To get full value from TWiki a user's identity is often needed. TWiki currently supports the following:

| Method | Comment |
| none - everyone is guest | same as most Wikis, but not knowing who made changes is a significant issue |
| http basic authentication | users have to register, yet another ** username/password |
| Intranet based login via remoteuser | not available on many Intranets |
| Remember remoteUser (variant on above) | assumes 1:1 mapping of IP to user - not valid for multi-user e.g. unix, Windows Terminal Server |

At my company we're getting the user identity and information about them in a very different way; a brief outline:

  • User uses https://
    • User supplies certificate (note IE5.5 does this automatically if there is only one certificate)
    • Certificate checked with LDAP server, if okay we know who user is, otherwise oops ...
    • All change scripts work as we know identity, additionally we can add user preferences that are active for all scripts
  • User uses http:// - for when you don't have a certificate, or just happen to use http
    • View, search etc all work
    • Try edit, upload etc
      • If https hasn't already been tried, do so as above
      • If try https and doesn't work, ask for username/password and check against LDAP entries

In the above scenario the user identity and some other data is stored as a session file on the server. A sessionId is sent back to the browser as a cookie (for my organisation cookies are fine).

Areas of TWiki code that had to be altered:

  • TWiki::initialise - add extra param $query, calls extra initialisation code that gets identity from certificate or from passed in username/password info
  • TWiki::Access::checkAccessPermission - extra code here that forces getting user identity if required but not available
  • Returning http header - rather than print "Content-type: text/html\n\n"; a call is made to a routine, this can return cookie to client if required. (I couldn't manage to get a cookie sent to client on a redirect, even though CGI.pm supports this).

This suggests the following extra plugin calls:

  • initialiseRequest( $query, ... );
  • checkAccessPermission( $accessType, $script, ... );
  • writeHeader( ... );
  • redirect( ... );
  • possibly something to do with session information, or perhaps this should be in core

Thoughts?

-- JohnTalintyre - 03 Apr 2001
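
The session scheme outlined in the post above (identity kept in a session file on the server, only a sessionId sent to the browser as a cookie), as an added example that is not code from the post or from TWiki. The sub names, the one-file-per-session layout and the rule that the cookie is only sent over https are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added illustration, not TWiki code: server-side session keyed by a random sessionId cookie.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Assumption: a directory only the web server user can read (temporary here, removed on exit).
my $SESSION_DIR = tempdir( CLEANUP => 1 );

# 128 bits from the kernel CSPRNG, hex encoded; never derive the id from user name or IP.
sub newSessionId {
    open( my $fh, '<:raw', '/dev/urandom' ) or die "no CSPRNG: $!";
    read( $fh, my $bytes, 16 ) == 16 or die "short read from /dev/urandom";
    close $fh;
    return unpack( 'H*', $bytes );
}

# Store the identity on the server; the browser only ever holds the opaque id.
sub createSession {
    my ($userName) = @_;
    my $id  = newSessionId();
    my $old = umask(0077);    # session file readable by the server user only
    open( my $fh, '>', File::Spec->catfile( $SESSION_DIR, $id ) ) or die "cannot write session: $!";
    umask($old);
    print $fh "$userName\n";
    close $fh;
    return $id;
}

# Accept only ids of the exact shape we issue, so a cookie value can never name another path.
sub userFromSession {
    my ($id) = @_;
    return unless defined $id && $id =~ /\A([0-9a-f]{32})\z/;
    open( my $fh, '<', File::Spec->catfile( $SESSION_DIR, $1 ) ) or return;
    chomp( my $userName = <$fh> );
    close $fh;
    return $userName;
}

# Header routine used in place of print "Content-type: ..."; Secure keeps the id off plain http.
sub writeHeader {
    my ($sessionId) = @_;
    my $h = "Content-type: text/html\n";
    $h .= "Set-Cookie: sessionId=$sessionId; Path=/; Secure; HttpOnly\n" if defined $sessionId;
    return "$h\n";
}

my $id = createSession('JohnTalintyre');    # constructed identity, as if the certificate/LDAP check passed
print writeHeader($id);
print 'valid cookie  -> ', userFromSession($id), "\n";
print 'forged cookie -> ', ( userFromSession('../../etc/passwd') // 'guest' ), "\n";
```

An unknown or malformed sessionId falls back to guest, so the change scripts would then force the certificate or username/password step again.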

Brainstorming here. This looks doable, but we probably need to change the behaviour of the plugin handler. Currently, existing functions of all plugin handlers are called, one after the other. In this case here we need a way to say "execute the plugin function of the last registered handler". That way we can do the default behaviour in DefaultPlugin and it can get overloaded by another plugin.

Alternatively we can keep the current plugin spec and do the default identification stuff in the core. A plugin can change it if needed. This means that it is the responsibility of the admin to install not more than one plugin for identification. Example usage:

Code for view script: (similar for other scripts; changes in red color)

    my $thePathInfo = $query->path_info(); 
    my $theRemoteUser = $query->remote_user();
    my $theTopic = $query->param( 'topic' );
    my $theUrl = $query->url; 
    &TWiki::Plugins::initialiseRequest( $query, $thePathInfo, $theRemoteUser, $theTopic, $theUrl ); 
    ( $topic, $webName, $scriptUrlPath, $userName ) = 
      &TWiki::initialize( $thePathInfo, $theRemoteUser, $theTopic, $theUrl );

Also, we might be able to clean up the core by moving "Remember remoteUser" to a plugin.

-- PeterThoeny - 03 Apr 2001

How about a level between "everyone is guest" and "basic authentication", where a Login page allows a user to enter a name, and then a cookie saves it?

This eliminates the need for passwords, but allows the wiki to associate a name with activities. It works around the problems with remembering remoteUser by IP address.

-- KristopherJohnson - 03 Apr 2001

Topic revision: r4 - 2001-09-19 - MikeMannix