Securing Elmah in ASP.NET website

对着背影说爱祢 提交于 2019-12-17 17:18:59

问题


I am having trouble trying to secure ELMAH. I have followed Phil Haacked's tutorial, with the only difference being the demo project is a web application and my project is a website.

   <add verb="POST,GET,HEAD" path="/admin/elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />

   <location path="admin">
        <system.web>  
            <authorization>  
                <deny users="?"/>  
            </authorization>  
        </system.web> 
    </location>

With the leading "/" I receive the response that "The resource cannot be found.", if I remove the leading "/" everything works fine except authentication can be bypassed by appending a directory name in front of /admin/elmah.axd.

For example without the leading "/"

www.mysite.com/admin/elmah.axd - triggers the authentication
www.mysite.com/asdasdasd/admin/elmah.axd - does not trigger the authentication and displays ELMAH

How can I ensure that ELMAH is secure while maintaining the ability to remotely view the log?

Thanks.

Note to others:
Following Alan's answer below results in the following.

www.mysite.com/admin/elmah.axd - triggers the authentication
www.mysite.com/admin/asdasdasd/elmah.axd - triggers the authentication
www.mysite.com/asdasdasd/admin/elmah.axd - The resource cannot be found. (exactly what we wanted)


回答1:


I played around with the web.config and got the following to work. Basically instead of putting the elmah.axd HttpHandler in the general system.web, add it specifically in the system.web of your "admin" path location.

<location path="admin">
    <system.web>
        <httpHandlers>
            <add verb="POST,GET,HEAD" path="elmah.axd"
                 type="Elmah.ErrorLogPageFactory, Elmah" />
        </httpHandlers>
        <authorization>
            <deny users="?"/>
        </authorization>
    </system.web>
</location>



回答2:


If you are using ASP.NET MVC, you're going to need to have the routing engine ignore that path. If you want to move elmah to /admin/elmah.axd for instance you should add the following to Global.asax.cs:

routes.IgnoreRoute("admin/elmah.axd/{*pathInfo}");



回答3:


Having spent a while trying to get this to work by patching together the various bits of advice from each of the answers, I've put together a complete solution that should work for all flavours of IIS.

Here's what needs to be in each of your web.config sections:

<configuration>
  <configSections>
    <sectionGroup name="elmah">
      <section name="security" requirePermission="false" type="Elmah.SecuritySectionHandler, Elmah" />
      <section name="errorLog" requirePermission="false" type="Elmah.ErrorLogSectionHandler, Elmah" />
      <section name="errorMail" requirePermission="false" type="Elmah.ErrorMailSectionHandler, Elmah" />
      <section name="errorFilter" requirePermission="false" type="Elmah.ErrorFilterSectionHandler, Elmah" />
    </sectionGroup>
  </configSections>

  <elmah>
    <!-- set allowRemoteAccess="0" for extra security -->
    <security allowRemoteAccess="1"/>
  </elmah>

  <system.web>
    <httpModules>
      <add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" />
      <add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" />
      <add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" />
    </httpModules>
  </system.web>

  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
      <add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" preCondition="managedHandler" />
      <add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" preCondition="managedHandler" />
      <add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" preCondition="managedHandler" />
    </modules>
  </system.webServer>

  <location path="admin">
    <system.web>
      <authorization>
        <!--<allow users="Admin" /> -->
        <deny users="?" />
      </authorization>
      <httpHandlers>
        <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
      </httpHandlers>
    </system.web>
    <system.webServer>
      <handlers>
        <add name="Elmah" path="elmah.axd" verb="POST,GET,HEAD" type="Elmah.ErrorLogPageFactory, Elmah" preCondition="integratedMode" />
      </handlers>
    </system.webServer>
  </location>

</configuration>

And if you're using Asp.Net MVC, add

routes.IgnoreRoute("admin/elmah.axd/{*pathInfo}");

in your RegisterRoutes method.




回答4:


In IIS 7.5 windows server 2008, there is another section called system.webServer. In order for ELMAH to work, this had to be added:

<system.webServer>
  <handlers>
   <add name="Elmah" verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" /> 
  </handlers>
</system.webServer>

I've tried a few variances, but I am unable to use the above solution for preventing '/blah/elmah.axd' from working.

Any Suggestions on making the above solution work for IIS 7.x?

Thanks.



来源:https://stackoverflow.com/questions/1245364/securing-elmah-in-asp-net-website

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!