Search code examples
asp.net-mvcasp.net-mvc-4elmahelmah.mvc

Securing ELMAH in ADFS Claims aware MVC 4 app using elmah.mvc.allowedRoles AppSettings


ELMAH for MVC support following appsettings configurations

elmah.mvc.allowedRoles
elmah.mvc.allowedUsers

to secure the elmah route path using roles/users. Apparently, it works fine for windows or forms authentications. But I couldn't make it working for the claim based authentication.

Does anyone have experience with this?


Solution

  • I do this in web config

    <elmah>
       <security allowRemoteAccess="true" />
       <errorLog type="Elmah.SqlErrorLog, Elmah" connectionStringName="elmah-sqlserver" applicationName="Eers.Web"/>
    </elmah>
    

    and further down

     <location path="elmah">
        <system.web>
          <authorization>       
            <allow users="*"/>
          </authorization>
        </system.web>
      </location>
      <location path="elmah.axd" inheritInChildApplications="false">
        <system.web>
          <httpHandlers>
            <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
          </httpHandlers>
        </system.web>
        <system.webServer>
          <handlers>
            <add name="ELMAH" verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" preCondition="integratedMode" />
          </handlers>
        </system.webServer>
      </location>
    

    If you take note of the node it works just like any other security in MVC. It does not work with Claims though. for that You will have to write an Action filter

      <authorization>       
         <allow users="*"/>
      </authorization>
    

    Here is my Actionfilter

     public class ElmahRequestAuthorizationFilter : AuthorizeAttribute
    {
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
    
            if (filterContext.IsChildAction) return;
    
            var controller = filterContext.RouteData.Values["controller"] as string;
    
            if (controller != null && controller.ToLowerInvariant() != "elmah") return;
    
            var authenticationComponent = GetAuthenticationInfo() // A method that will return us roles;
    
            var goodRoles = new List<string> {
                "TestRole",
                "ThirdLevelSupport",
                "Administrator"
            };
    
            var roles = authenticationComponent.Roles ?? new List<string>();
    
            var thouShaltPass = roles.Intersect(goodRoles).Any();
    
            if (!thouShaltPass)
            {
                throw new HttpException(404, "Not Found");
            }
    
        }
    }