How to secure Elmah.axd in Web Api project #18

Open
ammar91 opened this issue Mar 25, 2015 · 7 comments
@ammar91
ammar91 commented Mar 25, 2015

Hi,

The package works great with Web API and it is successfully able to log all unhandled exceptions to Elmah. However, I am a little worried about securing Elmah.axd. I am using ASP.NET Identity token bearer authentication for making API calls, so the default security mechanism will not be valid in my case. Any idea how I could secure it in my case? I want to allow this only to a user who has the admin role. Please suggest.

@brutaldev
Contributor

The Elmah documentation already has everything you need to secure the Elmah.axd page using the web.config: https://code.google.com/p/elmah/wiki/SecuringErrorLogPages

If you are using a pure Web API project then you should also ignore .axd routes. Put this in your startup configuration before you configure Web API or use OWIN UseWebApi or any other authentication setup.

RouteTable.Routes.Ignore("{resource}.axd/{*everything}");

@vhugogarcia

The solution @brutaldev mentioned is not working on WebAPI 2.2.

Do you know if there is a workaround for this?

Note: I'm using my own subdomain restapi.domain.com so my WebApiConfig.cs looks like this:

config.Routes.MapHttpRoute(
    name: "DefaultApi",
    routeTemplate: "{controller}/{id}",
    defaults: new { id = RouteParameter.Optional }
);

@brutaldev
Contributor

@vhugogarcia The suggestion does work with Web API 2.2 (5.2.3); you first need to ignore .axd routes, then secure it however you want by following the official documentation.

In your case you need to ignore .axd routes before your normal mappings using config. Your code looks generated for an MVC/Web API mixed project, whereas my example was for an OWIN-based configuration.

Use config.Routes.Ignore("{resource}.axd/{*everything}"); before the call to map your default route.

The issue is how to secure the page though, which you can do normally through web.config once you get elmah.axd to bypass the OWIN pipeline.

@vhugogarcia

Right, to secure the .axd resource I did it via web.config with:

<security allowRemoteAccess="false" />

But I cannot access /elmah.axd from my local instance; it keeps returning:

{"message":"No HTTP resource was found that matches the request URI 'http://services.domain.com/elmah.axd'."}

Find below the full code of my WebApiConfig file:

public static void Register(HttpConfiguration config)
{
    // Web API configuration and services
    // Locally only you will be able to see the exception errors
    config.IncludeErrorDetailPolicy = IncludeErrorDetailPolicy.Never;

    // Web API routes
    config.MapHttpAttributeRoutes();

    var jsonFormatter = config.Formatters.OfType<JsonMediaTypeFormatter>().First();
    jsonFormatter.SerializerSettings.ContractResolver = new CamelCasePropertyNamesContractResolver();

    // Remove the XML formatter
    config.Formatters.Remove(config.Formatters.XmlFormatter);

    config.Routes.IgnoreRoute("elmah", "{resource}.axd/{*everything}");

    config.Routes.MapHttpRoute(
        name: "DefaultApi",
        routeTemplate: "{controller}/{id}",
        defaults: new { id = RouteParameter.Optional }
    );
}

and the Global.asax:

protected void Application_Start()
{
    GlobalConfiguration.Configure(WebApiConfig.Register);
}

@brutaldev
Contributor

Wrong place. You need to ignore routes before you set up anything else regarding routes; the order of execution is important.

You are calling config.MapHttpAttributeRoutes(); before you ignore, which will give attribute routes priority. Move the ignore call above that and it should work.

Again, this is not the right place to get implementation help like this (StackOverflow probably is), the issue is regarding the securing of the Elmah page, not how to get it to display in the first place.
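To make the ordering point concrete, here is an added example (not code from this thread or from the project): a WebApiConfig.Register that registers the .axd ignore route before MapHttpAttributeRoutes() and before the default route, so a request for /elmah.axd is never claimed by Web API and falls through to the Elmah HTTP handler. The route name "IgnoreAxd" and the rest of the surrounding configuration are assumptions for illustration; the route templates are the ones used in this thread.

```csharp
// Added example, not from the thread or the project. Assumes ASP.NET Web API 2.x
// (System.Web.Http 5.x), which provides HttpRouteCollectionExtensions.IgnoreRoute.
using System.Linq;
using System.Net.Http.Formatting;
using System.Web.Http;
using Newtonsoft.Json.Serialization;

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Never leak stack traces to remote callers; Elmah keeps the full details.
        config.IncludeErrorDetailPolicy = IncludeErrorDetailPolicy.Never;

        // 1. Ignore *.axd FIRST. Routes are matched in registration order, so anything
        //    registered before this line gets a chance to claim /elmah.axd. With a default
        //    template of "{controller}/{id}" and an optional id, "elmah.axd" would otherwise
        //    match as controller = "elmah.axd" and produce the "No HTTP resource was found"
        //    response seen in this thread. Route name "IgnoreAxd" is an assumed name.
        config.Routes.IgnoreRoute("IgnoreAxd", "{resource}.axd/{*everything}");

        // 2. Only now register attribute routes and the conventional default route.
        config.MapHttpAttributeRoutes();

        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "{controller}/{id}",
            defaults: new { id = RouteParameter.Optional }
        );

        // Formatter setup is unrelated to routing and can stay last.
        var jsonFormatter = config.Formatters.OfType<JsonMediaTypeFormatter>().First();
        jsonFormatter.SerializerSettings.ContractResolver = new CamelCasePropertyNamesContractResolver();
        config.Formatters.Remove(config.Formatters.XmlFormatter);
    }
}
```

Once /elmah.axd bypasses Web API, access control belongs in web.config as the linked Elmah "Securing Error Log Pages" documentation describes: a `<location path="elmah.axd">` element whose `<authorization>` allows only the admin role and denies all other users, with `allowRemoteAccess="true"` in the `<elmah><security>` element when the page is reached from any host other than localhost. Keeping the ignore route first is what makes that web.config rule the effective gate rather than a Web API 404.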

@brutaldev
Contributor

Another thing, allowRemoteAccess will need to be true if you are accessing the Elmah page from anything other than localhost. When you set this to false you will get a 404 or the missing route message you are seeing when accessing it from http://services.domain.com for example.

@vhugogarcia

Thanks @brutaldev

I created a topic on StackOverflow to follow up the implementation there, as you suggested.

http://stackoverflow.com/questions/30987439/elmah-axd-on-webapi-2-2-no-http-resource-was-found

Would you mind taking a look there, please?

Thanks in advance.

BTW, I moved up what you suggested and it did not work either. I also temporarily set allowRemoteAccess to true to ensure it works, but no luck either.
