BlobCache, Style Library, and anonymous users
As a follow-up to Chris O’Brien’s posts regarding BlobCache and 304s, which can be found here and here, I wanted to clarify the situation as to when you may have 304s.
By default, the Style Library (and Master Pages gallery for that matter) is breaking permission inheritance. However, during its creation, the SPList.AllowEveryoneViewItems property is set to true – thus giving anonymous users access – remember, the list is created before anonymous access is given, this property thus simplifies giving access to everyone during creation.
If you enable anonymous access (i.e.: Entire Web Site) on the root permission, and you access the site anonymously, you will not be prompted for credentials. However, when the BlobCache goes through the list’s permissions, it doesn’t find anonymous access and will not serve the request.
As a result, while the file is saved in the BlobCache directory but not served to the user from that cache, the cache-control Http Header will still contain “private, max-age=0”. At the next user request, the browser will validate its cache against the file on the server and return a 304.
Workaround
The workaround is simple, the first step is to explicitly give anonymous access to the Style Library – either by resetting to inherit from parent or by giving anonymous access. The 2nd step is to clear the BlobCache on all zones and all servers.
The ‘Clear BlobCache’ checkbox in the ‘Object Cache’ page will only clear it for that zone for that server – you should clear it either through the web application property. Changing the BlobCache directory (in the web.config of all servers for all zones) the BlobCache will also work.
While Chris’ last post regarding this did essentially provide the workaround, there was some confusion due to the nature of the tests (which can bring false positive or false negative results if you don’t follow steps rigorously), and the cache clearing that may be inaccurate if you do it on the wrong zone/server.
Final note
If your WCM portal use files from the Style Library (or any other list you created and set the AllowEveryoneViewItems property) and allows anonymous access, make sure you update the list’s permission and clear the BlobCache on all zones/servers. This will allow user to cache the files and reduce the server impact (i.e.: the 304s) considerably. This should be part of your “provide anonymous access” procedure.
A correctly configured BlobCache is essential to a high performing web site.
Comments
Anonymous
August 12, 2009
We have also had this problem with FBA users, not just anonymous users (i.e. we had to explicitly give our FBA users access to the Style Library).Anonymous
August 12, 2009
Right, so the behavior isn't 'anonymous' related -- it's simply the most common scenario. The 2 primary things are:
- the behavior when you set AllowEveryoneViewItems which is honored by the core engine to deliver you the file without authentication -- but the BlobCache relies only on the ACL
- When you change security, you will likely need to clear your cache (on all servers/zones) to ensure that the BlobCache reset its own cache of the ACL.
- Anonymous
August 13, 2009
Hey Maxime, This is a really useful clarification, great work. Good to finally put this one to bed! Although we have to remember to go through these actions, at least we know it is possible to avoid the 304s in what we currently have. Cheers, Chris.