Securing Elmah in ASP.NET website
I am having trouble trying to secure ELMAH. I have followed Phil Haacked's tutorial, with the only difference being the demo project is a web application and my project is a website.
<add verb="POST,GET,HEAD" path="/admin/elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
<location path="admin">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
With the leading "/" I receive the response that "The resource cannot be found.", if I remove the leading "/" everything works fine except authentication can be bypassed by appending a directory name in front of /admin/elmah.axd.
For example without the leading "/"
www.mysite.com/admin/elmah.axd - triggers the authentication
www.mysite.com/asdasdasd/admin/elmah.axd - does not trigger the authentication and displays ELMAH
How can I ensure that ELMAH is secure while maintaining the ability to remotely view the log?
Thanks.
Note to others:
Following Alan's answer below results in the following.
www.mysite.com/admin/elmah.axd - triggers the authentication
www.mysite.com/admin/asdasdasd/elmah.axd - triggers the authentication
www.mysite.com/asdasdasd/admin/elmah.axd - The resource cannot be found. (exactly what we wanted)
Answer
I played around with the web.config and got the following to work. Basically instead of putting the elmah.axd HttpHandler in the general system.web, add it specifically in the system.web of your "admin" path location.
<location path="admin">
<system.web>
<httpHandlers>
<add verb="POST,GET,HEAD" path="elmah.axd"
type="Elmah.ErrorLogPageFactory, Elmah" />
</httpHandlers>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>