I have an existing ASP.NET application that implements Forms Authentication site-wide. The application is deployed in multiple instances (e.g., customer1, customer2, test, dev, etc…), with a separate database per instance. SSL is in play. Instance configuration is via an XML config file.
I have a new requirement to allow upload/download of certain data, which I would like to implement as a public web service.
My initial thought here was to selectively disable forms authentication for a subdirectory of the application (e.g., ~/Services), and then do authentication via a SOAP header or similar.
However, I’m not finding a way to selectively disable forms auth.
Question: Is there a way to do this? I’ve tried the <location> tag in web config to no avail.
If not, what are your recommendations for how to set this up? I can think of the following options:
1) Create a new “Services” project in my solution, and then configure a separate IIS ASP.NET application on that directory in each instance. (Pro: easy access to instance configuration, which may be needed in the future. Con: configuration burden for each relevant instance).
2) Create a separate “Services” solution that references needed assemblies from the application solution and host it as a separate ASP.NET application. Then, lookup the db connection string based on the UserName provided in SOAP Header. (Pro: single app to configure in IIS. Con: No easy access to instance config.)
3) ??
Clarification: I did see the answer here: Override ASP.NET forms authentication for a single page, but the use of a location tag is not helping (requests for the web service are still redirected). The relevant sections in my web.config look like this:
<system.web>
<authentication mode="Forms">
<forms loginUrl="Login.aspx"/>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
<location path="~/Services/MyService.asmx">
<system.web>
<authentication mode="None" />
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
I would think the location tag would work, where you specify the services folder and allow all users, something like:
<location path="services">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
But you said that didn’t work, have you tried putting a web.config file in the services folder and disabling forms authentication and allowing all users in that file?
Method 2
You could also have a (overriding) web.config file in the services folder with the access control set to anonymous.
Method 3
what worked for me was to allow users all users access in the folder where my webservices is located.
Firstly i added a configuration file in that folder and inserted the code below to allow all users.
<authorization>
<allow users="*"/>
</authorization>
</system.web>
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0