SharePoint Application Page – Anonymous Access

Ever felt the need for an anonymous application page in SharePoint?

I guess everybody will agree that at some point or other they have felt the need for one…

So here is how we go about it.

Use the UnsecuredLayoutsPageBase as a base class for the application pages to which even unauthenticated users must have access, such as a login page.

Additionally, you need to override the AllowAnonymousAccess property to return true, and you are all set.

The following code snippet shows the implementation:

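// UnsecuredLayoutsPageBase skips the permission checks that LayoutsPageBase enforces.
public class MyApplicationPage : Microsoft.SharePoint.WebControls.UnsecuredLayoutsPageBase
{
    // Returning true lets unauthenticated users load this page.
    protected override bool AllowAnonymousAccess
    {
        get
        {
            return true;
        }
    }
}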

Locking down _layouts/_vti_bin & built-in SharePoint pages on anonymous Internet-facing sites

On Internet-facing anonymous sites you may have noticed that your SharePoint Forms pages are also accessible to anonymous users. For example, if you’re using the publishing features, anonymous users might be able to get to

http://{servername}/Pages/Forms/AllItems.aspx

This is a security concern and something we really do not want. MOSS 2007 provides a feature called “ViewFormPagesLockdown” which helps to lock down access to these pages for anonymous users.

stsadm.exe -o activatefeature -url http://{servername} -filename ViewFormPagesLockDown\feature.xml

Running the above command will enable the lockdown for Form pages.

Please Note:

  1. If you already had anonymous access enabled, you’ll need to disable it, then enable it again. 
  2. Go to the _layouts/setanon.aspx page, switch anonymous access off, click OK, then go back and set it to on, click OK. 
  3. You should now get an authentication prompt when you try to navigate to a forms page. 

However, even when lockdown mode is enabled, anonymous users can still access certain Office SharePoint Server application URLs, such as pages in the _layouts directory and Web services that are exposed in the _vti_bin directory. To lock down these pages as well, you will need to make some changes to the web.config file of your SharePoint site, as shown below.

The following XML fragment first denies anonymous users access to all pages in the _layouts and _vti_bin directories, and then allows anonymous users access to three specific pages in the _layouts directory (these are required for SharePoint to function correctly). The question mark (?) represents anonymous users. These restrictions do not apply to authenticated users.
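
A web.config fragment matching the description above, added here as an illustration (it is not copied from the original post). It assumes the `<location>` elements are placed as direct children of `<configuration>` in the site's web.config; the paths are the ones named on this page.

```xml
<configuration>
  <!-- Existing sections of the site's web.config stay as they are;
       add the <location> elements below as children of <configuration>. -->

  <!-- Deny anonymous users ("?") everything under _layouts and _vti_bin. -->
  <location path="_layouts">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="_vti_bin">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- Re-allow anonymous users on the three pages SharePoint needs
       in order to authenticate users and report errors. -->
  <location path="_layouts/login.aspx">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="_layouts/accessdenied.aspx">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="_layouts/error.aspx">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```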

To allow anonymous users to authenticate themselves with the server, you should ensure that they have access to the following pages:

  1. _layouts/login.aspx
  2. _layouts/accessdenied.aspx
  3. _layouts/error.aspx

If you deny anonymous users access to any of these pages, Office SharePoint Server will not function properly.