IIS/ASP.NET not recognizing writes to web.config

John Gonsalves

I'm experiencing problems related to IIS/ASP.NET not recognizing writes
to web.config that my web application performs.

Specifically I have a web application that provides an interface
allowing authenticated domain users to be written to the "authorization"
section of the web.config file. Since I'm using Integrated Windows
Authentication, these users should then be able to issue the various
HTTP POSTS to the web application. However what I'm seeing is that the
users I add to the web.config file still are unauthorized.

IIS/ASP.NET simply doesn't detect modifications to the web.config file
I'm doing programmatically in my web application using the .NET
Configuration / WebConfigurationManager API.

If I use a non-programmatic way of modifying the web.config file after a
user has been added, i.e. use notepad to open web.config and save,
without making any changes, then IIS/ASP.NET recognise the change to
web.config and now the users become authorized to use my web
application.

Is this a bug?

-John Gonsalves
 
John Gonsalves

By the way, I'm using .NET 2.0 and my web application is running on
Windows 2003 Server Enterprise Edition.

-John
 
Latish Sehgal

If your code is able to add the users to the config file, could you
try adding the users programmatically and then restarting the site
once, and then test it? Normally a web.config change causes the site
to be reloaded in memory for future hits, but the current requests
are served using the old settings. I am just taking an educated guess
but maybe when you are modifying the config file programmatically, the
site never gets unloaded from memory to allow the new settings to take
effect.

If this is the case, maybe you can try picking up the users
dynamically from another xml file instead of web.config, which I think
is always tricky to modify on the fly.
Hope this helps.

Latish
 
John Gonsalves

I still have not received a response that works.

The feature I'm trying to use is the one where "allow users=" in the
authorization section while using Integrated Windows Security enforces
who can access the web application.

One of the services this web application offers is the ability to issue
a http post that includes a domain/user who I desire to give
authorization to (i.e. they are added to the web.config authorization
section using the Configuration / WebConfigurationMgr API).

Unfortunately IIS does not recognize any changes I make to web.config
programmatically, unless I manually use notepad to open the web.config
file and force a save without any additional modifications. (i.e. file
watcher is triggered on the notepad save but not on the
Configuration.save()).

This is clearly a bug and I need a workaround!

-John Gonsalves
Hewlett Packard
 
Latish Sehgal

Also, is there a compelling reason for you to use web.config for this?
Can't you pick the settings from a Sql Server table or another config
file?
 
John Gonsalves

I could save the users to another file or database and do some
personalization in my web application to authorize by comparing the
LogonUserIdentity.Name.ToString() with what I have stored.

But I was hoping that by adding these users programmatically to
web.config in the authorization section, would force IIS to do this for
me.

-John Gonsalves
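
The approach discussed in the posts above (keep the allowed accounts outside web.config and compare the Windows identity on every request), as an added example that is not part of the thread. The module name and the text-file store under App_Data are assumptions; a database lookup would slot into `IsAllowed` the same way.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

// Added example, not code from the thread. The class name and the store
// ~/App_Data/allowed-users.txt (one DOMAIN\user per line) are assumptions.
public class AllowListModule : IHttpModule
{
    private const string StorePath = "~/App_Data/allowed-users.txt";
    private static readonly object Sync = new object();
    private static Dictionary<string, bool> cache;
    private static DateTime cacheStamp;

    public void Init(HttpApplication app) { app.AuthorizeRequest += OnAuthorize; }
    public void Dispose() { }

    private static void OnAuthorize(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        bool ok = ctx.User != null && ctx.User.Identity.IsAuthenticated
            && IsAllowed(ctx.Server.MapPath(StorePath), ctx.User.Identity.Name);
        if (ok) return;
        ctx.Response.StatusCode = 403;              // not on the list: deny
        ctx.ApplicationInstance.CompleteRequest();  // jump straight to EndRequest
    }

    // Reloads the list whenever the file's timestamp changes, so an account
    // added at run time is honoured on the next request without a restart.
    public static bool IsAllowed(string path, string account)
    {
        lock (Sync)
        {
            if (!File.Exists(path)) return false;   // missing store: fail closed
            DateTime stamp = File.GetLastWriteTimeUtc(path);
            if (cache == null || stamp != cacheStamp)
            {
                Dictionary<string, bool> fresh =
                    new Dictionary<string, bool>(StringComparer.OrdinalIgnoreCase);
                foreach (string line in File.ReadAllLines(path))
                    if (line.Trim().Length > 0) fresh[line.Trim()] = true;
                cache = fresh;
                cacheStamp = stamp;
            }
            return cache.ContainsKey(account);
        }
    }
}
```

The module is registered under `system.web/httpModules` in web.config; with Integrated Windows Authentication, `ctx.User.Identity.Name` carries the `DOMAIN\user` account name that the list is compared against.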
 
John Gonsalves

Latish,

What you're suggesting won't work for me. The users are added to the
web.config file authorization section spuriously and infrequently. When
they are added I don't have the liberty of restarting the web site. I
need the new users to be given authorization by IIS automatically.

The functionality I need is using Windows Integrated Security:

1) Add a user to the authorization section in web.config as 'allow
users="newuser"', programmatically

2) Have IIS honor the added user, allowing them access to the web site.

There must be a way to do this using web.config.

-John Gonsalves
 
John Gonsalves

Enterprise Library Configuration block appears to deal with
configuration changes being detectable by the web application.

I need IIS to detect my application changes, namely the authorization
section of the web.config file.

-John Gonsalves
 
Guest

> I'm experiencing problems related to IIS/ASP.NET not recognizing writes
> to web.config that my web application performs.
>
> Specifically I have a web application that provides an interface
> allowing authenticated domain users to be written to the "authorization"
> section of the web.config file. Since I'm using Integrated Windows
> Authentication, these users should then be able to issue the various
> HTTP POSTS to the web application. However what I'm seeing is that the
> users I add to the web.config file still are unauthorized.
>
> IIS/ASP.NET simply doesn't detect modifications to the web.config file
> I'm doing programmatically in my web application using the .NET
> Configuration / WebConfigurationManager API.
>
> If I use a non-programmatic way of modifying the web.config file after a
> user has been added, i.e. use notepad to open web.config and save,
> without making any changes, then IIS/ASP.NET recognise the change to
> web.config and now the users become authorized to use my web
> application.
>
> Is this a bug?
>
> -John Gonsalves
>
> *** Sent via Developersdex http://www.developersdex.com ***

I believe it's an error in your code. The following code is working
well for me:

// Requires: using System.Configuration; using System.Web.Configuration;
// Build a rule that denies the listed users.
string[] users = { "alexey" };
AuthorizationRule authorizationRule =
    new System.Web.Configuration.AuthorizationRule(AuthorizationRuleAction.Deny);
authorizationRule.Users.AddRange(users);

// Open the application's root web.config and add the rule to <authorization>.
Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
AuthorizationSection authorizationsection =
    config.GetSection("system.web/authorization") as AuthorizationSection;
authorizationsection.Rules.Add(authorizationRule);

// Write the change back to web.config.
config.Save();

Once it is executed the web.config is updated and I'm blocked.
 
John Saunders

> Enterprise Library Configuration block appears to deal with
> configuration changes being detectable by the web application.
>
> I need IIS to detect my application changes, namely the authorization
> section of the web.config file.
>
> -John Gonsalves

John, were you aware that IIS has nothing to do with the web.config? It's all ASP.NET.

I would strongly suggest not using the authentication section of web.config to store users. You should use a database for that. If nothing else, consider that writes to web.config are not transactional, and a system crash while you're writing could result in an invalid web.config file, which would leave your entire application unavailable.

John
 
Guest

> Enterprise Library Configuration block appears to deal with
> configuration changes being detectable by the web application.
>
> I need IIS to detect my application changes, namely the authorization
> section of the web.config file.
>
> -John Gonsalves

John, did you check my response to this thread?
 
John Gonsalves

Yes John, I read and understand your recommendation. Apparently
web.config authorization section wasn't meant to be updated and have
those changes be honored as far as IIS/ASP.NET enforcing any rule
changes made.

I'll add a database table for users.

Thanks for the help. I'd still like to know if what I've been
experiencing is a defect.

-John Gonsalves
 
Guest

> Yes John, I read and understand your recommendation. Apparently
> web.config authorization section wasn't meant to be updated and have
> those changes be honored as far as IIS/ASP.NET enforcing any rule
> changes made.
>
> I'll add a database table for users.
>
> Thanks for the help. I'd still like to know if what I've been
> experiencing is a defect.
>
> -John Gonsalves
>
> *** Sent via Developersdex http://www.developersdex.com ***

http://groups.google.com/group/microsoft.public.dotnet.framework.aspnet/msg/3de7c450bf9cd102
 
