In my post “What About Anonymous Writes to SharePoint Lists with Web Services?” the other day, I wondered why the SharePoint Web Services don’t allow anonymous updates to SharePoint lists through the Web Services, even when anonymous write access is enabled on those lists.
Since then, I’ve gotten two independent answers that tell me that it just isn’t possible.
From a well-respected SharePoint MVP (I won’t name him because I didn’t ask him if I could):
The anonymous settings in Site Settings / Central Admin will only update the content virtual directory in IIS. Web services live in the _vti_bin folder, which is not updated from those settings pages.
I would recommend writing a custom web service that accepts anonymous input, performs data validation, value scrubbing, logging (IP address, date-time, etc.) and most importantly watches for multiple updates from the same source to prevent denial of service attacks.
And in a blog post that my pal Ben McInerney found, “401 Reasons Why SharePoint Web Services Don’t Work Anonymously” (from someone named Chris Domino? Chris, you need an About page!):
But when anonymous is set, we get that one line message: “401 UNAUTHORIZED.” Obviously, this is not coming from IIS. My only guess, after going through the trouble of Reflecting what I could of Microsoft.SharePoint.dll, is that code inside the web method sends this response if the current user is not authenticated, regardless if its virtual directory is set to be anonymous.
Regardless of whether allowing this type of access is a good idea, it just doesn’t make sense to me. If you are running a serious corporate site that gets thousands of hits a day, then the Denial of Service (DoS) issue is a very real one. If you’re using WSS for your kid’s soccer team or for a small business, then this concern just isn’t on your radar screen.
I’m disappointed in these findings, and would love to hear that I’m wrong in my conclusions. Luckily, I’ve at least been able to get anonymous reads working with the Web Services in my jQuery Library for SharePoint Web Services (SPServices). That’s a huge set of capabilities right there, but I really wish that the writes worked, too.
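The checks recommended in the MVP's reply quoted above for a custom anonymous-write service (validation, scrubbing, logging and watching for repeated updates from one source), as an added C# example that is not code from this post or from SharePoint. The class name, the limits and the single `title` field are assumptions; the caller would perform the actual list update with the value returned.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text.RegularExpressions;
// Hypothetical gate called before the list update; names and limits are assumptions.
public class AnonymousWriteGate
{
    const int MaxPerWindow = 3;                                // assumed limit
    static readonly TimeSpan Window = TimeSpan.FromMinutes(1); // assumed window
    static readonly Regex Control = new Regex(@"[\x00-\x1F\x7F]");
    readonly Dictionary<string, Queue<DateTime>> hits = new Dictionary<string, Queue<DateTime>>();

    // Returns the scrubbed value to store, or null when the request is refused.
    public string Accept(string sourceIp, string title, DateTime nowUtc)
    {
        if (!Throttle(sourceIp, nowUtc)) return Log(nowUtc, sourceIp, "throttled", null);
        // Scrubbing: drop control characters and surrounding whitespace.
        string clean = Control.Replace(title ?? "", "").Trim();
        // Validation: required and bounded in length.
        if (clean.Length == 0 || clean.Length > 255)
            return Log(nowUtc, sourceIp, "rejected", null);
        // Encode markup so the stored value renders as text.
        return Log(nowUtc, sourceIp, "accepted", WebUtility.HtmlEncode(clean));
    }

    // Sliding window: at most MaxPerWindow accepted calls per source per Window.
    bool Throttle(string sourceIp, DateTime nowUtc)
    {
        lock (hits)
        {
            if (!hits.TryGetValue(sourceIp, out var q)) hits[sourceIp] = q = new Queue<DateTime>();
            while (q.Count > 0 && nowUtc - q.Peek() >= Window) q.Dequeue();
            if (q.Count >= MaxPerWindow) return false;
            q.Enqueue(nowUtc);
            return true;
        }
    }

    // Logging: timestamp, source and outcome for every request, refused or not.
    static string Log(DateTime t, string ip, string outcome, string value)
    {
        Console.WriteLine("{0:o} {1} {2}", t, ip, outcome);
        return value;
    }

    static void Main()
    {
        var gate = new AnonymousWriteGate();
        var t = new DateTime(2010, 1, 1, 0, 0, 0, DateTimeKind.Utc); // constructed sample
        for (int i = 0; i < 5; i++) gate.Accept("192.0.2.10", "<b>Sign-up</b> " + i, t.AddSeconds(i));
    }
}
```

The per-source table is never pruned here, so a production service would also expire idle entries and bound the table's size.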