I have a very basic asp.net application that relies on a master page's INIT event to verify the user via a session object. Yes, I know this is way-suboptimal.

I'd like to add ELMAH to it, but can't find any references to securing the console without using forms authentication and a web.config allow/deny setting.

Is there another way to secure the elmah.axd file that doesn't rely on forms authentication?

A: 

Out of the box, remote access is disabled so you can only access the error logs from the local machine. There's more here: http://code.google.com/p/elmah/wiki/SecuringErrorLogPages

friism
+1  A: 

This article describes how to wrap the Elmah error handler in another event handler that allows access to session state:

http://groups.google.com/group/elmah/msg/a0aa776d348ba97e

In Global.asax, you could then have something like the following:

using System;
using System.IO;
using System.Security;
using System.Web;
using System.Web.SessionState;

protected void Application_PreRequestHandlerExecute(Object sender, EventArgs e)
{
    // Get the filename being requested
    string filename = Path.GetFileName(Request.Path).ToLower();

    // Verify that a user is logged in by checking the session.
    // Session is null at this point unless the handler opts into session state
    // (see below), so an unavailable session counts as not logged in (fail closed).
    HttpSessionState session = HttpContext.Current.Session;
    bool isValid = (session != null && session["User"] != null);

    // Throw error if invalid
    if (filename == "elmah.axd" && !isValid)
        throw new SecurityException("Access to elmah.axd is denied");
}

The standard Elmah handler doesn't implement IRequiresSessionState or IReadOnlySessionState, so you'll have to create another event handler to wrap this, as described in the link mentioned above. Otherwise, you won't be able to access the session in the Application_PreRequestHandlerExecute event.

Mun
+1  A: 

I am one of the developers for ELMAH's MySQL support. The allow/deny options are not web form specific. They can work with any provider.

  1. To implement a custom one you would need to use the IPrincipal interface.
  2. The roles from allow/deny roles are pulled from this IsInRole method of IPrincipal.
  3. On the Request_Authentication in your global.asax or your own IHttpHandler you would need to create and set the IPrincipal object to the Context.User object. Something like this:

    // Wire this method to the AuthenticateRequest event (in Global.asax the
    // auto-wired name for it is Application_AuthenticateRequest).
    private void Request_Authenticate (object sender, EventArgs e) {
        // do checks and create IPrincipal object
        IPrincipal user = new MyPrincipal(...);   // MyPrincipal: your own IPrincipal implementation
        Context.User = user;
    }
    
  4. Then when the roles are checked for your elmah.axd handler it would go against this custom object instead of the web forms.

Nick Berardi
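An added example, not code from any of the answers above, of what the custom IPrincipal in the last answer could look like, together with the web.config location block under which the allow/deny check consults its IsInRole. The ElmahIdentity, ElmahPrincipal and LookupVerifiedUser names and the elmah-admin role are assumptions. One caveat for the asker's session-based setup: AuthenticateRequest fires before session state is loaded, so the check has to rely on something other than Session, such as a cookie the application can validate itself.

```csharp
using System;
using System.Security.Principal;
using System.Web;
// Hypothetical identity: IsAuthenticated is false for the anonymous case.
public class ElmahIdentity : IIdentity
{
    public ElmahIdentity(string name) { Name = name; }
    public string Name { get; private set; }
    public string AuthenticationType { get { return "Custom"; } }
    public bool IsAuthenticated { get { return !string.IsNullOrEmpty(Name); } }
}

// Hypothetical principal: UrlAuthorizationModule calls IsInRole for each
// <allow roles="..."/> or <deny roles="..."/> entry that guards elmah.axd.
public class ElmahPrincipal : IPrincipal
{
    private readonly string[] _roles;
    public ElmahPrincipal(IIdentity identity, params string[] roles)
    {
        Identity = identity;
        _roles = roles ?? new string[0];
    }
    public IIdentity Identity { get; private set; }
    public bool IsInRole(string role) { return Array.IndexOf(_roles, role) >= 0; }
}

public class Global : HttpApplication
{
    // AuthenticateRequest fires before session state is acquired, so Session
    // is unavailable here; the principal is built from what the request proves.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        string user = LookupVerifiedUser(Request);
        Context.User = user != null
            ? new ElmahPrincipal(new ElmahIdentity(user), "elmah-admin")
            : new ElmahPrincipal(new ElmahIdentity(null));   // anonymous: no roles
    }
    // Assumed hook for the application's own check (e.g. validating a cookie it
    // issued); returns the user name, or null when nothing verifiable is present.
    private static string LookupVerifiedUser(HttpRequest request)
    {
        return null;   // fail closed until a real check is plugged in
    }
}

// web.config, so only the elmah-admin role reaches the console:
// <location path="elmah.axd"><system.web><authorization>
//   <allow roles="elmah-admin" /><deny users="*" />
// </authorization></system.web></location>
```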