Securing Elmah in ASP.NET website Securing Elmah in ASP.NET website asp.net asp.net

Securing Elmah in ASP.NET website


.net asp.net web-config elmah

I played around with the web.config and got the following to work. Basically instead of putting the elmah.axd HttpHandler in the general system.web, add it specifically in the system.web of your "admin" path location.

<location path="admin">    <system.web>        <httpHandlers>            <add verb="POST,GET,HEAD" path="elmah.axd"                 type="Elmah.ErrorLogPageFactory, Elmah" />        </httpHandlers>        <authorization>            <deny users="?"/>        </authorization>    </system.web></location>

.net asp.net web-config elmah

If you are using ASP.NET MVC, you're going to need to have the routing engine ignore that path. If you want to move elmah to /admin/elmah.axd for instance you should add the following to Global.asax.cs:

routes.IgnoreRoute("admin/elmah.axd/{*pathInfo}");

.net asp.net web-config elmah

Having spent a while trying to get this to work by patching together the various bits of advice from each of the answers, I've put together a complete solution that should work for all flavours of IIS.

Here's what needs to be in each of your web.config sections:

<configuration>  <configSections>    <sectionGroup name="elmah">      <section name="security" requirePermission="false" type="Elmah.SecuritySectionHandler, Elmah" />      <section name="errorLog" requirePermission="false" type="Elmah.ErrorLogSectionHandler, Elmah" />      <section name="errorMail" requirePermission="false" type="Elmah.ErrorMailSectionHandler, Elmah" />      <section name="errorFilter" requirePermission="false" type="Elmah.ErrorFilterSectionHandler, Elmah" />    </sectionGroup>  </configSections>  <elmah>    <!-- set allowRemoteAccess="0" for extra security -->    <security allowRemoteAccess="1"/>  </elmah>  <system.web>    <httpModules>      <add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" />      <add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" />      <add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" />    </httpModules>  </system.web>  <system.webServer>    <modules runAllManagedModulesForAllRequests="true">      <add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" preCondition="managedHandler" />      <add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" preCondition="managedHandler" />      <add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" preCondition="managedHandler" />    </modules>  </system.webServer>  <location path="admin">    <system.web>      <authorization>        <!--<allow users="Admin" /> -->        <deny users="?" />      </authorization>      <httpHandlers>        <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />      </httpHandlers>    </system.web>    <system.webServer>      <handlers>        <add name="Elmah" path="elmah.axd" verb="POST,GET,HEAD" type="Elmah.ErrorLogPageFactory, Elmah" preCondition="integratedMode" />      </handlers>    </system.webServer>  </location></configuration>

And if you're using Asp.Net MVC, add

routes.IgnoreRoute("admin/elmah.axd/{*pathInfo}");

in your RegisterRoutes method.

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last