If you are building a SharePoint website on the internet, you
might be having the following architecture.
You will probably have created a web application and configured it
to run on Windows Authentication.Then you can extend the same web application
from the Central Administration and the extended web application can run on
Forms authentication over the internet.
Extending a web application will create a new site in the IIS by
SharePoint and this site and the site created to run with Windows
Authentication will be sharing the same content database.
For most content based web sites over the internet, Anonymous Authentication may be configured for the site.
But configuring anonymous
access creates one significant problem in case of SharePoint sites. The areas
of the site sometimes get exposed over the internet which you might want to
keep under wraps.
There could be other scenarios
where you might want your registered users to have more rights than Restricted
Read. But at the same time
you want to maintain a tight leash so that your website is less vulnerable even
from users who have registered and logged in as they are external users and may
not be a part of your organization. If they have malicious intentions, I guess
it will be better to be prepared than to be sorry later.
Mostly you would like to
restrict the following pages completely from external users who are access the
site over the internet:
View All Items Page : /_layouts/viewlsts.aspx
The different views in lists
and libraries : <Document
Library Name>/Forms/Allitems.aspx etc.
There could be a host of other
pages as well. But it will be crucial for the content managers/information
workers to access this page from the intranet zone of the website.
The good news is there is a
very simple way to solve this problem. One thing to keep in mind is all
SharePoint sites are in reality ASP .Net sites. Hence you can modify the web.config
file to do your bidding. In this case, what you can do is modify the web.config
file for the extended web application running on the forms authentication or
anonymous authentication on the internet. Modify the following section on the
web.config file:
<!--Added for Access Control-->
<location path="_layouts/mobile/mbllogin.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Pages/Forms">
<system.web>
<authorization>
<deny users="?" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="Css/Forms">
<system.web>
<authorization>
<deny users="?" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="PublishingImages/Forms">
<system.web>
<authorization>
<deny users="?" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="Documents/Forms">
<system.web>
<authorization>
<deny users="?" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="Lists">
<system.web>
<authorization>
<deny users="?" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="_layouts/1033">
<system.web>
<authorization>
<allow users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="_layouts/<your
custom directory>">
<system.web>
<authorization>
<allow users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="_layouts/images">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="_layouts">
<system.web>
<authorization>
<deny users="?" />
<deny users="*" />
</authorization>
</system.web>
</location>
<!--End for Access Control-->
The good thing is you can
do a lot of mix and match and allow access to certain areas for anonymous users
and even registered users logging in and then completely restricting access to
other areas. As you can see above this particular setting provides access to:
2 comments:
Hi,
I have implemented the same. But even the readers are able to view the Forms/AllItems.aspx and all documents page.
I did IISRESET too. But it didn't helped. What would be the reason?
Can you try putting "Pages/Forms/AllItems.aspx" instead of "Forms/AllItems.aspx".
Because
<authorization>
<deny users="?" />
<deny users="*" />
</authorization>
Will definitely block all users, logged in or otherwise.
I suspect that the path which you want to selectively restrict is not constructed properly.
Post a Comment