 

Securing ELMAH while yet making it possible to access it via RSS Reader

We use ELMAH error exception logging in our application. I'd like to keep ELMAH secure from regular users while still making it available to administrators/developers of the application.

When you set security with forms authentication in the web.config, you then lose the ability to access the RSS feed. I'd like to be able to secure ELMAH but yet still pass through authentication to the axd to be able to access the RSS feed (i.e. /elmah.axd/rss) from an RSS reader.

I'm thinking that HTTP authentication would be proper, as then I can probably get to the RSS feed with the following URL syntax: http://username:[email protected]/elmah.axd/rss. I assume you would need to set authentication mode="windows" on that specific path in the web.config. One issue that pops up, though, is how do you set credentials on a virtual file?

Looking at Google brings back this article on CodeProject on how to set up authentication passthrough with cookies. Is this a good solution to my problem?

Is there another way that is better to be able to access the RSS feed while still being secure?

Thanks.

RedWolves asked Jun 25 '09 20:06


2 Answers

Supporting HTTP Authentication and Forms Authentication in a Single ASP.NET Web Site

Basically, you add a DLL called MADAM to your project, adjust your web.config, and configure which file(s) you want to authenticate as Basic instead of Forms:

<configuration>
    <configSections>
        <sectionGroup name="madam">
            <section name="userSecurityAuthority" type="System.Configuration.SingleTagSectionHandler, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <section name="formsAuthenticationDisposition" type="Madam.FormsAuthenticationDispositionSectionHandler, Madam" />
        </sectionGroup>
    </configSections>

    ...

    <madam>
        <userSecurityAuthority ... />

        <formsAuthenticationDisposition>
            <discriminators all="[true|false]">
                ...
            </discriminators>
        </formsAuthenticationDisposition>
    </madam>

    ...

    <system.web>
        <httpModules>
            <add name="FormsAuthenticationDisposition" type="Madam.FormsAuthenticationDispositionModule, Madam" />
            <add name="AuthenticationModule" type="MADAM Authentication Module Type" />
        </httpModules>
    </system.web>
</configuration>

This was easy to set up and solved my problem of being able to authenticate elmah.axd and still be able to subscribe to the RSS feed with Basic authentication credentials.

Side note: MADAM is written by the same guy that wrote ELMAH. Coincidence?

RedWolves answered Nov 15 '22 21:11
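A check for the behaviour this answer describes, as an added example that is not part of the original answer: it classifies how the feed URL responds to a request sent without credentials, separating an exposed log, a forms-login redirect (which a feed reader cannot complete) and a Basic challenge. The function names and sample responses are constructed for illustration, and the `ReturnUrl` test assumes the default ASP.NET forms-authentication redirect.

```python
"""Classify how /elmah.axd/rss answers a request that carries no credentials."""
import urllib.error
import urllib.request


def classify(status, headers):
    """Map an unauthenticated response to what it means for the ELMAH feed."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401:
        # A feed reader can answer a Basic challenge; Negotiate/NTLM usually not.
        scheme = h.get("www-authenticate", "").split(" ", 1)[0].lower()
        return "basic-challenge" if scheme == "basic" else "other-challenge"
    if status in (301, 302, 303, 307):
        # Assumption: forms authentication redirects to a login page with ReturnUrl.
        location = h.get("location", "").lower()
        return "forms-redirect" if "returnurl=" in location else "redirect"
    if status == 200:
        return "exposed"  # error log served to anyone who asks
    return "blocked"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 30x instead of following it to the login page


def probe(url, timeout=5):
    """Fetch url once without credentials and classify the answer."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.headers)
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers)


# Constructed sample responses, not captured from a real site.
SAMPLES = {
    "no protection": (200, {"Content-Type": "application/xml"}),
    "forms only": (302, {"Location": "/login.aspx?ReturnUrl=%2felmah.axd%2frss"}),
    "Basic on this path": (401, {"WWW-Authenticate": 'Basic realm="elmah"'}),
    "Windows auth": (401, {"WWW-Authenticate": "Negotiate"}),
}

if __name__ == "__main__":
    for label, (status, headers) in SAMPLES.items():
        print(f"{label:20} -> {classify(status, headers)}")
```

For a configuration like the one in this answer, `probe()` on the feed URL should return `basic-challenge`, while pages left on forms authentication should return `forms-redirect`.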


Depends on the client I guess - I know some desktop readers (sure others do, as well) support feeds that require authentication, and provide a login box when first requesting it - not sure what they are doing behind the scenes to make it work though.

Zhaph - Ben Duguid answered Nov 15 '22 21:11