I have been seeing this question on a lot of forums, and we are getting a lot of support cases opened by customers requesting this feature.
In IIS 7+ we have changed WebDAV so that PUT, MKCOL, PROPPATCH, COPY, MOVE, and DELETE require authentication. Anonymous PROPFINDs are allowed for file listings, but the other methods require that the request be authenticated. This was done as a security measure. In IIS 6.0 it was possible to use the above methods with anonymous requests from clients, but not anymore. I think the reason people still want this feature in IIS 7 is that some third-party applications, such as cURL, send anonymous PUT requests to a WebDAV site.
A lot of people who have migrated from IIS 6.0 to IIS 7+ still request this functionality. Please note that this is neither recommended nor supported by Microsoft Product Support Services (PSS).
Here, however, I will show you a method of achieving a similar feature without requiring users to send credentials for WebDAV requests. Basically, the WebDAV module checks whether the request is authenticated. If it is not (i.e. it uses Anonymous authentication), the WebDAV module will report “Anonymous access not allowed” in the FREB (Failed Request Tracing) logs.
There is a KB article that covers this as well: http://support.microsoft.com/kb/2021641/en-us
So one way of hacking this is to convince the WebDAV module that your request is authenticated: before the WebDAV module gets a chance to handle the request, change the identity context to that of an authenticated user. In IIS 7 we can write a native ISAPI filter (preferred for performance reasons) or a managed HTTP module that intercepts the request and changes the user context to some pre-configured Windows identity. Alternatively, you can read a username/password from a configuration file (or hard-code the value), Base64-encode the combination as a Basic credential, and add it to the request header collection. This in my opinion is a neater way than the first method.
Here are the steps for injecting the Base64-encoded Basic credential into the request header collection:
<modules runManagedModulesForWebDavRequests="true">
    <add name="CustomBasicWebDAVModule" type="CustomBasicWebDAVModule"/>
</modules>
Now you should be able to use PUT, DELETE, and the other verbs for WebDAV requests to this site anonymously (well, not technically correct though).
Thanks to Robert for the valuable suggestion on this forum and the inputs.
**PLEASE NOTE THAT THIS IS NEITHER RECOMMENDED NOR SUPPORTED BY MICROSOFT PSS. USE IT WITH CAUTION.**
using System;
using System.Web;

public class CustomBasicWebDAVModule : IHttpModule
{
    public CustomBasicWebDAVModule()
    {
    }

    public String ModuleName
    {
        get { return "CustomBasicWebDAVModule"; }
    }

    // In the Init function, register for HttpApplication
    // events by adding your handlers.
    public void Init(HttpApplication application)
    {
        application.BeginRequest +=
            (new EventHandler(this.Application_BeginRequest));
    }

    // Runs at BeginRequest, before the WebDAV module handles the request.
    private void Application_BeginRequest(Object source,
        EventArgs e)
    {
        // Hard-coded credentials of the Windows account that every
        // request to this site will be authenticated as.
        string userName = "test";
        string password = "LS1setup!";
        string concat = userName + ":" + password;
        string base64string = EncodeTo64(concat);

        HttpApplication application = (HttpApplication)source;
        HttpContext context = application.Context;

        // Request.Headers is writable only in the IIS 7 integrated pipeline.
        context.Request.Headers.Add("Authorization", "Basic " + base64string);
    }

    // Base64-encodes "user:password" as used by HTTP Basic authentication.
    static public string EncodeTo64(string toEncode)
    {
        byte[] toEncodeAsBytes = System.Text.ASCIIEncoding.ASCII.GetBytes(toEncode);
        string returnValue = System.Convert.ToBase64String(toEncodeAsBytes);
        return returnValue;
    }

    public void Dispose() { }
}
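With this module in place, every request to the site arrives as the configured account, so it is worth being able to find the workaround on servers you inherit. The following is an added example, not code from the original post: a Python check that parses a web.config or applicationHost.config and lists custom managed modules allowed to run on WebDAV requests. The sample config is constructed, and treating the `System.Web.` type prefix as "ships with ASP.NET" is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a site web.config carrying the workaround from this post.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <modules runManagedModulesForWebDavRequests="true">
      <add name="CustomBasicWebDAVModule" type="CustomBasicWebDAVModule"/>
      <add name="Session" type="System.Web.SessionState.SessionStateModule"/>
    </modules>
  </system.webServer>
</configuration>"""

# Assumption: modules whose type starts with this prefix ship with ASP.NET.
FRAMEWORK_PREFIX = "System.Web."


def audit_webdav_modules(config_xml):
    """Return custom managed modules that are allowed to run on WebDAV requests."""
    root = ET.fromstring(config_xml)
    # ElementTree has no parent links; build them to recover <location path="...">.
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for web_server in root.iter("system.webServer"):
        modules = web_server.find("modules")
        if modules is None:
            continue
        flag = modules.get("runManagedModulesForWebDavRequests", "false")
        if flag.strip().lower() != "true":
            continue
        parent = parents.get(web_server)
        in_location = parent is not None and parent.tag == "location"
        location = parent.get("path", "") if in_location else ""
        for add in modules.findall("add"):
            mod_type = add.get("type")
            # Native modules have no type attribute; only managed ones can be
            # an IHttpModule like the one in this post.
            if not mod_type or mod_type.startswith(FRAMEWORK_PREFIX):
                continue
            findings.append(
                {"location": location, "name": add.get("name"), "type": mod_type}
            )
    return findings


if __name__ == "__main__":
    for finding in audit_webdav_modules(SAMPLE_WEB_CONFIG):
        print("review:", finding)
```

Each finding names a module to review by hand: check whether its code sets an Authorization header or replaces the request identity before the WebDAV module runs.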
Author: Saurabh Singh