Allow anonymous authentication for a single folder in web.config

asp.netauthenticationweb.config

So here is the scenario, I have an Asp.Net application that is using a custom authentication & membership provider but we need to allow completely anonymous access (i.e.) to a particular folder within the application.

In IIS manager, you can set the authentication mode of a folder, but the settings are saved within C:\Windows\System32\inetsrv\config\applicationHost.config file as described here

To make installation easier, it would be great if I could set this within my web.config but after a couple of attempts I think this may not be possible.

Does anyone know otherwise?

Many thanks

Best Answer

The first approach to take is to modify your web.config using the <location> configuration tag, and <allow users="?"/> to allow anonymous or <allow users="*"/> for all:

<configuration>
   <location path="Path/To/Public/Folder">
      <system.web>
         <authorization>
            <allow users="?"/>
         </authorization>
      </system.web>
   </location>
</configuration>

If that approach doesn't work then you can take the following approach which requires making a small modification to the IIS applicationHost.config.

First, change the anonymousAuthentication section's overrideModeDefault from "Deny" to "Allow" in C:\Windows\System32\inetsrv\config\applicationHost.config:

<section name="anonymousAuthentication" overrideModeDefault="Allow" />

overrideMode is a security feature of IIS. If override is disallowed at the system level in applicationHost.config then there is nothing you can do in web.config to enable it. If you don't have this level of access on your target system you have to take up that discussion with your hosting provider or system administrator.

Second, after setting overrideModeDefault="Allow" then you can put the following in your web.config:

<location path="Path/To/Public/Folder">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</location>

Related Solutions

Asp – IIS: Anonymous and WIndows Authentication

You can create a virtual directory as a sub-directory to the main site.

Create a folder somewhere on the machine. Make sure the IUSR account has read/write access to this folder.
Create a virtual directory in your website through IIS. Point it to the folder you created above.
Allow anonymous access on the virtual directory, and clear windows authentication.

You should be good to go. Please note that, with anonymous access, anyone will be able to read/write to this folder, even without using your Flash application.

The way I've done this in the past was to store the documents in a database, and require a session token to be passed from the Flash application before returning the file from the database. You can apply a similar approach to a file share (make a upload.aspx that will check the auth then grab the file from a folder that is not accessible from the web).

Json – set an unlimited length for maxJsonLength in web.config

NOTE: this answer applies only to Web services, if you are returning JSON from a Controller method, make sure you read this SO answer below as well: https://stackoverflow.com/a/7207539/1246870

The MaxJsonLength property cannot be unlimited, is an integer property that defaults to 102400 (100k).

You can set the MaxJsonLength property on your web.config:

<configuration> 
   <system.web.extensions>
       <scripting>
           <webServices>
               <jsonSerialization maxJsonLength="50000000"/>
           </webServices>
       </scripting>
   </system.web.extensions>
</configuration>

Best Answer

Related Solutions

Asp – IIS: Anonymous and WIndows Authentication

Json – set an unlimited length for maxJsonLength in web.config

Related Topic