在ASP.NET网站保护ELMAH [英] Securing Elmah in ASP.NET website

问题描述

我有麻烦试图保护ELMAH。我跟菲尔Haacked的<一个href="http://haacked.com/archive/2007/07/24/securely-implement-elmah-for-plug-and-play-error-logging.aspx">tutorial,唯一的区别是该示范项目是一个Web应用程序，我的项目是一个网站。

I am having trouble trying to secure ELMAH. I have followed Phil Haacked's tutorial, with the only difference being the demo project is a web application and my project is a website.

   <add verb="POST,GET,HEAD" path="/admin/elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />

   <location path="admin">
        <system.web>  
            <authorization>  
    	        <deny users="?"/>  
            </authorization>  
        </system.web> 
    </location>

通过领先的/我收到的响应的资源不能被发现。如果我删除了领先的/一切正常，除了验证可通过在/管理员前面追加一个目录名被绕过/ elmah.axd。

With the leading "/" I receive the response that "The resource cannot be found.", if I remove the leading "/" everything works fine except authentication can be bypassed by appending a directory name in front of /admin/elmah.axd.

例如没有前导/

www.mysite.com/admin/elmah.axd - 触发认证
www.mysite.com/asdasdasd/admin/elmah.axd - 不会触发认证，并显示ELMAH

www.mysite.com/admin/elmah.axd - triggers the authentication
www.mysite.com/asdasdasd/admin/elmah.axd - does not trigger the authentication and displays ELMAH

我如何确保ELMAH是安全的，同时保持远程查看日志的能力？

How can I ensure that ELMAH is secure while maintaining the ability to remotely view the log?

感谢。

请注意他人的事：
按照下面的，有如下阿兰的回答。

Note to others:
Following Alan's answer below results in the following.

www.mysite.com/admin/elmah.axd - 触发认证
www.mysite.com/admin/asdasdasd/elmah.axd - 触发认证
www.mysite.com/asdasdasd/admin/elmah.axd - 资源无法找到。 （正是我们想要的）

www.mysite.com/admin/elmah.axd - triggers the authentication
www.mysite.com/admin/asdasdasd/elmah.axd - triggers the authentication
www.mysite.com/asdasdasd/admin/elmah.axd - The resource cannot be found. (exactly what we wanted)

推荐答案

我研究了一下web.config中，得到了以下工作。而不是把elmah.axd的HttpHandler在一般的System.Web基本上，特别是在你的admin的路径位置的System.Web程序添加它。

I played around with the web.config and got the following to work. Basically instead of putting the elmah.axd HttpHandler in the general system.web, add it specifically in the system.web of your "admin" path location.

<location path="admin">
    <system.web>
        <httpHandlers>
            <add verb="POST,GET,HEAD" path="elmah.axd"
                 type="Elmah.ErrorLogPageFactory, Elmah" />
        </httpHandlers>
        <authorization>
            <deny users="?"/>
        </authorization>
    </system.web>
</location>

这篇关于在ASP.NET网站保护ELMAH的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！