
I've recently implemented Elmah error logging. I've created a SQL Server db where the errors are being logged and all is good. I've been trying to secure Elmah so that only the Admin role is allowed to access example.com/elmah. Right now anyone is able to access it.

I have run through several SO posts, and other blogs online like this, this, and this and I still have not been able to resolve my issue.

This is how I currently have Elmah set up in my Web.Config:

  <appSettings>
    <add key="elmah.mvc.disableHandler" value="false" />
    <add key="elmah.mvc.disableHandleErrorFilter" value="false" />
    <add key="elmah.mvc.requiresAuthentication" value="false" />
    <add key="elmah.mvc.IgnoreDefaultRoute" value="false" />
    <add key="elmah.mvc.allowedRoles" value="*" />
    <add key="elmah.mvc.allowedUsers" value="*" />
    <add key="elmah.mvc.route" value="elmah" />
    <add key="elmah.mvc.UserAuthCaseSensitive" value="true" />
  </appSettings>

  <system.web>
    <authentication mode="None" />
    <httpModules>
      <add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" />
      <add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" />
      <add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" />
    </httpModules>
  </system.web>

  <system.webServer>
    <modules>
      <add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" preCondition="managedHandler" />
      <add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" preCondition="managedHandler" />
      <add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" preCondition="managedHandler" />
    </modules>
    <validation validateIntegratedModeConfiguration="false" />
  </system.webServer>

  <elmah>
    <errorLog type="Elmah.SqlErrorLog, Elmah" connectionStringName="elmah" applicationName="MyApplication"/>
    <security allowRemoteAccess="yes" />
  </elmah>

  <location path="elmah.axd">
    <system.web>
      <httpHandlers>
        <add verb="POST,GET,HEAD"
             path="elmah.axd"
             type="Elmah.ErrorLogPageFactory, Elmah" />
      </httpHandlers>
      <authorization>
        <allow roles="Admin"/>
        <deny users="*" />
      </authorization>
    </system.web>
    <system.webServer>
      <handlers>
        <add name="ELMAH"
             verb="POST,GET,HEAD"
             path="elmah.axd"
             type="Elmah.ErrorLogPageFactory, Elmah"
             preCondition="integratedMode" />
      </handlers>
    </system.webServer>
  </location>

I have tried playing around with it. Here is what I have tried thus far with no luck:

In <appSettings> I've tried changing the value to Admin like this <add key="elmah.mvc.allowedRoles" value="Admin" /> and then I commented out the next line (allowUsers). That did not work.

In <authorization> I have tried changing it to this to see if it would at least deny everyone, which didn't work:

  <authorization>
    <deny users="*" />
  </authorization>

So then I tried changing the <allow roles="Admin"/> to <allow users="admin"> and that didn't work either. The Admin role exists, and the admin user also exists.

Until I find a solution to this, I have just set <security allowRemoteAccess="yes" /> to <security allowRemoteAccess="no" />

Sorry for the long post, I just want to make sure everything has been included.

I would appreciate any and all help with getting this locked down. :)

maxshuty
  • What is your authentication mode set to in web.config? – Eric King Oct 05 '16 at 23:24
  • @EricKing `` I've played around with the different settings there but haven't figured anything out – maxshuty Oct 07 '16 at 15:38
  • With no authentication set, the authorization won't be able to allow or deny users or roles, since all of your requests will be anonymous. – Eric King Oct 07 '16 at 16:52
  • @EricKing Interesting, I was reading through the different authentication modes, but none of them seem relevant to what I'm trying to do. – maxshuty Oct 11 '16 at 14:53
  • Well, you have to authenticate somehow, or else how can you distinguish one visitor (user) from another, and assign them roles? You say there is an 'admin' user... How does that user log in? – Eric King Oct 11 '16 at 16:27
  • @EricKing I'm using built in Identity – maxshuty Oct 11 '16 at 17:22
  • Have you changed the elmah.mvc.requiresAuthentication setting to true? What works for me is setting that value to true, and setting the elmah.mvc.allowedUsers value to a specific user. I don't even have a 'location' block like you have. – Eric King Oct 12 '16 at 18:33
  • @EricKing I'll give that a shot and update here when I'm done. Thanks – maxshuty Oct 12 '16 at 18:36

0 Answers
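
A way to check a Web.config for the settings discussed in the question and comments, as an added example that is not part of the original post or of ELMAH itself. The finding codes and the `audit_elmah` function are hypothetical names, the sample config is constructed from the question's settings, and treating a missing key as the permissive value is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's settings, trimmed to the relevant elements.
QUESTION_CONFIG = """<configuration>
  <appSettings>
    <add key="elmah.mvc.requiresAuthentication" value="false" />
    <add key="elmah.mvc.allowedRoles" value="*" />
    <add key="elmah.mvc.allowedUsers" value="*" />
    <add key="elmah.mvc.route" value="elmah" />
  </appSettings>
  <elmah><security allowRemoteAccess="yes" /></elmah>
  <location path="elmah.axd">
    <system.web><authorization>
      <allow roles="Admin" /><deny users="*" />
    </authorization></system.web>
  </location>
</configuration>"""

TRUTHY = ("yes", "true", "1", "on")  # assumed spellings of an enabled flag


def audit_elmah(config_xml):
    """Return finding codes (hypothetical names) for an Elmah.Mvc Web.config."""
    root = ET.fromstring(config_xml)
    # Assumption: a missing key is treated like the permissive value shown above.
    s = {a.get("key", "").lower(): a.get("value", "").strip()
         for a in root.findall("./appSettings/add")}
    findings = []
    auth_required = s.get("elmah.mvc.requiresauthentication", "false").lower() == "true"
    if not auth_required:
        findings.append("AUTH_NOT_REQUIRED")
    if s.get("elmah.mvc.allowedroles", "*") == "*" and s.get("elmah.mvc.allowedusers", "*") == "*":
        findings.append("NO_USER_OR_ROLE_RESTRICTION")
    sec = root.find("./elmah/security")
    if sec is not None and sec.get("allowRemoteAccess", "").lower() in TRUTHY and not auth_required:
        findings.append("REMOTE_ACCESS_WITHOUT_AUTH")
    # <location> rules only apply to their own path, not to the MVC route.
    route = s.get("elmah.mvc.route", "elmah").strip("/").lower()
    guarded = [loc.get("path", "").strip("/").lower() for loc in root.findall("./location")
               if next(loc.iter("authorization"), None) is not None]
    if guarded and route not in guarded:
        findings.append("LOCATION_PATH_MISSES_ROUTE")
    return findings


if __name__ == "__main__":
    print(audit_elmah(QUESTION_CONFIG))
```

Run against the question's configuration, all four findings fire; the last one reflects that the `<authorization>` rules sit under `elmah.axd` while the log is served from the `elmah` route.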