How to secure Elmah working with ASP.NET and IIS 5.1 URL Routing

Question

This question builds on the following question: How to get Elmah working with ASP.NET and IIS 5.1 URL Routing

The solution suggested there worked, as long as elmah.axd is off of the root of the site. What if you want to secure the site as blogged here: Securely Implement ELMAH For Plug And Play Error Logging?

Moving elmah.axd to /admin/elmah.axd breaks the Fix IIS 5x Wildcard Mapping Module.

My workaround was just to secure "elmah.axd" instead of "admin," like:

<location path="elmah.axd">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>

Although this works, I feel that there's got to be a more elegant solution. Any thoughts?

Answer 1

That's the same solution I use in my projects. Anything else more "elegant" would be a lot more complicated and unnecessary.

It does the trick and is simple, I'd keep it like that if I was you :-)

Answer 2

You can also rename elmah.axd to something less obvious. The name is configurable in your web.config.

Answer 3

To add to @Todd Smith's answer:

If you want to rename your elmah.axd, all you need to do is to change the name in the handler.

<add name="Elmah" path="ANY_NAME_YOU_LIKE.axd" verb="POST,GET,HEAD" type="Elmah.ErrorLogPageFactory, Elmah"/>