Authorization problems with custom SharePoint applications

I recently discovered that the authorization part of my custom ASP.Net applications does not work at all when I deploy the applications to our SharePoint production server. Strangely enough it works on my local Windows XP machine.

It seemed like the authorization part of my web.config file had no effect when I moved my application to a SharePoint machine.

More specifically, group membership permissions are ignored when using role based security in a custom ASP.Net application on a Sharepoint server. This is because Sharepoint removes the default httpHandlers during installation. The remedy is to add them again in the web.config file as described below.

Let us invent the application Avalanche for this example. Say that it contains the page User.aspx. In the Page_Load event it would show the identity of the logged in user as the following:
lblUserIdentity.Text = User.Identity.Name.ToString();

In short, the Avalanche web.config contains these important parts:

<identity impersonate="true" />
<authentication mode="Windows" />
<authorization>
<allow users="ivalice\aeris" />
<deny users="*" />
</authorization>

This would allow only the user aeris of domain ivalice to access the page. No one else would be allowed.

The IIS of the SharePoint machine denies access for anonymous users and is set to use Integrated Windows Authentication. To deploy my application, this is what I do:

1. I copy my project to the c:\Program Files\Common Files\Microsoft Shared\web server extensions\60\TEMPLATE\LAYOUTS folder on the SharePoint server.


2. I create a virtual directory for the application in IIS


3. I exclude the path Avalanche in the Define Managed Paths section of the Sharepoint Central Administration.

Good to go one would think.

However, any valid SharePoint user of our Intranet could still access my application at the address http://intranet/_layouts/Avalanche/User.aspx. Even better, say that we explicitly denied access to the user ivalice\sephiroth like this:

<identity impersonate="true" />
<authentication mode="Windows" />
<authorization>
<allow users="ivalice\aeris" />
<deny users="ivalice\sephiroth" />
</authorization>

If now user ivalice\sephiroth accessed the page http://intranet/_layouts/Wasabi/User.aspx my application would gladly show the page and state the user as ivalice\sephiroth.

You have to explicitly clear the httpHandlers and redefine them for your application.

Add the following section inside the <system.web> of your web.config.

<httpModules>
<clear />
<add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule"/>
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule"/>
<add name="FileAuthorization" type="System.Web.Security.FileAuthorizationModule"/>
<add name="ErrorHandlerModule" type="System.Web.Mobile.ErrorHandlerModule,
System.Web.Mobile, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
<add name="OutputCache" type="System.Web.Caching.OutputCacheModule"/>
<add name="Session" type="System.Web.SessionState.SessionStateModule"/>
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule"/>
<add name="PassportAuthentication" type="System.Web.Security.PassportAuthenticationModule"/>
</httpModules>

Now, everything should work as you meant it to.