Turning off ASP.Net WebForms authentication for one sub-directory
- by Keith
I have a large enterprise application containing both WebForms and MVC pages. It has existing authentication and authorisation settings that I don't want to change.
The WebForms authentication is configured in the web.config:
<authentication mode="Forms">
<forms blah... blah... blah />
</authentication>
<authorization>
<deny users="?" />
</authorization>
Fairly standard so far. I have a REST service that is part of this big application and I want to use HTTP authentication instead for this one service.
So, when a user attempts to get JSON data from the REST service it returns an HTTP 401 status and a WWW-Authenticate header. If they respond with a correctly formed HTTP Authorization response it lets them in.
The problem is that WebForms overrides this at a low level - if you return 401 (Unauthorised) it overrides that with a 302 (redirection to login page). That's fine in the browser but useless for a REST service.
I want to turn off the authentication setting in the web.config:
<location path="rest">
<system.web>
<authentication mode="None" />
<authorization><allow users="?" /></authorization>
</system.web>
</location>
The authorisation bit works fine, but when I try to change the authentication I get an exception:
It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level.
I'm configuring this at application level though - it's in the root web.config
How do I override the authentication so that all of the rest of the site uses WebForms authentication and this one directory uses none?
This is similar to another question: 401 response code for json requests with ASP.NET MVC, but I'm not looking for the same solution - I don't want to just remove the WebForms authentication and add new custom code globally, there's far to much risk and work involved. I want to change just the one directory in configuration.