How can I grant anonymous access to an httpHandler that uses wildcards in a site that requires authentication?

Question

I have an application which requires authentication, but has some related services which can call into the application as anonymous. The calls are made via httpHandlers, some of which use wildcards. For the httpHandlers that do not use wildcards, I can manage the security by using the location element in web.config:

<httpHandlers>
  <add verb="*" path="ProcessFile.ashx" type="..." validate="false" />
  <add verb="*" path="DoSomethingElse.*.*.ashx" type="..." validate="false" />
</httpHandlers>

For the first handler, it was easy (closing tags omitted for brevity):

<location path="ProcessFile.ashx">
  <system.web>
    <authorization>
      <allow users="?" />
    ...

The second handler won't work because location will not take wildcards. I tried using a 'directory' but it doesn't seem to work:

<httpHandlers>
  ..
  <add verb="*" path="test/DoSomethingElse.*.*.ashx" type="..." validate="false" />
</httpHandlers>


<location path="test">
  <system.web>
    <authorization>
      <allow users="?" />
    ...

Is there a way to get this to work? Do I have the syntax wrong in some way?

Answer 1

I would recommend segregating your handlers that are expected to be anonymously available into a common folder and then set the location permissions for that folder to be universally available. So if you have a folder for handlers /Handlers and a subfolder /Public then you could have the following:

<location path="/Handlers/Public">
    <system.web>
        <authorization>
            <allow users="*"/>
        </authorization>
    </system.web>
</location>

Then you can put your wildcard handlers in here without having to specify it by individual name.