8.3 Locking Down Configuration Settings

All of the previous examples rely on the ability to override settings in machine.config with settings in the web.config file for an individual application. As mentioned earlier, you can also use a web.config file located in a child folder of an application to override settings in a parent web.config file. However, what if the application developer or the server administrator doesn't want certain settings to be overridden? No problem. The configuration system provides a special element, <location>, that serves this purpose handily.

The basic structure of the <location> element consists of the opening element tag with two attributes, path and allowOverride, followed by the elements to be locked down, and the closing element tag. For example:

<location path="pathtocontrol" allowOverride="True|False">
    <!-- Settings to lock down -->
</location>

The path attribute, which is optional when locking down configuration settings, is used to specify the application or filename to be controlled by the <location> element. If omitted, the <location> element's settings apply to all children of the configuration file in which it appears. Example 8-6 shows a <location> element which, when added to machine.config, requires all ASP.NET applications on the machine to use Windows authentication.

Example 8-6. Locking down configuration settings

<configuration>
   <system.web>
      <location allowOverride="False">
         <authentication mode="Windows"/>
      </location>
   </system.web>
<configuration>

Note that the <location> element can also be used to configure settings for a child application, directory, or file from a parent configuration file. When used in this manner, the path attribute is required and the allowOverride attribute is optional.