How do I secure Elmah on ASP.Net MVC 4 with Windows Integrated Security : Elmah ignores my settings
I've added elmah to an asp.net mvc 4 application. Logging is working and now I am trying to configure security but elmah is not picking up the settings and the logs remain visible by all users.
This is an intranet app and as such we are using windows integrated secuirty. I am trying to restrict access so that only members of the domain\log_readers ad group can read the logs.
I've read the setup guide here: http://code.google.com/p/elmah/wiki/SecuringErrorLogPages and I've also read several posts on SO and other formums which has led me to add the roleManager and WindowsRoleProvider configuration, all to no avail.
Here are the elmah parts of my web.config:
<elmah>
<!--
See http://code.google.com/p/elmah/wiki/SecuringErrorLogPages for
more information on remote access and securing ELMAH.
-->
<security allowRemoteAccess="true" />
<errorLog type="Elmah.XmlFileErrorLog, Elmah" logPath="~/Logs" />
</elmah>
<location path="elmah.axd" inheritInChildApplications="false">
<system.web>
<authentication mode="Windows" />
<roleManager defaultProvider="WindowsProvider"
enabled="true" cacheRolesInCookie="false">
<providers>
<add
name="WindowsProvider"
type="System.Web.Security.WindowsTokenRoleProvider" />
</providers>
</roleManager>
<httpHandlers>
<add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
</httpHandlers>
<!--
See http://code.google.com/p/elmah/wiki/SecuringErrorLogPages for
more information on using ASP.NET authorization securing ELMAH.
-->
<authorization>
<allow roles="domain\log_readers"/>
<deny users="*" />
</authorization>
</system.web>
<system.webServer>
<handlers>
<add name="ELMAH" verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" preCondition="integratedMode" />
</handlers>
</system.webServer>
</location>
I have also tried a complete lock down by setting my autorisation config to deny everyone
<authorization>
<deny users="*" />
</authorization>
and also
<authorization>
<deny users="?" />
</authorization>
The logs remain open to everyone.
I suspect the problem may be with the location. I've made no changes to the elmah location. It is accessed from default location (http://server/myapp/elmah)
Answer
If you use Elmah.Mvc they have quite fine grained security settings. You can easily secure the elmah page to only be available to logged in users in the Admin group for instance.
Elmah.Mvc supports the following items in <appSettings>
<appSettings>
<!-- ELMAH configuration. Admin page only available for logged in users in
the Admin role. -->
<add key="elmah.mvc.disableHandler" value="false" />
<add key="elmah.mvc.disableHandleErrorFilter" value="false" />
<add key="elmah.mvc.requiresAuthentication" value="true" />
<add key="elmah.mvc.allowedRoles" value="Admin" />
<add key="elmah.mvc.route" value="elmah" />
</appSettings>
The keys of interest are elmah.mvc.requiresAuthentication which switches on the user needing to be logged in. And elmah.mvc.allowedRoles which specifies which role the user must be in.
You can install Elmah.Mvc from nuget.