I am having trouble trying to secure ELMAH. I have followed Phil Haacked's tutorial, with the only difference being the demo project is a web application and my project is a website.
<add verb="POST,GET,HEAD" path="/admin/elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
<location path="admin">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
With the leading "/" I receive the response that "The resource cannot be found.", if I remove the leading "/" everything works fine except authentication can be bypassed by appending a directory name in front of /admin/elmah.axd.
For example without the leading "/"
www.mysite.com/admin/elmah.axd - triggers the authentication
www.mysite.com/asdasdasd/admin/elmah.axd - does not trigger the authentication and displays ELMAH
How can I ensure that ELMAH is secure while maintaining the ability to remotely view the log?
Thanks.
Note to others:
Following Alan's answer below results in the following.
www.mysite.com/admin/elmah.axd - triggers the authentication
www.mysite.com/admin/asdasdasd/elmah.axd - triggers the authentication
www.mysite.com/asdasdasd/admin/elmah.axd - The resource cannot be found. (exactly what we wanted)
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…