->Select Web configuration file, as shown in Figure 5.
Figure 5: Adding an external configuration file
Name it ExternalAppSetting.config (see Figure 6).
Figure 6: Naming the external configuration file
Now, let's add the following appSettings section (see Figure 7) in the ExternalAppSetting.config file.
Figure 7: External configuration file values
Now, let's link the external app setting config file to web.config. As mentioned earlier, there are two methods to attach the external appSettings config file to web.config. I have used the file attribute. The code snippet in Figure 8 explains the linking.
Figure 8: Refer the external configuration file in the web.config
The connectionStrings section of the web.config can be linked to an external configuration file in a similar way. The code snippet shown in Figure 9 shows the syntax of linking the external database connection file. You have to specify the path of the external config file in the configSource attribute (see Figure 9).
Figure 9: Refer the external connection string file in the web.config
Add the ConString.config file to your project, as shown in Figure 10. Navigate to Solution Explorer-> Right Click -> Add-> Add New Item->Select Web configuration file. Name it ConString.config, as shown in Figure 10.
Figure 10: Adding the external connection string file in the solution
For this demonstration, I have added the following two connection strings in the ConString.config file (see Figure 11).
Figure 11: External connection string file values
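The linking built in the steps above, as an added example that is not part of the original article: a Python model of how .NET resolves the file and configSource links (not .NET's own code), with a check that linked files keep the .config extension. The file names follow the article; the keys, values, connection string and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

FILES = {  # constructed sample project, keyed by path relative to the site root
    "web.config": """<configuration>
  <connectionStrings configSource="ConString.config"/>
  <appSettings file="ExternalAppSetting.config">
    <add key="Environment" value="Dev"/>
    <add key="PageSize" value="20"/>
  </appSettings>
</configuration>""",
    "ExternalAppSetting.config": """<appSettings>
  <add key="Environment" value="SIT"/>
  <add key="ReportPath" value="D:\\Reports"/>
</appSettings>""",
    "ConString.config": """<connectionStrings>
  <add name="AppDb" connectionString="Server=sit-sql;Database=App;Integrated Security=True"/>
</connectionStrings>""",
}

def check_extension(path, warnings):
    # IIS and ASP.NET refuse to serve *.config by default; other extensions get no such protection.
    if PurePosixPath(path.replace("\\", "/")).suffix.lower() != ".config":
        warnings.append(f"{path}: not a .config file, may be served as static content")

def resolve(files):
    """Return (appSettings, connectionStrings, warnings) as the application would see them."""
    root = ET.fromstring(files["web.config"])
    warnings = []
    app = root.find("appSettings")
    settings = {a.get("key"): a.get("value") for a in app.findall("add")}
    ext = app.get("file")
    if ext:
        check_extension(ext, warnings)
        if ext in files:  # a missing 'file' target is silently ignored
            for a in ET.fromstring(files[ext]).findall("add"):
                settings[a.get("key")] = a.get("value")  # 'file' merges; the external value wins
    conn = root.find("connectionStrings")
    src = conn.get("configSource")
    if src:
        if len(conn) or len(conn.attrib) > 1:  # configSource replaces the whole section
            raise ValueError("configSource section may hold no other attributes or elements")
        check_extension(src, warnings)
        conn = ET.fromstring(files[src])  # KeyError here: a missing configSource target is an error
    conns = {a.get("name"): a.get("connectionString") for a in conn.findall("add")}
    return settings, conns, warnings
```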
I hope the explanation, feature description, and code snippets shown here are useful for developers who keep user-specific or environment-specific settings in an external configuration file. An external configuration file makes it easier to move around global web.config changes. Thanks for reading!