All geek questions in one place

Secure ELMAH in an asp.net application that does not use forms authentication

I have a very basic asp.net application that relies on the INIT event of the main page to validate the user through a session object. Yes, I know that this is a suboptimal path.

I would like to add ELMAH to it, but I cannot find any console protection links without using forms authentication and setting web.config permission / deny.

Is there any other way to protect the elmah.axd file that does not rely on forms authentication?

+3
source share
3 answers

, Elmah , :

http://groups.google.com/group/elmah/msg/a0aa776d348ba97e

Global.asax - :

protected void Application_PreRequestHandlerExecute(Object sender, EventArgs e)
{
    // Get the filename being requested
    string filename = Path.GetFileName(Request.Path).ToLower();

    // Verify that a user is logged in by checking the session
    bool isValid = (HttpContext.Current.Session["User"] != null);

    // Throw error if invalid
    if (filename == "elmah.axd" && !isValid)
        throw new SecurityException("Access to elmah.axd is denied");
}

Elmah IRequiresSessionState IReadOnlySessionState, , , , . Application_PreRequestHandlerExecute.

+3

ELMAH MySQL. allow/deny -. .

  • , IPrincipal .
  • allow/deny IsInRole IPrincipal.

  • Request_Authentication global.asax IHttpHandler IPrincipal Context.User. - :

    private void Request_Authenticate (object sender, EventArgs e) {
    // do checks and create IPrincipal object
    IPrincipal user = new MyPrincipal(...);
    Context.User = user;
}

  • , elmah.axd, , -.

+1

Source: https://habr.com/ru/post/1705295/

More articles:


All Articles