May 25, 2010

sharepoint anonymous users: what they can do?

When a web application is anonymous enabled, each site collection can define whether anonymous users can access whole site or just lists/libraries or nothing. Anonymous users will assume "limited access" permission role. This special permission role  is not configurable, but  it does have 2 flavors: with or without LockDown mode. The most significant difference is the lockdown mode takes away the following 2 permissions from anonymous users:
  • Site permissions: Use Remote Interfaces. It will prevent web service (SOAP), WebDav and SPD connection to sharepoint sites;
  • List permissions: View Application Pages. It will prevent anonymous users from view list form pages such as allitems.aspx, edititem.aspx etc
The lockdown mode is automatically turned on when a publishing portal site template is used or it can be turned on by stsadm command. see here for details.

Anonymous users will be challenged or prompted when they try to access resources which are not granted by the "limited access" role. Anonymous users can access sharepoint resource only by server object model, not by web service (either asmx or wcf) regardless whether site is anonymous enabled or whether lockdown mode is turned on. The only workaround is for readonly web service as described in the following 2 posts:

exception: for readonly and SOAP version 1.1(asmx): modify SOAPAction Header:
http://mdasblog.wordpress.com/2010/03/18/allowing-anonymous-access-with-sharepoint-web-services-and-spservices/
http://weblogs.asp.net/jan/archive/2009/05/25/quot-the-security-validation-for-this-page-is-invalid-quot-when-calling-the-sharepoint-web-services.aspx

Otherwise web service call must carry a valid credential. However if web services doesn't involve any object model, anonymous users can call those kinds of web service even if those web services are hosted inside sharepoint.

WCF services add another level of security with security binding configurations for each endpoint. WCF endpoint security along with hosting IIS authentication setup together will determine if anonymous users can invoke WCF services. See here for details.

If the web service is custom web service and using sharepoint object model, the web service need to be in viti_bin, or sharepoint CAS policy need to change. As any web service with sharepoint object model involved, they are not open to anonymous users any way.

In sharepoint 2010, at web application level, there are 2 new policies: Users Policy and Anonymous Policy, which can deny individual uses or all anonymous user's access to an anonymous web application.


Anonymous users can't access to sharepoint application pages under _layouts folder as most sharepoint application pages inherit from LayoutPageBase which is a secure page, nevertheless some application pages inherit from UnsecuredLayoutPageBase such as searchresults.aspx, login.aspx etc, which are open to anonymous users.

May 22, 2010

SharePoint 2010 Reusable Workflow and Enterprise Content Type

we know SharePoint 2010 reusable workflow can be reused because it can be associated with a content type, and a content type can be deployed in multiple lists or libraries. So a reusable workflow can be used automatically in a site scope.


We also know a content type is scoped at a site collection level, does that mean reusable workflow can be used cross all site collection? Yes, but you need to "Publish Globally" (in SharePoint Designer ribbon) to make it be reusable in a whole site collection.

SharePoint 2010 has a new feature called Enterprise Content Type which allow content type to be reused beyond a site collection scope . See this article on Technet for a completed guidance on how to setup a ECT. If the content type is published from content type hub and subscribed by another site collection or even another web application, The content type can be reused in a farm scope. The question is, can its associated workflow be reused? The answer is No at this time.

To summary up: