Disable security for a HttpHandler in IIS7

I have created a custom http handler (IHttpHandler). This handler can be called from any place in the application.

eg: domain.com/file.handlerExtension or it can be domain.com/folder/file.ha开发者_开发知识库ndlerExtension

I have security on my application, but this handler should be available to anonymous users also. Because of this approach it is a mess to create a location element in web config for every posible location from where the handler can be called.

Is there a way to remove check of Authentication and Authorization on a specific resource or Handler in IIS7?

As far as I know - No - this is handled as an HttpModule (if not using iis authentication) - the application configuration defines urls to protect. The only hope may be to hack it so it thinks the user is already authenticated (not even sure if it would work) prior to the Authentication httpModules running which would mean changing processing order. and even then you would have to have some logic built in to say 'force authentication for a request to THIS uri'

MVC's security handling is a bit better IMHO as you can simply use attributes on your controllers or methods to define security and in that case your app would simply remain anonymous for those request.