Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Murray Roke 503 posts 966 karma points c-trib
    Sep 17, 2009 @ 06:09
    Murray Roke
    0

    Secure a path with authorization using asp.net authentication (Elmah)

    Hi all,

    Why does this not work in the web.config? (umbraco 4.0.0)

        <location path="elmah.axd">
            <system.web>
                <authorization>
                    <allow roles="Administrator"/>
                    <deny users="*" />
                </authorization>
            </system.web>
        </location>

    I login to the umbraco admin as administrator, but am still denied access to the path specified.

    Is something fundamentally wrong or have I got the role name wrong?

    Cheers.

    Murray.

  • Dirk De Grave 4541 posts 6021 karma points MVP 3x admin c-trib
    Sep 17, 2009 @ 08:49
    Dirk De Grave
    0

    Murray,

    It's a wild guess but worth a shot, right? admin is adminstrator (which is a 'user' type) wheras a member group is to be considered a 'role'. So, do you have a 'Adminstrator' member group?

     

    Cheers,

    /Dirk

  • Aaron Powell 1708 posts 3046 karma points c-trib
    Sep 17, 2009 @ 09:11
    Aaron Powell
    0

    I think the role provider system only works with Members, not Users (back office people). Lee Kelleher wrote a post on how to integrate Elmah with Umbraco (http://blog.leekelleher.com/2009/04/23/integrating-elmah-with-umbraco/) maybe have a read of what he did

  • Murray Roke 503 posts 966 karma points c-trib
    Sep 18, 2009 @ 03:36
    Murray Roke
    0

    Ahh yes, you're both right I'm trying to use 'Users' not 'Members'.

    However I want to use 'Users' ... I don't want admins having 2 accounts (for any reason especially just so they can see error reporting.)

    I tried changing to this:

    <membership defaultProvider="UsersMembershipProvider" ...

    Because I don't have any 'membership' in this case, so I could disable it if that helps. (but not a good soution for any project that does have members)

    But it doesn't seem to work.

    Is there any other way around this?

    Cheers.

    Murray.

  • Murray Roke 503 posts 966 karma points c-trib
    Sep 18, 2009 @ 03:40
    Murray Roke
    0

    P.S. I used Lee Kelleher's blog post to set it all up, but it does not cover security.

  • Paul Sterling 718 posts 1534 karma points MVP 9x admin c-trib
    Sep 18, 2009 @ 06:34
    Paul Sterling
    0

    Murray -

    I know you're dealing with users, but this post may be of help since it ties into the ASP.NET Authorization that you specify in you first post:

    http://our.umbraco.org/forum/developers/extending-umbraco/2923-Authorization-Alternatives-when-Integrating-with-AspNet-Sites

    -Paul

  • Aaron Powell 1708 posts 3046 karma points c-trib
    Sep 18, 2009 @ 14:31
    Aaron Powell
    0

    Have you enabled Remote Access in Elmah config enabled? (I don't know the exact config property, don't have it opened at the moment)

  • Lee Kelleher 4026 posts 15836 karma points MVP 13x admin c-trib
    Sep 18, 2009 @ 15:16
    Lee Kelleher
    0

    As I mentioned to Murray on my blog, I haven't tried to restrict remote access to a specific user/group/role.

    I had a quick play around with the following options in the Web.config - none of them worked for me... but it's worth a try?

    <location path="elmah.axd">
        <system.web>
            <authorization>
                <allow roles="Administrator" />
                <deny users="*" />
            </authorization>
            <membership defaultProvider="UsersMembershipProvider">
                <providers>
                    <clear/>
                    <add name="UsersMembershipProvider" type="umbraco.providers.UsersMembershipProvider" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="false" passwordFormat="Hashed"/>
                </providers>
            </membership>
            <roleManager enabled="true" defaultProvider="UmbracoRoleProvider">
                <providers>
                    <clear/>
                    <add name="UmbracoRoleProvider" type="umbraco.providers.members.UmbracoRoleProvider"/>
                </providers>
            </roleManager>
        </system.web>
    </location>

    Other than that, the best bet is to ask the question the ELMAH support group, or  even StackOverflow to see how you would allow authorisation from a specific user/role in a custom membership provider?

    Meanwhile, if anyone else figures it out... I'd love to know! (I'll update my blog post with the details too)

  • Murray Roke 503 posts 966 karma points c-trib
    Sep 24, 2009 @ 23:02
    Murray Roke
    0

    @slace, yep remote access is enabled.

    as you mentioned earlier I'm guessing my problem is here....it seems the roleProvider generating roles from 'Member Groups' , rather than 'User Types'

        <roleManager enabled="true" defaultProvider="UmbracoRoleProvider">
                <providers>
                    <clear />
                    <add name="UmbracoRoleProvider" type="umbraco.providers.members.UmbracoRoleProvider" />
                </providers>
            </roleManager>

    Is there an equivalvent provider that works by generating roles from 'User Types' ?

    If not I'll give Pauls method a try, or perhaps try write my own RoleProvider.

  • Peter Mason 20 posts 40 karma points
    May 25, 2012 @ 09:26
    Peter Mason
    0

    In case it helps anyone, I will post the steps I used to restrict ELMAH logs to logged in admin "users" and disallow "members", or unauthenticated users from seeing the logs.

    Follow the steps in this article to get ELMAH up and running: http://our.umbraco.org/wiki/how-tos/use-elmah-with-umbraco

    This wiki is good, but it goes off the rails at the end. It says you can restrict ELMAH using ASP.NET authorization. If you want to continue to review the logs in the backend as described in the wiki, then this is simply not true.

    The only way I was effectively able to restrict the ELMAH logs to logged in admin users in the Umbraco backend was to introduce an HTTP Module.

    Create a c# class module, insert the code listing below, compile it and drop it in the Umbraco bin folder, you must also delete the App_global.asax file from the Umbraco bin folder, and register your new module in your web.config file, making an entry for your new module under the httpmodules section AND the modules section.

     

    You will now find you can log in as an admin user in the backend and browse the elmah logs, log out, and then see that elmah.axd is inaccessible in the site root.

     

    using System;

    using System.Web;

    using umbraco.BusinessLogic;


    public class ElmahRedirect : IHttpModule

    {

        public ElmahRedirect()

        {

        }


        public void Init(HttpApplication application)

        {

            application.BeginRequest += (new EventHandler(this.Application_BeginRequest));

        }


        private void Application_BeginRequest(Object source, EventArgs e)

        {

            if (HttpContext.Current.Request.Url.AbsolutePath.ToLowerInvariant().Contains("elmah.axd"))

            {

                User current = User.GetCurrent();

                if (current == null)

                {

                    HttpContext.Current.Response.Redirect("~/a-problem-occurred.aspx");

                }

            }

        }


        void IHttpModule.Dispose()

        {

        }

    }

     

Please Sign in or register to post replies

Write your reply to:

Draft