Saturday, September 22, 2007

Just something conceptual... anonymous access

I am now editing the end of chapter answers and I am doing chapter 8. One of the questions (mind you I did not write these, this is one of the chapters I didn't do) is about enabling anonymous access.

But it got me to thinking- the solution just glibly says that to enable anoymous access on a list or library you first enable AA on the web application, then you enable list and library AA at the site collection level, and then enable it at the particular list or library you want to allow AA.

Okay. That works.

But then, messing around, I forgot which web app/zone I enabled anonymous on. So I had a web app at http://sp2:8080/, and an extended web app at; both pointing at the same content.

I enabled anonymous on, just to go through the steps in the answer to make sure they were correct. I then browsed to the site, assuming I'd have to log in before enabling AA at the top-level site of the site collection-- and wasn't prompted to log in.


So I checked the permissions page's anonymous access settings and Entire Site was already enabled.

What's this?! I just enabled AA at the web application. I haven't set it yet... wait a minute, maybe I enabled AA on one of the other zones for the web app.

And sure enough, I had.

So here's the simple concept-- Site collections only have one anonymous access setting. Regardless of how many web application zones are used to funnel users to the sites, if one of the web apps allows anonymous, and the site allows AA at the entire site level, then you cannot enable AA on a different URL (zone) accessing the same site collection and expect to be allowed to have different site collection settings. When you enable AA for a URL, it simply unmasks the anonymous access settings for the site collection already being enforced. If AA is not enabled at a URL, then that option is not available for the users when they access the content.

But what we are taught is-- pick a URL, allow anonymous, then enable the specific kind of anonymous you want at the site collection level. Therefore, the next logical step would be, each URL that accesses the same site collection should be able to set different site collection access- which is wrong.

I guess, when you look at it like this, it's silly to even question. But I was still taken aback to find the site collection pre-set for anonymous when I innocently enabled it at the extended web app level. So I thought I'd just reinforce the concept-- don't enable anonymous on a URL without first checking to see if there are any other zones accessing the content that are already AA enabled. And if so, see what their content is set to allow.

No comments: