Configuring custom authorization with ELMAH

Question

How can I configure ELMAH to display only for certain people without default ASP.NET authorization roles manager?

I (as well as many others, I think) use my own authorization logic and build my projects from zero without using provided templates. I want to log errors but it seems that it is impossible to configure ELMAH (somehow override functionality) to make it work with some other authorization or even to make it work only for particular IP addresses.

Since I will have access to web.config I tried to change these values in order to NOT display elmah by default.

<add key="elmah.mvc.disableHandler" value="false" />
<add key="elmah.mvc.disableHandleErrorFilter" value="false" />
<add key="elmah.mvc.requiresAuthentication" value="false" />

And when I want to view errors switch them from true to false and see errors, then switch back. But it seems that when I change these values all logs are erased.

What can I do?

Answer 1

I think the easiest approach would be to make some minor alterations to your custom authorization so the ELMAH authorization will work.

Option 1: Set the FormsAuthentication cookie on login. This way, in the web.config the allow users="username" should work. On successful login you can set the cookie with FormsAuthentication.SetAuthCookie(theUsername, true).

The ELMAH authorization would look something like:

<location path="elmah.axd" inheritInChildApplications="false">
    <system.web>
       <authorization>   
         <allow users="theUserName" />
         <deny users="*" />
       </authorization>
    </system.web>
  ...other config settings
</location>

Option 2: If you are using putting users into roles, you can override the default role provider to use the function you made to get roles. This way is a little more involved but then lets you harness role-basing authentication in the web.config, which is really nice for securing things like static file (.pdf etc) delivery. I can add code for this if interested.

Answer 2

I was using the ASP.NET Identity Framework, so this answer is regarding that setup. I also used the Elmah.MVC package in NuGet. I edited the following lines in web.config. (you need to supply your own user name in the allowedUser setting)

<add key="elmah.mvc.requiresAuthentication" value="true" />
<add key="elmah.mvc.allowedRoles" value="*" />
<add key="elmah.mvc.allowedUsers" value="your_user_name" />

It appears that ELMAH does get the authentication information from the current thread principal, which the ASP.NET Identity Framework will establish on your behalf upon login.

Answer 3

It doesn't matter how the system gets the username or roles in this case. Whether it be from the built-in providers, a provider you implement yourself, or if during your custom authentication you populate this information yourself. All it takes is to manually set the principal during something like the Application_PostAuthenticationRequest event. This should give you the jist of it.

protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
{
    //Obtain username and roles from application datastore and use them in the next line
    Thread.CurrentPrincipal = new GenericPrincipal(
        new GenericIdentity("userNameHere"),
        new string[] { "Admin", "CanDeleteStuff", "CanEditStuff", "OtherRole" }
    );
}

This will let you use something like this in your web.config

<location path="elmah.axd" inheritInChildApplications="false">
  <system.web>
    <authorization>
      <allow roles="Elmah"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

Not to mention being able to use User.IsInRole("CanEditStuff") in your code.