How to secure Elmah with ServiceStack

Question

Since Elmah relies on ASP.NET security the following web.config section does not work with ServiceStack authorizations:

<location path="admin">
<system.web>
  <httpHandlers>
    <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
  </httpHandlers>
  <authorization>
    <deny users="?"/>
  </authorization>
</system.web>

So, what is the best practice to lock elmah.axd to everyone except administrators users?

Answer 1

When you run ServiceStack with MVC you should typically define ServiceStack to pick up the requests to a custom location such as api using <location path="api">.

See here for setup instructions:

• ServiceStack v3 (BSD)
• ServiceStack v4 (Commercial)

Therefore ServiceStack won't handle requests to other locations and as such the location path <location path="admin"> will be outside the path handled by ServiceStack, so the Authentication of your elmah.axd will be handled by IIS. So IIS will authenticate as per usual.