How do I secure Elmah on ASP.Net MVC 4 with Windows Integrated Security : Elmah ignores my settings
Solution 1
If you use Elmah.Mvc they have quite fine grained security settings. You can easily secure the elmah page to only be available to logged in users in the Admin group for instance.
Elmah.Mvc supports the following items in <appSettings>
<appSettings>
<!-- ELMAH configuration. Admin page only available for logged in users in
the Admin role. -->
<add key="elmah.mvc.disableHandler" value="false" />
<add key="elmah.mvc.disableHandleErrorFilter" value="false" />
<add key="elmah.mvc.requiresAuthentication" value="true" />
<add key="elmah.mvc.allowedRoles" value="Admin" />
<add key="elmah.mvc.route" value="elmah" />
</appSettings>
The keys of interest are elmah.mvc.requiresAuthentication
which switches on the user needing to be logged in. And elmah.mvc.allowedRoles
which specifies which role the user must be in.
You can install Elmah.Mvc from nuget.
Solution 2
The above answer worked great, once I found out how to determine the Role when using Windows Authentication:
Open a command window and enter the following command:
cmd /k net user <user> /Domain
For <user>
, substitute your user name. The command will list the groups you belong to.
The instructions came from "How to Create an Intranet Site Using ASP.NET MVC" at http://msdn.microsoft.com/en-us/library/gg703322(VS.98).aspx
Twisted
Updated on June 15, 2022Comments
-
Twisted almost 2 years
I've added elmah to an asp.net mvc 4 application. Logging is working and now I am trying to configure security but elmah is not picking up the settings and the logs remain visible by all users.
This is an intranet app and as such we are using windows integrated secuirty. I am trying to restrict access so that only members of the domain\log_readers ad group can read the logs.
I've read the setup guide here: http://code.google.com/p/elmah/wiki/SecuringErrorLogPages and I've also read several posts on SO and other formums which has led me to add the roleManager and WindowsRoleProvider configuration, all to no avail.
Here are the elmah parts of my web.config:
<elmah> <!-- See http://code.google.com/p/elmah/wiki/SecuringErrorLogPages for more information on remote access and securing ELMAH. --> <security allowRemoteAccess="true" /> <errorLog type="Elmah.XmlFileErrorLog, Elmah" logPath="~/Logs" /> </elmah> <location path="elmah.axd" inheritInChildApplications="false"> <system.web> <authentication mode="Windows" /> <roleManager defaultProvider="WindowsProvider" enabled="true" cacheRolesInCookie="false"> <providers> <add name="WindowsProvider" type="System.Web.Security.WindowsTokenRoleProvider" /> </providers> </roleManager> <httpHandlers> <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" /> </httpHandlers> <!-- See http://code.google.com/p/elmah/wiki/SecuringErrorLogPages for more information on using ASP.NET authorization securing ELMAH. --> <authorization> <allow roles="domain\log_readers"/> <deny users="*" /> </authorization> </system.web> <system.webServer> <handlers> <add name="ELMAH" verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" preCondition="integratedMode" /> </handlers> </system.webServer> </location>
I have also tried a complete lock down by setting my autorisation config to deny everyone
<authorization> <deny users="*" /> </authorization>
and also
<authorization> <deny users="?" /> </authorization>
The logs remain open to everyone.
I suspect the problem may be with the location. I've made no changes to the elmah location. It is accessed from default location (http://server/myapp/elmah)
-
Twisted over 11 yearsI have elmah.mvc installed I'll give that a try. Are those settings in addition or instead of the ones I have already set up
-
Jack Hughes over 11 yearsIf you installed Elmah.Mvc through nuget it should have added the above to your web.config automatically. The above settings are instead of the ones you've already configured.
-
Brian Cauthon over 10 yearsIf you are using windows auth, you need to include the domain (case sensitive) for
elmah.mvc.allowedUsers
to work properly. Prior versions of elmah didn't require the domain.