elmah-contrib-webapi
How to secure Elmah.axd in Web Api project
Hi,
The package works great with Web API and it is successfully able to log all unhandled exceptions to Elmah. However, I am a little worried about securing Elmah.axd. I am using ASP.NET Identity bearer token authentication for making API calls, so the default security mechanism will not be valid in my case. Any idea how I could secure it in my case? I want to allow this only to a user who has the admin role. Please suggest.
The Elmah documentation already has everything you need to secure the Elmah.axd page using the web.config: https://code.google.com/p/elmah/wiki/SecuringErrorLogPages
If you are using a pure Web API project then you should also ignore .axd routes. Put this in your startup configuration before you configure Web API or use OWIN UseWebApi or any other authentication setup.
RouteTable.Routes.Ignore("{resource}.axd/{*everything}");
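As an added example (not from this thread and not part of the ELMAH or Elmah.Contrib.WebApi projects), here is a web.config fragment of the kind the linked ELMAH page describes, restricting elmah.axd to the admin role the original poster asked about. The role name "admin" is taken from the question; the element layout follows the ELMAH documentation, and everything else here is assumed for illustration:

```xml
<configuration>
  <configSections>
    <sectionGroup name="elmah">
      <!-- Registers the <elmah><security> element used below -->
      <section name="security" requirePermission="false"
               type="Elmah.SecuritySectionHandler, Elmah" />
    </sectionGroup>
  </configSections>

  <elmah>
    <!-- Must be true for anyone to reach elmah.axd from a host other than
         localhost; with "false" remote requests never get to the page at all. -->
    <security allowRemoteAccess="true" />
  </elmah>

  <!-- Scope the rule to the handler's own path so it does not touch API routes. -->
  <location path="elmah.axd">
    <system.web>
      <httpHandlers>
        <add verb="POST,GET,HEAD" path="elmah.axd"
             type="Elmah.ErrorLogPageFactory, Elmah" />
      </httpHandlers>
      <!-- Rules are evaluated top to bottom and the first match wins:
           allow the admin role, then deny everyone else, anonymous included. -->
      <authorization>
        <allow roles="admin" />
        <deny users="*" />
      </authorization>
    </system.web>
    <system.webServer>
      <handlers>
        <add name="ELMAH" verb="POST,GET,HEAD" path="elmah.axd"
             type="Elmah.ErrorLogPageFactory, Elmah"
             preCondition="integratedMode" />
      </handlers>
    </system.webServer>
  </location>
</configuration>
```

Two checks worth doing before relying on this. URL authorization is decided against the principal ASP.NET sees on the request, and a browser opening /elmah.axd sends no bearer token, so the admin's role has to arrive through something the browser does send (for example an ASP.NET Identity cookie); if nothing authenticates the browser request, the `<deny users="*" />` rule blocks everyone, which is the safe failure. And after deploying, request the page from a non-admin account and confirm you are refused rather than shown the log.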
The solution @brutaldev mentioned is not working on WebAPI 2.2.
Do you know if there is a workaround for this?
Note: I'm using my own subdomain restapi.domain.com so my WebApiConfig.cs looks like this:
config.Routes.MapHttpRoute(
    name: "DefaultApi",
    routeTemplate: "{controller}/{id}",
    defaults: new { id = RouteParameter.Optional }
);
@vhugogarcia The suggestion does work with Web API 2.2 (5.2.3); you first need to ignore .axd routes, then secure it however you want by following the official documentation.
In your case you need to ignore .axd routes before your normal mappings using config. Your code looks generated for an MVC/Web API mixed project, whereas my example was for an OWIN-based configuration.
Use config.Routes.Ignore("{resource}.axd/{*everything}"); before the call to map your default route.
The issue here, though, is how to secure the page, which you can do normally through web.config once you get elmah.axd to bypass the OWIN pipeline.
Right, to secure the .axd resource I did it via web.config with:
<security allowRemoteAccess="false" />
But I cannot access /elmah.axd from my local instance; it keeps returning:
{"message":"No HTTP resource was found that matches the request URI 'http://services.domain.com/elmah.axd'."}
Find below the full code of my WebApiConfig file:
using System.Linq;
using System.Net.Http.Formatting;
using System.Web.Http;
using Newtonsoft.Json.Serialization;

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Web API configuration and services
        // Never: exception details are withheld from every client, local ones included
        // (LocalOnly is the setting that shows them from localhost only)
        config.IncludeErrorDetailPolicy = IncludeErrorDetailPolicy.Never;
        // Web API routes
        config.MapHttpAttributeRoutes();
        var jsonFormatter = config.Formatters.OfType<JsonMediaTypeFormatter>().First();
        jsonFormatter.SerializerSettings.ContractResolver = new CamelCasePropertyNamesContractResolver();
        // Remove the XML formatter
        config.Formatters.Remove(config.Formatters.XmlFormatter);
        // Keep .axd requests out of Web API routing
        config.Routes.IgnoreRoute("elmah", "{resource}.axd/{*everything}");
        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "{controller}/{id}",
            defaults: new { id = RouteParameter.Optional }
        );
    }
}
And the Global.asax:
using System.Web;
using System.Web.Http;

public class WebApiApplication : HttpApplication
{
    protected void Application_Start()
    {
        // Runs WebApiConfig.Register against the global configuration at startup
        GlobalConfiguration.Configure(WebApiConfig.Register);
    }
}
Wrong place. You need to ignore routes before you setup anything else regarding routes, the order of execution is important.
You are calling config.MapHttpAttributeRoutes(); before you ignore, which will give attribute routes priority. Move the ignore call above that and it should work.
Again, this is not the right place to get implementation help like this (StackOverflow probably is), the issue is regarding the securing of the Elmah page, not how to get it to display in the first place.
Another thing: allowRemoteAccess will need to be true if you are accessing the Elmah page from anything other than localhost. When you set this to false you will get a 404 or the missing route message you are seeing when accessing it from http://services.domain.com, for example.
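The registration order described above, written out as an added example (not code from this thread or from the Elmah.Contrib.WebApi project): the ignore route is registered before attribute routes and the default route, and in the OWIN-hosted variant the whole configuration is built before UseWebApi. The class and route names are assumptions, and the OWIN part assumes the Microsoft.AspNet.WebApi.Owin package is installed.

```csharp
using System.Linq;
using System.Net.Http.Formatting;
using System.Web.Http;
using Newtonsoft.Json.Serialization;
using Owin;

// Added example: route registration order that lets /elmah.axd fall through
// to the ELMAH handler instead of being answered with a 404 by Web API.
public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // 1. Ignore routes first. Routes are evaluated in registration order and
        //    the first match wins, so the ignore route must precede every route
        //    that could claim the path: the attribute-route collection added by
        //    MapHttpAttributeRoutes() and the {controller}/{id} default route,
        //    which would otherwise treat "elmah.axd" as a controller name.
        //    "IgnoreAxd" is just an assumed route name.
        config.Routes.IgnoreRoute("IgnoreAxd", "{resource}.axd/{*everything}");

        // 2. Only now register attribute routes and the convention-based route.
        config.MapHttpAttributeRoutes();
        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "{controller}/{id}",
            defaults: new { id = RouteParameter.Optional });

        // Unrelated to routing: never leak exception details to API clients;
        // the details belong in ELMAH, behind the secured elmah.axd page.
        config.IncludeErrorDetailPolicy = IncludeErrorDetailPolicy.Never;
        var json = config.Formatters.OfType<JsonMediaTypeFormatter>().First();
        json.SerializerSettings.ContractResolver = new CamelCasePropertyNamesContractResolver();
        config.Formatters.Remove(config.Formatters.XmlFormatter);
    }
}

// OWIN-hosted variant: build the same HttpConfiguration (ignore route included)
// and hand it to UseWebApi; any bearer-token middleware is wired in before it.
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        var config = new HttpConfiguration();
        WebApiConfig.Register(config);
        // app.UseOAuthBearerAuthentication(...) would go here, before UseWebApi.
        app.UseWebApi(config);
    }
}
```

A quick way to confirm the change took effect: request /elmah.axd and check that the JSON body "No HTTP resource was found that matches the request URI" is gone. That message comes from Web API itself, so while it is still returned Web API is still claiming the path and the web.config rules for the ELMAH handler have not yet come into play.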
Thanks @brutaldev
I created a topic on StackOverflow to follow the implementation there, as you suggested.
http://stackoverflow.com/questions/30987439/elmah-axd-on-webapi-2-2-no-http-resource-was-found
Would you mind taking a look there, please?
Thanks in advance.
By the way, I moved up what you suggested and it did not work either. I also temporarily set allowRemoteAccess to true to make sure it works, but no luck either.