I just setup a logging provider using Log4net and noticed when testing that DotNetOpenAuth is logging messages as well. They must be using log4net as well, great I don't want 50 inserts everytime someone logs in with an openID..
Anyway to turn this off?
Yes.
<configuration>
<log4net>
<logger name="DotNetOpenAuth">
<level value="ERROR" />
</logger>
</log4net>
</configuration>
Related
i have an ASP MVC web site that is published.
and i adjusted <security allowRemoteAccess="yes"/> in webconfig
and now anybody can access Elmah page
by saying that i didnt use ASP.Net Identity,how can i secure ELmah Page?
I wrote a blog post a couple of months ago, that explains everything you need to know: ELMAH security and allowRemoteAccess explained. Basically, you will need to install the Elmah.MVC package and add app settings like this:
<appSettings>
<add key="elmah.mvc.requiresAuthentication" value="true" />
<add key="elmah.mvc.allowedRoles" value="Admin" />
<add key="elmah.mvc.allowedUsers" value="Thomas" />
</appSettings>
I have been tasked to write a proof of concept for using Amazon's DynamoDB service to store ASP.NET session state. I downloaded Amazon's local DynamoDB server from here, and got it running successfully. I created a test MVC website, and added the following NuGet packages.
<package id="AWS.SessionProvider" version="3.1.0.2" targetFramework="net461" />
<package id="AWSSDK.Core" version="3.1.4.3" targetFramework="net461" />
<package id="AWSSDK.DynamoDBv2" version="3.1.4.0" targetFramework="net461" />
I added the following to web.config.
<sessionState mode="Custom" customProvider="DynamoDB">
<providers>
<add name="DynamoDB" type="Amazon.SessionProvider.DynamoDBSessionStateStore" AWSProfileName="" Region="" />
</providers>
</sessionState>
Now I'm stuck. Amazon's documentation for local DynamoDB only talks about defining the service URL, not profile or region settings. Amazon's documentation for the session provider only talks about using a real online DynamoDB service with real credentials. The only mention I can find online of setting the service URL assumes that you are creating a DynamoDB client in code for arbitrary data access. I can't seem to find any overlap between these three concepts. Can anyone tell me how to configure local DynamoDB only as a session provider without referencing real Amazon credentials or regions?
Set the attribute ServiceUrl="http://localhost:8000/"
<sessionState timeout="20" mode="Custom" customProvider="DynamoDBSessionStoreProvider">
<providers>
<add
name="DynamoDBSessionStoreProvider"
type="Amazon.SessionProvider.DynamoDBSessionStateStore"
AWSProfileName="default"
AWSAccessKey="must be real"
AWSSecretKey="must be real values"
Region="eu-west-1"
ServiceUrl="http://localhost:8000/" />
</providers>
</sessionState>
Source:
https://github.com/aws/aws-dotnet-session-provider/blob/master/src/DynamoDBSessionStateStore.cs#L87
same log4net appender azure nuget code working fine for console app,
but not working in MVC application.
I'm using this nuget log4net.Appender.Azure 1.1.1
already added log4net.Config.XmlConfigurator.Configure();
in Global.asax
web.config
<log4net>
<!-- Azure Table Appender, uncomment, set proper QueueName and AWS credentials (appSettings) to try it out -->
<appender name="AzureAppender1" type="log4net.Appender.AzureTableAppender, log4net.Appender.Azure">
<param name="TableName" value="test" />
<param name="ConnectionString" value="***" />
<layout type="log4net.Layout.PatternLayout">
<conversionPattern value="%date [%thread] %-5level %logger [%property{NDC}] - %message%newline" />
</layout>
</appender>
Can anyone know why it is not working ?
I am not sure - but I would be a little careful about using Tables for large scale logging scenarios. Take a look at the logging anti-pattern in this Table Design Guide. It can often lead to hot partitions - and often times the scenario is much better supported using Blobs.
Here we go I found that it is problem od log4net dll version.
in nuget log4net appender azure version of log4net dll is 1.2.12 it is the older one. need should be updated to newer version 1.2.13
that solves the above issue.
I have the following configuration in my "web.config":
<customErrors mode="Off">
</customErrors>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<pages>
<namespaces>
<add namespace="System.Web.Helpers" />
<add namespace="System.Web.Mvc" />
<add namespace="System.Web.Mvc.Ajax" />
<add namespace="System.Web.Mvc.Html" />
<add namespace="System.Web.Routing" />
<add namespace="System.Web.WebPages" />
</namespaces>
</pages>
If I have a mistake in my environment clearly shows errors, but when I upload it to windows azure shows the screen where it tells me that I have to put:
<customErrors mode="Off" />
or
<customErrors mode="RemoteOnly" redirectMode="~/file.html" />
and not shows errors. Is there some extra settings that I have to do in "web.config" in "ASP.NET MVC 5" to show the errors?
The default for publishing to Azure is to use the Release configuration. The Release configuration, among other things, disables the yellow screen of death you see in development, because this is information that 1) is potentially dangerous if seen by the wrong person (malicious) and 2) is not user-friendly for the casual user.
If you want to see the errors, then you follow the advice on that page. If your problem is that you have done that, and the errors still aren't showing then #Zabavsky, is probably right; you didn't add it to the configuration that it was deployed with (most likely Release).
However, I would caution you from actually doing that. Like I said earlier, the stack trace shown on error can potentially contain sensitive information that a malicious user could use to compromise your site, and if you turn it on in Release, even if just for a little while to debug, there's a good chance you might forget to turn it off. The ideal is to work out all your bugs in development. For the final verification when deploying to Azure, you can deploy using the Debug configuration (which will show the errors) to a staging version of your site. Then, once everything is good, you can do the final deployment using the Release configuration, instead.
If you want to get the stack trace from errors in production on an ongoing basis, your best bet is to use a tool like ELMAH, which will log exceptions that occur and present them to you in a protected way. By default, that will be only over localhost, which would require that you browse from within the server the site is running on. If you can't do that because you're just using an Azure Website instead of a virtual machine, then you can also enable access to a certain user role, or only via a certain IP (your static IP).
I'm looking to secure an ASP.NET MVC application with SSL and client certificate authentication. I'm using IIS 7.5, Windows Server 2008 R2.
I'd like to know whether it's possible to do the following through Web.config (it has to be through there!)
Require SSL communication for all requests
Map multiple client certificates to a single user
Require the user to be authenticated
Also, any pointers on how to go on about doing this, any tutorials or other relevant resources will be much appreciated as I'm new to pretty much all of these things.
So, to answer my own questions.. all of the above can be achieved through the Web.config. The following section of the Web.config requires SSL through the system/access section, and configures many-to-one client certificate mapping. These sections are locked in the applicationHost.config so anyone wishing to edit them in the Web.config will need to unlock them. There are many tutorials on that so I won't go into it.
<security>
<access sslFlags="Ssl, SslNegotiateCert" />
<authentication>
<anonymousAuthentication enabled="false" />
<iisClientCertificateMappingAuthentication enabled="true" manyToOneCertificateMappingsEnabled="true">
<manyToOneMappings>
<add name="Authentication Certificate"
enabled="true"
permissionMode="Allow"
userName="foo"
password="bar">
<rules>
<add certificateField="Issuer" certificateSubField="CN" matchCriteria="*.stackoverflow.com" compareCaseSensitive="false" />
</rules>
</add>
</manyToOneMappings>
</iisClientCertificateMappingAuthentication>
</authentication>
</security>
Going in order:
Require SSL communication for all requests - Yes. In IIS, set the site with only an https binding, and delete the http binding. The site will not respond to http requests. If you do this, you should create a script to redirect 403.4 errors from http://mysite.com to https://mysite.com. You can find many examples of how to do this using various tools.
Map multiple client certificates to a single user - I dunno. I will pass on this one.
Require the user to be authenticated - Yes. In the web.config file, in the <system.web> element, add the following:
<authorization>
<deny users="?"/>
</authorization>