在 ASP.NET 网站中保护 Elmah 的安全
我在保护 ELMAH 时遇到了麻烦。 我关注了 Phil Haacked 的 教程,唯一的区别是演示项目是一个 Web 应用程序,而我的项目是一个网站。
<add verb="POST,GET,HEAD" path="/admin/elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
<location path="admin">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
使用前导“/”,我收到“找不到资源。”的响应,如果我删除前导“/”,一切正常,除了可以通过在 /admin/elmah.axd 前面附加目录名称来绕过身份验证之外。
例如,没有前导“/”
www.mysite.com/admin/elmah.axd - 触发身份验证
www.mysite.com/asdasdasd/admin/elmah.axd - 不触发身份验证并显示 ELMAH
如何确保 ELMAH 安全,同时保持远程查看日志的能力?
谢谢。
其他人请注意:
遵循下面艾伦的回答会产生以下结果。
www.mysite.com/admin/elmah.axd - 触发身份验证
www.mysite.com/admin/asdasdasd/elmah.axd - 触发身份验证
www.mysite.com/asdasdasd/admin/elmah.axd - 找不到资源。 (正是我们想要的)
I am having trouble trying to secure ELMAH. I have followed Phil Haacked's tutorial, with the only difference being the demo project is a web application and my project is a website.
<add verb="POST,GET,HEAD" path="/admin/elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
<location path="admin">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
With the leading "/" I receive the response that "The resource cannot be found.", if I remove the leading "/" everything works fine except authentication can be bypassed by appending a directory name in front of /admin/elmah.axd.
For example without the leading "/"
www.mysite.com/admin/elmah.axd - triggers the authentication
www.mysite.com/asdasdasd/admin/elmah.axd - does not trigger the authentication and displays ELMAH
How can I ensure that ELMAH is secure while maintaining the ability to remotely view the log?
Thanks.
Note to others:
Following Alan's answer below results in the following.
www.mysite.com/admin/elmah.axd - triggers the authentication
www.mysite.com/admin/asdasdasd/elmah.axd - triggers the authentication
www.mysite.com/asdasdasd/admin/elmah.axd - The resource cannot be found. (exactly what we wanted)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
我花了一些时间试图通过将每个答案中的各种建议拼凑在一起来使其发挥作用,我已经整理出了一个完整的解决方案,该解决方案应该适用于所有类型的 IIS。
以下是每个 web.config 部分中需要包含的内容:
如果您使用的是 Asp.Net MVC,请添加
您的 RegisterRoutes 方法。
Having spent a while trying to get this to work by patching together the various bits of advice from each of the answers, I've put together a complete solution that should work for all flavours of IIS.
Here's what needs to be in each of your web.config sections:
And if you're using Asp.Net MVC, add
in your RegisterRoutes method.
在 IIS 7.5 windows server 2008 中,还有另一个名为 system.webServer 的部分。
为了让 ELMAH 工作,必须添加以下内容:
我尝试了一些变化,但我无法使用上述解决方案来防止
'/blah/elmah.axd' 停止工作。
关于使上述解决方案适用于 IIS 7.x 有什么建议吗?
谢谢。
In IIS 7.5 windows server 2008, there is another section called system.webServer.
In order for ELMAH to work, this had to be added:
I've tried a few variances, but I am unable to use the above solution for preventing
'/blah/elmah.axd' from working.
Any Suggestions on making the above solution work for IIS 7.x?
Thanks.
如果您使用 ASP.NET MVC,则需要让路由引擎忽略该路径。 例如,如果您想将 elmah 移动到 /admin/elmah.axd,您应该将以下内容添加到 Global.asax.cs:
If you are using ASP.NET MVC, you're going to need to have the routing engine ignore that path. If you want to move elmah to /admin/elmah.axd for instance you should add the following to Global.asax.cs:
我尝试了 web.config 并得到了以下内容。 基本上,不要将 elmah.axd HttpHandler 放在通用 system.web 中,而是将其专门添加到“admin”路径位置的 system.web 中。
I played around with the web.config and got the following to work. Basically instead of putting the elmah.axd HttpHandler in the general system.web, add it specifically in the system.web of your "admin" path location.