Question

I am writing a public-facing web site in SharePoint 2010 and using JSOM to access data from lists. Things are working, and I am now trying to deploy on the production server. The server has strict security settings for anonymous users, and anonymous users have no access to the _vti_bin folder.

Breaks everything.

The following article says it is not a good idea to use JSOM for a public-facing web site: http://blogs.msdn.com/b/kaevans/archive/2013/10/24/what-every-developer-needs-to-know-about-sharepoint-apps-csom-and-anonymous-publishing-sites.aspx

Is there any way to get around this issue, or do I have to rewrite the whole application?

I could not find any reason to block the _vti_bin folder. An article is available on MSDN, but it targets SharePoint 2007 only; there is nothing for SharePoint 2010.

I have checked in the developer toolbar that client.svc and sites.asmx are used to read items from the list. I will try to convince my client to block the whole folder except these 2 services. Another important thing I have found is that these services can only be used from my SharePoint application; a user cannot read list information by typing a URL in the browser.

Solution

Create a custom web service that allows for anonymous access.

The client connects to the custom web service, which handles pulling the data from SharePoint. The web service runs on a non-SP server and uses its own credentials to connect to SharePoint. It then passes the data back to the client, where it can be processed similarly to how it would have been with JSOM.

OTHER TIPS

One very common workaround I see is to use an authenticated user to pull the request that you need, then write it to a document library that allows anonymous access. Because most SP does not accept .json as a file type, just save it as response.txt.

Then, in your public site, anonymously read from that document library:

$.ajax({ url: "/documents/response.txt", dataType: "json", method: "GET", cache: false })

This will return exactly what the REST call to _vti_bin would, which allows your existing logic to run.

If you want to, schedule a workflow or PowerShell to generate the txt file daily so it's up to date.
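An added example, not part of the original answers: whichever credentialed component produces the data for anonymous readers (the scheduled job that writes response.txt here, or the custom web service in the Solution) should publish only the fields the public pages need. It assumes the saved body uses an OData-style `d.results` envelope; the `PUBLIC_FIELDS` allowlist, the field names and the sample data are constructed for illustration.

```javascript
// Build the anonymous snapshot from an authenticated list response,
// keeping only allowlisted scalar fields. Added example, not from the thread.

// Hypothetical allowlist: the only columns the public pages need.
const PUBLIC_FIELDS = ["Id", "Title", "Body", "Published"];

// Return a copy of one item that carries only allowlisted scalar fields.
function sanitizeItem(item, allowed) {
  const out = {};
  for (const name of allowed) {
    if (!Object.prototype.hasOwnProperty.call(item, name)) continue;
    const value = item[name];
    // Drop nested objects such as __deferred links or expanded user records.
    if (value !== null && typeof value === "object") continue;
    out[name] = value;
  }
  return out;
}

// Takes the parsed response body and returns the JSON text to save as
// response.txt. Throws instead of publishing a body with an unexpected shape.
function buildPublicSnapshot(response, allowed = PUBLIC_FIELDS) {
  const results = response && response.d && response.d.results;
  if (!Array.isArray(results)) {
    throw new TypeError("expected a body with d.results");
  }
  const items = results.map((item) => sanitizeItem(item, allowed));
  return JSON.stringify({ d: { results: items } });
}

// Constructed sample of what an authenticated read might return.
const SAMPLE_RESPONSE = {
  d: {
    results: [
      {
        __metadata: { uri: "http://intranet.example/_vti_bin/ListData.svc/News(1)" },
        Id: 1,
        Title: "Opening hours",
        Body: "Open 9 to 5.",
        Published: "2014-01-15",
        CreatedBy: { __deferred: { uri: "http://intranet.example/News(1)/CreatedBy" } },
        InternalNotes: "Draft approved by legal",
      },
    ],
  },
};

console.log(buildPublicSnapshot(SAMPLE_RESPONSE));
```

Because the `d.results` envelope is preserved, client code that already reads that shape keeps working against the sanitized file.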

In such situations, the only viable (i.e. open to evolutions) approach would be to deploy an applicative page (or Web service) in _layouts via a WSP. That is, a WSP with server-side code. That page/Web service would hold all the logic/intelligence/business (with elevation if needed, or as the anonymous user to preserve security, but at least you'll be allowed to do whatever an anonymous user is allowed to do), and your client code would only call it to get everything served on a silver platter.

Any other way would be a very short-term fix, with a lot of side-effects/latencies/etc.

I agree with the above answer. You could save your JS or CSS files into a library (such as the Style Library), which can be published to everyone, even anonymous users. You just need to configure this library for anonymous access. You can keep all the architecture of your app and just modify the links of the referenced files.

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange