Friday, August 15, 2008

Locking Down MOSS Application Pages For Anonymous Users

This Doesn't Look Quite Right

If you do many MOSS Publishing Sites for anonymous audiences you may have come across an interesting artifact: Forms pages being visible to anonymous users. For example, on a site that allows anonymous access to the Entire Site, anonymous users will be able to navigate (and may even get redirected) to URLs like http://domain/Pages/Forms/AllItems.aspx or http://domain/Documents/Forms/AllItems.aspx. AllItems.aspx could really be any view on the list.

The problem is that this leads to a non-branded experience for the user. One minute they're browsing your sharp-looking Master Page and the next they're seeing a really ugly version of your site (also known as stock SharePoint).

There's actually an out-of-the-box fix for this that ships with MOSS. It's called the ViewFormPagesLockdown feature and it's already installed; it just needs to be activated. To activate the feature you use the STSADM utility like so:

stsadm.exe -o activatefeature -url [Site Collection URL] -filename ViewFormPagesLockdown\feature.xml

Should you want to deactivate it you can of course run:

stsadm.exe -o deactivatefeature -url [Site Collection URL] -filename ViewFormPagesLockdown\feature.xml

What Does ViewFormPagesLockdown Actually Do?

There's no easy way to simply hide AllItems.aspx or similar views from users if you're running anonymous access on your site. Those users run under the Limited Access privilege set, a default set of permissions that you can't change through the UI, which is why this Lockdown feature exists to assist you.

When you activate this feature you change the permissions of the Limited Access privilege group, removing the following permissions: View Application Pages (a List permission) and Use Remote Interfaces (a Site permission). Here's a table of what that privilege set looks like before and after running the lockdown feature. It's from the following MS article.

Limited access — default                            Limited access — lockdown mode
List permissions: View Application Pages            (removed)
Site permissions: Browse User Information           Site permissions: Browse User Information
Site permissions: Use Remote Interfaces             (removed)
Site permissions: Use Client Integration Features   Site permissions: Use Client Integration Features
Site permissions: Open                              Site permissions: Open

What's the result?

Because we've effectively removed the ability to see Application Pages from everyone using Limited Access (i.e. anonymous users), when users end up on one of these pages they'll be challenged for a better credential. The result is either an NTLM login box or, if you're using forms authentication, a redirect to the login page.

Can we do anything else?

Some stakeholders don't really like the NTLM popups or the Login Pages on a site that is supposed to be anonymous in the first place. These prompts of course only happen because we just stripped out access to content they'd normally have had anyway...but life's far from rational.

Another approach would be to write an HttpModule that intercepts requests to Application Pages by matching the URL against a regular expression. At that point you can redirect them to a friendly branded page, or simply send them back to the sub site root and let the Welcome Page take over. I'll post such code in a future post.
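A sketch of such a module, added here as an example rather than the code this post promises: it matches list view/form pages with a regular expression and, for unauthenticated requests only, redirects to the web root that the URL itself implies. The class name, pattern and redirect target are assumptions; /_layouts/ pages are deliberately left alone, since redirecting those wholesale would also catch the login page.

```csharp
// Added example, not the post's own code. Register it in web.config under
// <httpModules> after deploying the assembly to the web application's bin or the GAC:
//   <add name="AnonymousFormPageRedirect"
//        type="Example.Modules.AnonymousFormPageRedirectModule, Example.Modules" />
using System;
using System.Text.RegularExpressions;
using System.Web;

namespace Example.Modules
{
    public class AnonymousFormPageRedirectModule : IHttpModule
    {
        // Captures the web-relative root in front of "<List>/Forms/<View>.aspx",
        // e.g. "/sub/Documents/Forms/AllItems.aspx" -> webroot "/sub/".
        // To lock down a single list, replace the [^/]+ before /Forms/ with its name.
        private static readonly Regex FormPage = new Regex(
            @"^(?<webroot>.*/)[^/]+/Forms/[^/]+\.aspx$",
            RegexOptions.IgnoreCase | RegexOptions.Compiled);

        public void Init(HttpApplication app)
        {
            // BeginRequest is too early: the user identity is only populated
            // once authentication has run, so hook PostAuthenticateRequest.
            app.PostAuthenticateRequest += OnPostAuthenticateRequest;
        }

        private static void OnPostAuthenticateRequest(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;

            // Authenticated editors keep their normal (unbranded) view pages.
            if (ctx.Request.IsAuthenticated) return;

            Match m = FormPage.Match(ctx.Request.Path);
            if (!m.Success) return;

            // The target is derived from the request path only, never from
            // user-supplied input such as a query string, so it stays on-site.
            string target = m.Groups["webroot"].Value;
            ctx.Response.Redirect(target, true);
        }

        public void Dispose() { }
    }
}
```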

If you have any other thoughts I'd love to hear them.

My Best,
Tyler Holmes


Anonymous said...

Can you please post the HttpModule code for the redirect. I want to redirect anonymous users from a particular list page, not from all pages.

Tyler Holmes said...

Will do, I'll post it before end of day Friday.