Custom Security For ashx Handler
In my WCF web service I have a custom ashx handler. It is designed so that a person can call the web service and get a dynamic link to download a file.
So, an IIS server which is serving up a page to a client calls the web service. This generates the link. The link can be handed to the client machine (i.e. they will be running a web browser) and their browser can open the link. The link will be to the ashx handler, and the result will be that the file gets downloaded.
For the WCF service over all it is using windows authentication because the service is not public, but I want to allow anonymous authentication for the ashx handler because that could be called from any number of client machines.
I'd recommend moving the ashx handler and file download functionality to a separate application root so that you can configure it with anonymous access. Decoupling the web service from the file download service would also let the two live on different servers, potentially solving firewall issues that you may encounter later if the download service needs to be accessed externally but you need to keep the web service private.