I want to have a sub-folder that allows anonymous users to download files on an ASP.NET Core site that is secured using Window Authentication. I have static files enabled on wwwroot (as in app.UseStaticFiles), but I don't see how to make the sub-folder use anonymous security. I tried using a web.config in the sub-folder with but that didn't work. I don't recall this being as difficult when not using Core, any help appreciated.
After some extra research, here's the solution I arrived at.
Like @Tratcher suggested, I enabled Anonymous along side Windows Auth in IIS.
I referenced the package Microsoft.AspNetCore.Authentication and added it in ConfigureServices:
services.AddAuthentication(
Microsoft.AspNetCore.Server.IISIntegration.IISDefaults.AuthenticationScheme);
Added a default authorization policy when adding MVC:
services.AddMvc(o =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
o.Filters.Add(new AuthorizeFilter(policy));
});
The default policy means I didn't have to use the Authorize attribute everywhere. But with this solution it opened up the "wwwroot" static files, so I needed a place to secure some files.
To secure some sub-folders I used this middleware solution by Scott Allen that scans requested paths and authorizes them by policy.