Elmah.MVC 2.0.1 - securing the elmah logs

Question

Setup:

For an ASP.NET MVC 4 app I am using Elmah.MVC 2.0.1 to log errors.

I installed Elmah.MVC using NuGet. It works fine.

Problem:

The Elmah.MVC package installs no controller or area, so I can see no obvious way to apply security via Authorize attributes, as is recommended for ASP.NET MVC.

Question:

I only want users in the Admin role to be able to view the Elmah page.

How do I do this?

Answer 1

Ouch!

Just found the answer;

Elmah MVC 2.0.1 NuGet package adds the following into <appSettings> (in web.config):

<add key="elmah.mvc.requiresAuthentication" value="false" />
<add key="elmah.mvc.allowedRoles" value="*" />

To achieve what I want simply:

<add key="elmah.mvc.requiresAuthentication" value="true" />
<add key="elmah.mvc.allowedRoles" value="Admin" />

Answer 2

I believe you can also use URL access control like this:

    <location path="elmah.axd">
  <system.web>
    <httpHandlers>
      <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
    </httpHandlers>
    <authorization>
      <allow roles="YourRole" />
      <deny users="*" />
    </authorization>
  </system.web>
  <system.webServer>
    <handlers>
      <add name="ELMAH" verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" preCondition="integratedMode" />
    </handlers>
  </system.webServer>
</location>