I have a large enterprise application containing both WebForms and MVC pages. It has existing authentication and authorisation settings that I don't want to change.
The WebForms authentication is configured in the web.config:
<authentication mode="Forms">
<forms blah... blah... blah />
</authentication>
<authorization>
<deny users="?" />
</authorization>
Fairly standard so far. I have a REST service that is part of this big application and I want to use HTTP authentication instead for this one service.
So, when a user attempts to get JSON data from the REST service it returns an HTTP 401 status and a WWW-Authenticate header. If they respond with a correctly formed HTTP Authorization response it lets them in.
The problem is that WebForms overrides this at a low level - if you return 401 (Unauthorised) it overrides that with a 302 (redirection to login page). That's fine in the browser but useless for a REST service.
I want to turn off the authentication setting in the web.config, overriding the 'rest' folder:
<location path="rest">
<system.web>
<authentication mode="None" />
<authorization><allow users="?" /></authorization>
</system.web>
</location>
The authorisation bit works fine, but the authentication line (<authentication mode="None" />) causes an exception:
It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level.
I'm configuring this at application level though - it's in the root web.config - and that error is for web.configs in sub-directories.
How do I override the authentication so that all of the rest of the site uses WebForms authentication and this one directory uses none?
This is similar to another question: 401 response code for json requests with ASP.NET MVC, but I'm not looking for the same solution - I don't want to just remove the WebForms authentication and add new custom code globally, there's far to much risk and work involved. I want to change just the one directory in configuration.
Update
I want to set up a single web application and in that I want all the WebForms pages and MVC views to use WebForms authentication. I want one directory to use basic HTTP authentication.
Note that I'm talking about authentication, not authorisation. I want REST calls to come with the username & password in an HTTP header, and I want WebForm & MVC pages to come with the authentication cookie from .Net - in either case authorisation is done against our DB.
I don't want to rewrite WebForms authentication and roll my own cookies - it seems ridiculous that is the only way to add an HTTP authorised REST service to an application.
I can't add an additional application or virtual directory - it's got to be as one application.
See Question&Answers more detail:
os 
