Umbraco, ELMAH, MADAM and authentication

Posted by kipusoep on nov 29, 2011 in Asp.NET, C#.NET, IIS, Umbraco

Please refer to this blogpost

Warning – read first: there is an issue with this approach. When you are authenticated via Forms Authentication (for example, logged in on the website as a member), you are ALSO allowed to access elmah.axd, because the <deny users="?"/> rule below only blocks anonymous requests.
I have looked for a solution, but I haven't found one yet. Do you have the solution? Please reply on this blog and I'll include your information.


We're using ELMAH in every single umbraco project we build; it's an excellent error-logging module for .NET.

To protect ELMAH we were using Basic Authentication, which is built into .NET and IIS.
But since umbraco v4.7.1, umbraco relies on Forms Authentication for Members. As you may know, ASP.NET only allows one authentication mode per application, and IIS does not support combining a login-redirect scheme (Forms) with a challenge-based scheme (Basic) for the same site, so the quick conclusion was to go with Forms Authentication; otherwise umbraco's membership provider would no longer work.

So now we have a problem: whenever someone is logged in as a member, he/she can access elmah.axd (assuming you have protected elmah.axd as described here, with <deny users="?"/>, which only denies anonymous requests).
Wouldn't it be great if we could still use some sort of Basic Authentication AND Forms Authentication? Of course! That's where MADAM steps in (from the creator of ELMAH, isn't that a coincidence?).

So here's a guide to setting up your project (which I assume already has ELMAH running and configured, as described here for example):
Add the MADAM assembly (Madam.dll) to the bin folder (plus a project reference if you use Visual Studio).
Then make the following changes to web.config:

  • Add a sectionGroup for madam to configuration/configSections. Each section needs a name, and the names must match the child elements of the <madam> element added below:

<sectionGroup name="madam">
  <section name="formsAuthenticationDisposition" type="Madam.FormsAuthenticationDispositionSectionHandler, Madam"/>
  <section name="userSecurityAuthority" type="System.Configuration.SingleTagSectionHandler, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
</sectionGroup>
  • Add the two MADAM modules to system.web/httpModules (classic pipeline) and to system.webServer/modules (IIS 7 integrated pipeline); the same two <add> lines go in both places, in this order:

<add name="FormsAuthenticationDisposition" type="Madam.FormsAuthenticationDispositionModule, Madam"/>
<!-- IMPORTANT! The actual HTTP authentication module MUST appear AFTER the FormsAuthenticationDisposition module. -->
<add name="BasicAuthentication" type="Madam.BasicAuthenticationModule, Madam"/>
  • Extend the existing <authentication mode="Forms"> element in <system.web>. Keep whatever attributes your <forms> element already carries (umbraco sets its own) and add the <credentials> block inside it. The password value is the SHA1 digest as produced by FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1"). Note that this is an unsalted hash sitting in a config file: use a long, random password and make sure web.config is not readable by anyone who should not see it.

<authentication mode="Forms">
  <forms>
    <credentials passwordFormat="SHA1">
      <user name="elmah" password="<<YOUR_SHA1_HASHED_PASSWORD>>"/>
    </credentials>
  </forms>
</authentication>
  • Add a location element to protect elmah.axd (a direct child of <configuration>):

<location path="elmah.axd">
  <system.web>
    <authorization>
      <!-- "?" denies anonymous requests only; any request carrying a valid Forms ticket passes this rule (see the warning at the top). -->
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
  • Add a madam element, for example right after the elmah element (both are direct children of <configuration>). The login-page pattern below must match the loginUrl configured on your <forms> element; adjust it if yours is not login.aspx:

<madam>
  <userSecurityAuthority realm="ELMAH" provider="Madam.FormsUserSecurityAuthority" exposeClearTextPassword="false"/>
  <formsAuthenticationDisposition>
    <discriminators all="true">
      <!-- This discriminator detects the redirect to the Forms login page. Because of all="true" it is AND'ed with the group below: only a login redirect caused by a request for elmah.axd is turned into a Basic challenge. -->
      <discriminator inputExpression="Response.RedirectLocation" pattern="login\.aspx\?returnurl\=" type="Madam.RegexDiscriminator"/>
      <!-- These discriminators list the locations and requests for which Forms should be discriminated. Without the all attribute, the conditions in this group are OR'ed together. -->
      <discriminator>
        <discriminator inputExpression="Request.RawUrl" pattern="^/elmah\.axd"/>
      </discriminator>
    </discriminators>
  </formsAuthenticationDisposition>
</madam>
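To see exactly why the warning at the top applies, here is an added example (my code, not code from this post, from MADAM or from ELMAH) that models how ASP.NET's UrlAuthorizationModule evaluates the <authorization> rules of a <location> element: rules are checked top to bottom, the first rule that matches the caller decides, "?" matches only anonymous callers, "*" matches everyone, and a caller that no rule matches falls through to the <allow users="*"/> inherited from the root web.config. It runs the post's own <deny users="?"/> rule set and two alternative rule sets against three constructed callers: an anonymous request, a logged-in member named alice, and the elmah user from the <credentials> element. The member name, the role name and both alternative rule sets are assumptions made for the example. The model ignores the verbs attribute and does not model what MADAM does with the resulting 401.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Rule = Tuple[str, Set[str], Set[str]]  # (action, users, roles), all lower-cased


@dataclass(frozen=True)
class Caller:
    """Request principal. name=None models an anonymous (unauthenticated) request."""
    name: Optional[str] = None
    roles: frozenset = frozenset()

    @property
    def is_authenticated(self) -> bool:
        return self.name is not None


def _split(attr: Optional[str]) -> Set[str]:
    """Split a comma-separated users/roles attribute into a lower-cased set."""
    return {x.strip().lower() for x in (attr or "").split(",") if x.strip()}


def parse_rules(config_xml: str, path: str) -> List[Rule]:
    """Collect the <allow>/<deny> rules of the <location path=...> element, in document order."""
    rules: List[Rule] = []
    for location in ET.fromstring(config_xml).iter("location"):
        if location.get("path") != path:
            continue
        for authorization in location.iter("authorization"):
            for entry in authorization:
                if entry.tag in ("allow", "deny"):
                    rules.append((entry.tag, _split(entry.get("users")), _split(entry.get("roles"))))
    return rules


def rule_matches(users: Set[str], roles: Set[str], caller: Caller) -> bool:
    """Does the rule apply to this caller? '*' = everyone, '?' = anonymous only; names compare case-insensitively."""
    if "*" in users:
        return True
    if "?" in users and not caller.is_authenticated:
        return True
    if caller.is_authenticated and caller.name.lower() in users:
        return True
    return bool(roles & {r.lower() for r in caller.roles})


def is_authorized(config_xml: str, path: str, caller: Caller) -> bool:
    """First matching rule decides. No match: the inherited root-level <allow users="*"/> lets the request through."""
    for action, users, roles in parse_rules(config_xml, path):
        if rule_matches(users, roles, caller):
            return action == "allow"
    return True


# Constructed sample 1: the rule set from this post. "?" denies only anonymous callers.
POST_CONFIG = """<configuration>
  <location path="elmah.axd">
    <system.web><authorization>
      <deny users="?"/>
    </authorization></system.web>
  </location>
</configuration>"""

# Constructed sample 2 (assumption, not from the post): an explicit allow for the elmah
# credentials user, but deny users="?" is kept. Any other authenticated caller matches
# neither rule and falls through to the default allow, so members still get in.
LEAKY_CONFIG = POST_CONFIG.replace('<deny users="?"/>', '<allow users="elmah"/>\n      <deny users="?"/>')

# Constructed sample 3 (assumption): allow the intended principal, then deny everyone else.
TIGHT_CONFIG = POST_CONFIG.replace('<deny users="?"/>', '<allow users="elmah"/>\n      <deny users="*"/>')

ANONYMOUS = Caller()                                          # no Forms ticket, no Basic header
MEMBER = Caller(name="alice", roles=frozenset({"Members"}))   # constructed logged-in umbraco member
ELMAH_USER = Caller(name="elmah")                             # the <credentials> user from the post


def decisions(config_xml: str) -> Dict[str, bool]:
    """Authorization outcome for each sample caller against the given config."""
    callers = {"anonymous": ANONYMOUS, "member": MEMBER, "elmah": ELMAH_USER}
    return {label: is_authorized(config_xml, "elmah.axd", c) for label, c in callers.items()}


if __name__ == "__main__":
    for label, cfg in (("post", POST_CONFIG), ("leaky", LEAKY_CONFIG), ("tight", TIGHT_CONFIG)):
        print(f"{label:6} {decisions(cfg)}")
```

Running it prints one line per rule set. The "post" line shows the member being authorized, which is the problem the warning describes; the "leaky" line shows that adding an allow rule alone does not change that, because the authenticated member still matches no rule and falls through. Only the "tight" rule set, which ends with deny users="*", closes the gap at the authorization layer. The same holds for an allow roles="..." rule: it has to be followed by deny users="*", not deny users="?", or members without the role still fall through. Whether MADAM then turns the resulting 401 into a usable Basic challenge for a caller that already holds a Forms ticket is a separate question that this model does not answer.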

That’s “all” ;-) Good luck!

8 Comments

Sebastiaan Janssen
nov 29, 2011 at 17:02

Cool!
Would be even cooler if it just knew you were logged in as an Umbraco admin role and only then show you the elmah.axd..


 
kipusoep
nov 29, 2011 at 17:04

Yes you’re right, don’t know if that’s possible though. I needed Basic Authentication for the RSS feed feature ;-)


 
Richard Soeteman
nov 29, 2011 at 17:07

Great post Stephan, @sebastiaan yes nice idea. Think it’s just a matter of a simple handler. Will implement it for my client tomorrow :) Then post the solution here.


 
Chad Rosenthal
nov 29, 2011 at 17:08

Couldn’t you do this:

I don't have an Umbraco instance in front of me, but isn't there a different role for an admin than there is for a member?


 
Chad Rosenthal
nov 29, 2011 at 17:33

err…. my code didn’t appear.

In the authorization, above deny, just add an allow roles="roles for admin user separated by comma".

-C


 
Daniel Bowden
nov 30, 2011 at 12:09

Cheers for posting this, good to know. I just have a question. You say…

“So now we have a problem: whenever someone’s logged in as a member, he/she can access elmah.axd”

I have implemented this but I seem to still have this problem. When I’m not logged in as a member and try access elmah.axd it is correctly offering the Basic Authenticate challenge. I can then enter the details (as you have them) “elmah” and a password and I can then access elmah.axd fine. When I am logged in as a member though, I am allowed to access elmah.axd like before.

Any ideas what I am doing wrong?


 
kipusoep
nov 30, 2011 at 12:27

@Daniel
Damn, I see you're right! I thought I'd tested it really thoroughly.
Will look into this today or tomorrow and update this blog according to my findings.


 

[...] this is the second blogpost I’m writing about Umbraco, ELMAH and authentication. My previous blogpost wasn’t really good, because with forms-authentication authenticated members could also access [...]


 


Copyright © 2012 kipusoep’s tech blog All rights reserved. Theme by Laptop Geek.