3

I am using Elmah (Error Logging Modules And Handlers) with an ASP.NET Web Forms application. I have enabled Elmah for remote access.

Is it possible to password protect Elmah, like with Windows authentication, while keeping the Web Forms application anonymously accessible?

Tim S. Van Haren
Nexus23
  • Do you have Roles implemented? Also, you'll want to get this locked down quick. Elmah errors can expose sensitive details about how your site works. – MikeSmithDev Jan 07 '13 at 15:50
  • @MikeSmithDev, No, haven't implemented roles yet, nor wanna use .net Membership providers because web application is anonymously accessible through default windows authentication (which is default settings for a web project). – Nexus23 Jan 07 '13 at 15:53

2 Answers

1

You can secure Elmah by adding the allowed users in your web.config:

<location path="elmah.axd" inheritInChildApplications="false">
    <system.web>
       <authorization>   
         <allow users="YOUR-WINDOWS-USERNAME" />
         <deny users="*" />
       </authorization>
    </system.web>

    <!-- ...other config settings -->
</location>

Assuming you are using Windows authentication:

<authentication mode="Windows" />
MikeSmithDev
1

The following solution is working for Windows "Roles", but direct access for users isn't working.

  <location path="admin" >
    <system.web>
      <httpHandlers>
        <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
      </httpHandlers>
      <authorization>
        <allow roles="WindowsGroupName" />
        <deny users="*" />  
      </authorization>
    </system.web>
  </location>

Note: Elmah is also secured by serving through root/admin/elmah.axd as instructed by Phil Haack.

Nexus23
  • The domain might be needed in addition to the username in my example, as in DOMAIN\USERNAME – MikeSmithDev Jan 07 '13 at 18:59
  • @MikeSmithDev, I tried living within the same domain, but I'm not sure if Elmah is designed to work with users. Have you found any source on the Internet or ever tried it yourself to concrete your solution? I have seen roles anywhere Elmah is explained to allow remote access. – Nexus23 Jan 07 '13 at 21:41
  • I tested locally and it worked. Although on my live server I use roles (and not windows auth), and I didn't test live. Seeing that you got it working with roles, you've got my +1. – MikeSmithDev Jan 07 '13 at 21:44
  • Also seems like another SO post got it working with users: http://stackoverflow.com/questions/7005389/how-to-provide-only-access-for-elmah-axd-for-administrator-login-in-web – MikeSmithDev Jan 07 '13 at 21:53
  • @MikeSmithDev, I saw this example before, however, solution suggests to implement BeginRequest() method because users and roles are in database not windows. I was trying to authenticate users created on web server using Windows Authentication. Still looking for Elmah success story based on Windows Users. – Nexus23 Jan 07 '13 at 23:07
  • I was able to successfully secure Elmah using "allow users" and Windows Authentication on a remote server using the code in my answer. – MikeSmithDev Jan 08 '13 at 15:15
  • The BeginRequest() update in that other answer was meant for the guy using a session to track users, because neither "roles" nor "users" would work for him. It doesn't apply to my answer. – MikeSmithDev Jan 08 '13 at 18:18
  • @MikeSmithDev, thanks for confirming the "Users" option. On my side, when I switch to users and try to access Elmah, it asks for the user/password in a dialog, but entering the user and password doesn't show the Elmah screen; it keeps on popping up the same user/password dialogue again and again. With everything set the same, if I switch to allow roles, it works. I was thinking it might be to do with user permissions on the server. Under which group does the user you have tried exist, is it "Users"? I have tried both with "Users" and "IIS_WPG". You've got my +1 now as well :) – Nexus23 Jan 09 '13 at 13:01
  • It did something similar (popping up same dialog) to me if I put in invalid username/password. If I put in correct one, but the user didn't have access, I'd get unauthorized access error. Otherwise, I could get access. – MikeSmithDev Jan 09 '13 at 16:08
  • This may be relevant for you: http://stackoverflow.com/questions/14120734/does-an-iis-7-5-web-app-with-windows-authentication-require-end-users-to-have-fi – MikeSmithDev Jan 11 '13 at 21:30
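
A small audit for the two web.config layouts in the answers above, as an added example that is not part of the original posts: it lists every registration of the Elmah handler and reports whether the most specific authorization section covering that path reaches a catch-all deny before any allow for "*" or "?". The function names and both sample configs are constructed for illustration, and it reads only the one web.config passed in, ignoring verbs attributes and parent or child config files.

```python
import xml.etree.ElementTree as ET

ELMAH_TYPE = "Elmah.ErrorLogPageFactory"
HANDLER_XPATHS = ("system.web/httpHandlers/add", "system.webServer/handlers/add")

def is_locked(authz):
    """True if the rules deny all but explicitly allowed users (first match wins)."""
    for rule in authz:
        users = {u.strip() for u in rule.get("users", "").split(",")}
        if rule.tag == "allow" and users & {"*", "?"}:
            return False   # everyone (or anonymous) is admitted first
        if rule.tag == "deny" and "*" in users:
            return True    # catch-all deny reached before any open allow
    return False           # no catch-all deny, so the default allow applies

def scopes(root):
    """Yield (path, element) for the root config and each <location>."""
    yield "", root
    for loc in root.iter("location"):
        yield loc.get("path", "").strip("/").lower(), loc

def audit(config_xml):
    """Return {url_path: locked} for every Elmah handler registration."""
    root = ET.fromstring(config_xml)
    result = {}
    for prefix, scope in scopes(root):
        adds = [a for x in HANDLER_XPATHS for a in scope.findall(x)
                if ELMAH_TYPE in a.get("type", "")]
        for add in adds:
            url = "/".join(p for p in (prefix, add.get("path", "").lower()) if p)
            # Pick the most specific scope covering the URL that has rules.
            rules = [(p, s.find("system.web/authorization")) for p, s in scopes(root)
                     if p == "" or url == p or url.startswith(p + "/")]
            rules = [(p, a) for p, a in rules if a is not None]
            authz = max(rules, key=lambda r: len(r[0]), default=("", []))[1]
            result[url] = is_locked(authz)
    return result

# Constructed sample: handler at the site root, no <authorization> at all.
OPEN = """<configuration><system.web><httpHandlers>
  <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
</httpHandlers></system.web></configuration>"""
# Constructed sample laid out like the second answer (handler under "admin").
LOCKED = """<configuration><location path="admin"><system.web><httpHandlers>
  <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
</httpHandlers><authorization>
  <allow roles="WindowsGroupName" /><deny users="*" />
</authorization></system.web></location></configuration>"""
print(audit(OPEN), audit(LOCKED))
```

A False entry means the path has no covering rule set that stops at a catch-all deny, which includes configs that only deny "?" and so admit any authenticated user.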