Before diving into specifics on ACL requirements for reading and writing configuration, a quick primer on using the strongly typed configuration API is useful. Even though a detailed discussion of the new strongly typed configuration API is out of the scope of this book, it is helpful for you to understand the basic coding approaches for manipulating configuration before you see the various security requirements that are enforced when using these APIs.
You may never end up using the strongly typed configuration API. For example, if you use the Membership feature, almost all of the configuration information about the feature itself (the <membership /> configuration element) and the individual providers (the various <add /> elements) is available from the Membership and various MembershipProvider-derived classes. Other features like Forms Authentication follow a similar approach.
However, some features, such as session state, don't mirror every configuration setting via a property from a well-known feature class. Also, for administrative-style applications, it makes sense to deal with configuration information using the configuration APIs as opposed to using different feature classes that are potentially scattered across different namespaces.
Reading configuration for a web application can be accomplished in two different ways. If you want to use the configuration APIs available to all Framework applications, you use the ConfigurationManager ...