How do I secure my "hibernate.cfg.xml" file? (Nhibernate)
It currently sits in the root of the web app and can be viewed via the browser.
<configuration>
  <system.web>
    <httpHandlers>
      <!-- Refuse any request for hibernate.cfg.xml -->
      <add verb="*" path="hibernate.cfg.xml"
           type="System.Web.HttpForbiddenHandler"/>
    </httpHandlers>
  </system.web>
</configuration>
Your hibernate.cfg.xml should be set to 'Copy to Output Directory: Copy Always'. When you build, it is copied into your output directory. If you publish your site, it will only be in your output (bin) directory, so no one will be able to access it.
It could live in the bin directory; that way it is protected, and if you need to modify it, your app will auto-restart because a change was made in the bin directory.
Edit: you might actually want/have to do this if your NHibernate code lives in a separate class library such that you don't want to mix its configuration in with the web.config (or app.config if sharing the library between interfaces).
That's a very good question.
There must be a few ways to secure it. One I can think of is - if you are not serving an XML in the web site - to change the MIME type of the XML registered against the web site so that it is not served.
Other solutions not directly securing the "hibernate.cfg.xml" file:
1) Define the configuration in web.config using NHibernate section handler
2) Configure in the code
3) Setup NHibernate to read a file with .config extension
Put NHibernate config in web.config, this way it won't be viewed in browsers.
Put it in your App_Data folder. The App_Data folder is a special protected folder in ASP.NET web applications that can't be externally accessed via a browser. I tend to put all my config files there (except the web.config of course).
When you publish your website, the first thing you do is to delete the "hibernate.cfg.xml" file located in the root folder, so there's no need to secure it.
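A deployment check for the advice in the answers above, as an added example that is not part of the original thread: it walks a published site folder and reports any hibernate.cfg.xml left outside bin/ and App_Data/ with no HttpForbiddenHandler entry in web.config covering it. The function names, the sample layout and the rule that only top-level bin/ and App_Data/ count as protected are assumptions; it does not check whether IIS actually routes .xml requests to ASP.NET.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

TARGET = "hibernate.cfg.xml"
PROTECTED_DIRS = {"bin", "app_data"}  # assumption: only top-level copies count as protected
FORBIDDEN = "System.Web.HttpForbiddenHandler"

def forbidden_paths(web_config):
    """Lower-cased path patterns that web.config maps to HttpForbiddenHandler."""
    if not os.path.isfile(web_config):
        return set()
    paths = set()
    for el in ET.parse(web_config).getroot().iter():
        tag = el.tag.split("}")[-1]  # tolerate an xmlns on <configuration>
        if tag == "add" and el.get("type", "").split(",")[0].strip() == FORBIDDEN:
            paths.add(el.get("path", "").lower())
    return paths

def audit(site_root):
    """Relative paths of hibernate.cfg.xml copies left where a browser can request them."""
    blocked = forbidden_paths(os.path.join(site_root, "web.config"))
    handler_covers = bool(blocked & {TARGET, "*.xml", "*"})
    exposed = []
    for dirpath, dirnames, filenames in os.walk(site_root):
        rel = os.path.relpath(dirpath, site_root)
        if rel.split(os.sep)[0].lower() in PROTECTED_DIRS:
            dirnames[:] = []  # do not descend into bin/ or App_Data/
            continue
        for name in filenames:
            if name.lower() == TARGET and not handler_covers:
                exposed.append(os.path.normpath(os.path.join(rel, name)))
    return sorted(exposed)

def build_sample_site(root, handler=False):
    """Constructed sample layout: one copy in the site root, one in bin/."""
    os.makedirs(os.path.join(root, "bin"), exist_ok=True)
    for rel in (TARGET, os.path.join("bin", TARGET)):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<hibernate-configuration/>")
    entry = f'<add verb="*" path="{TARGET}" type="{FORBIDDEN}"/>' if handler else ""
    with open(os.path.join(root, "web.config"), "w") as fh:
        fh.write("<configuration><system.web><httpHandlers>" + entry +
                 "</httpHandlers></system.web></configuration>")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        print("exposed:", audit(site))
```

Run it against the publish output as a release gate; an empty list means every copy found sits in bin/ or App_Data/ or is covered by a forbidden-handler entry.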