Sunday, 20 January 2013

Configure Anonymous Access for SharePoint 2013 site with Javascript Client Object Model

Recently I came across a requirement to enable anonymous access for SharePoint 2013 site. Now, this seems to be a very simple requirement but the twist here was that anonymous access should work with ECMASCRIPT. Had it been server side code, we could have simply executed our code within run with elevated privilleges and thats it. But with javascript, this is not possible. In this blog post I will explain how this can be achieved.

First of all, for anonymous access to work , we need to enable anonymous access at both web application level as well as site collection level.

In central admin, when we are creating a new web application, we get an option to make the web application  available anonymously.

Next thing required is that we need to set up the anonymous access at the site collection level. To do this , we need to go to Site Settings -> Site Permissions. There we find an option for Anonymous Access. Clicking on that will provide us a popup where we can enable anonymous access for the site collection.

The above two steps would have been enough for server side code. But if you are working with Javascript Client Object Model, there are additional things that needs to be done before being able to access a site anonymously.
With JavaScript Client Object Model (JSCOM), the anonymous user gets Microsoft.SharePoint.Client.ApiBlockedException. As a result when user tries to access a site anonymously where something is being fetched based on JSCOM, he will get Access Denied Exception because of the blocked API. The solution for this problem lies hidden in the ClientCallableSettings of the SPWebApplication object. This property controls which API are prohibited in the Client OM. With the help of powershell we can remove these blocked API's from the web application.

If you look at the above powershell script, you will see SPList in AnonymousRestrictedTypes. In Client Object Model, the following API's are restricted in ClientCallableSettings

  • SPSite.GetChanges()
  • SPWeb.GetChanges()
  • SPWeb.GetSubwebsForCurrentUser()
  • SPList.GetChanges()
  • SPList.GetItems()
It is the restriction on GetItems() that prevents the anonymous users from fetching listitems using JSCOM.
Therefore we need to remove this restriction in order to enable anonymous access. Following powershell command will remove this restriction on web application level

By running the above command we can get away with the API restriction on GetItems() in case of Client Object Model.

Now, the next thing that needs to be done is to go to central admin. There go to Application Management  and select Manage Web Applications. Select your web application and click on the Authentication Providers in the ribbon.It will open a dialog box as shown below.

Click on Default link. It will open another dialog box. There you will find an option saying Require Remote Interfaces Permission. Uncheck this checkbox and save.

Now, your site is configured to support anonymous access with Javascript Client Object Model with anonymous users having View Item permission on the list. In case you want to allow anonymous users to perform some POST action as well, like Add an Item to the list , you need to break permission inheritance and give Add Items permission as well to anonymous users.

And this is it. Now anonymous users can GET and POST data to sharepoint site using JSCOM.

Hope this helps !!



  1. I've been struggling with this for over a year on SharePoint online. Any ideas?