How do I secure Elmah on ASP.Net MVC 4 with Windows Integrated Security : Elmah ignores my settings

10,012

Solution 1

If you use Elmah.Mvc, they have quite fine-grained security settings. You can easily secure the elmah page to only be available to logged-in users in the Admin group, for instance.

Elmah.Mvc supports the following items in <appSettings>:

<appSettings>
    <!-- ELMAH configuration. Admin page only available for logged in users in 
         the Admin role. -->
    <add key="elmah.mvc.disableHandler" value="false" />
    <add key="elmah.mvc.disableHandleErrorFilter" value="false" />
    <add key="elmah.mvc.requiresAuthentication" value="true" />
    <add key="elmah.mvc.allowedRoles" value="Admin" />
    <add key="elmah.mvc.route" value="elmah" />
</appSettings>

The keys of interest are elmah.mvc.requiresAuthentication, which switches on the user needing to be logged in, and elmah.mvc.allowedRoles, which specifies which role the user must be in.

You can install Elmah.Mvc from NuGet.
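
An added example, not part of the original answer or of Elmah.Mvc itself: a small Python audit of a web.config that flags the Elmah.Mvc settings discussed above, plus the case from the question where an <authorization> block names elmah.axd while the viewer is served from the elmah route. The sample config is constructed, the name audit_elmah_mvc is hypothetical, and a missing key is assumed to mean the insecure value.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Elmah.Mvc keys from the answer, with authentication switched off.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="elmah.mvc.disableHandler" value="false" />
    <add key="elmah.mvc.requiresAuthentication" value="false" />
    <add key="elmah.mvc.allowedRoles" value="*" />
    <add key="elmah.mvc.route" value="elmah" />
  </appSettings>
  <location path="elmah.axd">
    <system.web>
      <authorization>
        <allow roles="domain\\log_readers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>"""


def audit_elmah_mvc(config_xml):
    """Return a list of findings for the Elmah.Mvc log viewer settings."""
    root = ET.fromstring(config_xml)
    # Assumption: a key that is absent is audited as if it held the insecure value.
    settings = {a.get("key", "").lower(): (a.get("value") or "").strip()
                for a in root.findall("./appSettings/add")}
    findings = []
    if settings.get("elmah.mvc.disablehandler", "false").lower() == "true":
        return findings  # viewer is switched off, nothing to protect
    route = settings.get("elmah.mvc.route", "elmah")
    if settings.get("elmah.mvc.requiresauthentication", "false").lower() != "true":
        findings.append("requiresAuthentication is not true: no login needed for /%s" % route)
    roles = [r.strip() for r in settings.get("elmah.mvc.allowedroles", "*").split(",") if r.strip()]
    if not roles or "*" in roles:
        findings.append("allowedRoles is empty or '*': any logged-in user can read /%s" % route)
    # A <location> authorization block only guards the path it names.
    guarded = {loc.get("path", "").strip("/").lower() for loc in root.findall("./location")
               if loc.find("./system.web/authorization") is not None}
    if guarded and route.strip("/").lower() not in guarded:
        findings.append("<authorization> covers %s but not the Elmah.Mvc route /%s"
                        % (sorted(guarded), route))
    return findings


if __name__ == "__main__":
    for finding in audit_elmah_mvc(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
```
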

Solution 2

The above answer worked great, once I found out how to determine the Role when using Windows Authentication:

Open a command window and enter the following command:

cmd /k net user <user> /Domain

For <user>, substitute your user name. The command will list the groups you belong to.

The instructions came from "How to Create an Intranet Site Using ASP.NET MVC" at http://msdn.microsoft.com/en-us/library/gg703322(VS.98).aspx

Author by

Twisted

Updated on June 15, 2022

Comments

  • Twisted almost 2 years

    I've added elmah to an ASP.NET MVC 4 application. Logging is working and now I am trying to configure security, but elmah is not picking up the settings and the logs remain visible to all users.

    This is an intranet app and as such we are using Windows integrated security. I am trying to restrict access so that only members of the domain\log_readers AD group can read the logs.

    I've read the setup guide here: http://code.google.com/p/elmah/wiki/SecuringErrorLogPages and I've also read several posts on SO and other forums, which has led me to add the roleManager and WindowsRoleProvider configuration, all to no avail.

    Here are the elmah parts of my web.config:

    <elmah>
    <!--
        See http://code.google.com/p/elmah/wiki/SecuringErrorLogPages for 
        more information on remote access and securing ELMAH.
    -->
    <security allowRemoteAccess="true" />
    <errorLog type="Elmah.XmlFileErrorLog, Elmah" logPath="~/Logs" />  
    </elmah>
    <location path="elmah.axd" inheritInChildApplications="false">
    <system.web>
      <authentication mode="Windows" />
    
      <roleManager defaultProvider="WindowsProvider"
          enabled="true" cacheRolesInCookie="false">
        <providers>
          <add
            name="WindowsProvider"
            type="System.Web.Security.WindowsTokenRoleProvider" />
        </providers>
      </roleManager>
      <httpHandlers>
        <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
      </httpHandlers>
      <!-- 
        See http://code.google.com/p/elmah/wiki/SecuringErrorLogPages for 
        more information on using ASP.NET authorization securing ELMAH.
      -->
      <authorization>
        <allow roles="domain\log_readers"/>
        <deny users="*" />
      </authorization>
    
    </system.web>
    <system.webServer>
      <handlers>
        <add name="ELMAH" verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" preCondition="integratedMode" />
      </handlers>
    </system.webServer>
    </location>
    

    I have also tried a complete lockdown by setting my authorization config to deny everyone:

    <authorization>
    <deny users="*" />
    </authorization>
    

    and also

    <authorization>
    <deny users="?" />
    </authorization>
    

    The logs remain open to everyone.

    I suspect the problem may be with the location. I've made no changes to the elmah location. It is accessed from the default location (http://server/myapp/elmah).

  • Twisted over 11 years
    I have elmah.mvc installed, I'll give that a try. Are those settings in addition to or instead of the ones I have already set up?
  • Jack Hughes over 11 years
    If you installed Elmah.Mvc through nuget it should have added the above to your web.config automatically. The above settings are instead of the ones you've already configured.
  • Brian Cauthon over 10 years
    If you are using Windows auth, you need to include the domain (case sensitive) for elmah.mvc.allowedUsers to work properly. Prior versions of elmah didn't require the domain.