
SID-01353: twiki apache redirect to login script for any url

Status: Answered
TWiki version: 5.1.0
Perl version: 5.8
Category: CategoryAuthentication
Server OS: Linux
Last update: 11 years ago

Hi,

Can someone please explain the steps to configure Apache to make the TWiki site redirect to the login script for authentication for any URL hit?

Thanks, Srinivas.M

-- TWikiGuest - 2011-12-17

Discussion and Answer

Adding more to the discussion -

Right now my setup is prompting with the httpd basic login window. Instead of that, I want to use the bin/login script for authentication by default. I want an httpd snippet for this.

Thanks, Srinivas.M

-- TWikiGuest - 2011-12-17

If you want Apache auth (the small login dialog box) to appear for all TWiki interaction, you need to configure the whole twiki/bin and twiki/pub directory to require authentication.

Here is an example twiki.conf file:

# The ScriptAlias defines the bin directory as a directory where CGI
# scripts are allowed.
# The first parameter will be part of the URL to your installation e.g.
# http://example.com/twiki/bin/view/...
# The second parameter must point to the physical path on your disc.
ScriptAlias /do "/var/www/twiki/bin"

# The Alias defines a url that points to the root of the twiki installation.
# It is used to access files in the pub directory (attachments etc)
# It must come _after_ the ScriptAlias.
Alias /twiki/pub "/var/www/twiki/pub"

# Secure attachments
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/+twiki/+pub/+(TWiki|Main|Sandbox)/+.+
RewriteRule ^/+twiki/+pub/+(.*)$  /do/viewfile/$1 [L,PT]

# This specifies the options on the TWiki scripts directory. The ExecCGI
# and SetHandler tell apache that it contains scripts. "Allow from all"
# lets any IP address access this URL.
<Directory "/var/www/twiki/bin">
    AllowOverride All
    Order Allow,Deny
    Allow from all

    Options ExecCGI FollowSymLinks
    SetHandler cgi-script

    AuthUserFile /var/www/twiki/data/.htpasswd
    AuthName 'TWiki (use a WikiName)'
    AuthType Basic

    # File to return on access control error (e.g. wrong password)
    # By convention this is the TWikiRegistration page, that allows users
    # to register with the TWiki. Apache requires this to be a *local* path.
    # ErrorDocument 401 /twiki/bin/view/TWiki/TWikiRegistration
    ErrorDocument 401 /error.html

    # Require authentication for all scripts
    <FilesMatch ".*">
        require valid-user
    </FilesMatch>

</Directory>

# This sets the options on the pub directory, which contains attachments and
# other files like CSS stylesheets and icons. AllowOverride None stops a
# user installing a .htaccess file that overrides these options.
# Note that files in pub are *not* protected by TWiki Access Controls,
# so if you want to control access to files attached to topics you need to
# block access to the specific directories same way as the ApacheConfigGenerator
# blocks access to the pub directory of the Trash web
<Directory "/var/www/twiki/pub">
    Options +FollowSymLinks
    AllowOverride None
    Order Allow,Deny
    Allow from all
    Deny from env=blockAccess

    # This line will redefine the mime type for the most common types of scripts
    # It will also deliver HTML files as if they are text files
    # AddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi
    # removed ".htm" to fix TinyMCE integration problem DA 2007-09-16
    AddType text/plain .html .shtml .php .php3 .phtml .phtm .pl .py .cgi

    AuthUserFile /var/www/twiki/data/.htpasswd
    AuthName 'TWIKI.NET Intranet (use WikiName)'
    AuthType Basic

    # Require authentication for all attachments
    require valid-user

</Directory>

-- PeterThoeny - 2011-12-18

Thanks for the reply, Peter.

Right now, I have the same setup. Now, I want to move from Apache auth (the small login dialog box) to TWiki template login. Whenever a user hits any topic or accesses any pub and bin directory content, I want to open the template login window for authentication.

Is this possible?

-Srinivas.M

-- TWikiGuest - 2011-12-19

Use the ApacheConfigGenerator to generate the apache config file for template login.

Then run configure, set {LoginManager} to TWiki::LoginManager::TemplateLogin, and add all twiki/bin scripts to the {AuthScripts} setting except for login and resetpasswd.

-- PeterThoeny - 2011-12-19

OK. I have tried this.

Following is the generated file. From the snippet below, I observed that there is no authentication step that invokes the login script for any data folder topic view/hit.

The only two sections having authentication steps are the bin and pub folders, and those too have AuthType as Basic. So it simply asks with the Apache-type login prompt.

May I know whether this is wrong, or am I interpreting it wrong?

Following is my twiki setup:

Root: . /home/web/twiki

Please let us know.

====================

# Autogenerated httpd.conf file for TWiki.
# Generated at http://twiki.org/cgi-bin/view/TWiki/ApacheConfigGenerator

# We set an environment variable called blockAccess.
#
# Setting a BrowserMatchNoCase to ^$ is important. It prevents TWiki from
# including its own topics as URLs and also prevents other TWikis from
# doing the same. This is important to prevent the most obvious
# Denial of Service attacks.
#
# You can expand this by adding more BrowserMatchNoCase statements to
# block evil browser agents trying the impossible task of mirroring a twiki
#
# Example:
# BrowserMatchNoCase ^SiteSucker blockAccess
# BrowserMatchNoCase ^$ blockAccess

BrowserMatchNoCase ^Accoona blockAccess
BrowserMatchNoCase ^ActiveAgent blockAccess
BrowserMatchNoCase ^Attache blockAccess
BrowserMatchNoCase BecomeBot blockAccess
BrowserMatchNoCase ^bot blockAccess
BrowserMatchNoCase Charlotte/ blockAccess
BrowserMatchNoCase ^ConveraCrawler blockAccess
BrowserMatchNoCase ^CrownPeak-HttpAgent blockAccess
BrowserMatchNoCase ^EmailCollector blockAccess
BrowserMatchNoCase ^EmailSiphon blockAccess
BrowserMatchNoCase ^e-SocietyRobot blockAccess
BrowserMatchNoCase ^Exabot blockAccess
BrowserMatchNoCase ^FAST blockAccess
BrowserMatchNoCase ^FDM blockAccess
BrowserMatchNoCase ^GetRight/6.0a blockAccess
BrowserMatchNoCase ^GetWebPics blockAccess
BrowserMatchNoCase ^Gigabot blockAccess
BrowserMatchNoCase ^gonzo1 blockAccess
BrowserMatchNoCase ^Google\sSpider blockAccess
BrowserMatchNoCase ^ichiro blockAccess
BrowserMatchNoCase ^ie_crawler blockAccess
BrowserMatchNoCase ^iGetter blockAccess
BrowserMatchNoCase ^IRLbot blockAccess
BrowserMatchNoCase Jakarta blockAccess
BrowserMatchNoCase ^Java blockAccess
BrowserMatchNoCase ^KrakSpider blockAccess
BrowserMatchNoCase ^larbin blockAccess
BrowserMatchNoCase ^LeechGet blockAccess
BrowserMatchNoCase ^LinkWalker blockAccess
BrowserMatchNoCase ^Lsearch blockAccess
BrowserMatchNoCase ^Microsoft blockAccess
BrowserMatchNoCase ^MJ12bot blockAccess
BrowserMatchNoCase MSIECrawler blockAccess
BrowserMatchNoCase ^MSRBOT blockAccess
BrowserMatchNoCase ^noxtrumbot blockAccess
BrowserMatchNoCase ^NutchCVS blockAccess
BrowserMatchNoCase ^RealDownload blockAccess
BrowserMatchNoCase ^Rome blockAccess
BrowserMatchNoCase ^Roverbot blockAccess
BrowserMatchNoCase ^schibstedsokbot blockAccess
BrowserMatchNoCase ^Seekbot blockAccess
BrowserMatchNoCase ^SiteSnagger blockAccess
BrowserMatchNoCase ^SiteSucker blockAccess
BrowserMatchNoCase ^Snapbot blockAccess
BrowserMatchNoCase ^sogou blockAccess
BrowserMatchNoCase ^SpiderKU blockAccess
BrowserMatchNoCase ^SpiderMan blockAccess
BrowserMatchNoCase ^Squid blockAccess
BrowserMatchNoCase ^Teleport blockAccess
BrowserMatchNoCase ^User-Agent\: blockAccess
BrowserMatchNoCase VoilaBot blockAccess
BrowserMatchNoCase ^voyager blockAccess
BrowserMatchNoCase ^W3C blockAccess
BrowserMatchNoCase ^w3search blockAccess
BrowserMatchNoCase ^Web\sDownloader blockAccess
BrowserMatchNoCase ^WebCopier blockAccess
BrowserMatchNoCase ^WebDevil blockAccess
BrowserMatchNoCase ^WebSec blockAccess
BrowserMatchNoCase ^WebVac blockAccess
BrowserMatchNoCase ^Webwhacker blockAccess
BrowserMatchNoCase ^Webzip blockAccess
BrowserMatchNoCase ^Wells blockAccess
BrowserMatchNoCase ^WhoWhere blockAccess
BrowserMatchNoCase www\.netforex\.org blockAccess
BrowserMatchNoCase ^WX_mail blockAccess
BrowserMatchNoCase ^yacybot blockAccess
BrowserMatchNoCase ^ZIBB blockAccess
BrowserMatchNoCase ^$ blockAccess

<IfModule mod_perl.c>
    # Mod_perl preloading
    PerlSwitches -T
</IfModule>

# The ScriptAlias defines the bin directory as a directory where CGI
# scripts are allowed.
# The first parameter will be part of the URL to your installation e.g.
# http://example.com/twiki/bin/view/...
# The second parameter must point to the physical path on your disc.
ScriptAlias /twiki/bin "/home/web/twiki/bin"

# The Alias defines a url that points to the twiki pub directory, which
# is the root of file attachments.
Alias /twiki/pub "/home/web/twiki/pub"

# This specifies the options on the TWiki scripts directory. The ExecCGI
# and SetHandler tell apache that it contains scripts. "Allow from all"
# lets any IP address access this URL.
<Directory "/home/web/twiki/bin">
    AllowOverride None
    Order Allow,Deny
    Allow from all
    Deny from env=blockAccess

    Options ExecCGI FollowSymLinks
    SetHandler cgi-script

    # Password file for TWiki users
    AuthUserFile /home/web/twiki/data/.htpasswd
    AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith)'
    AuthType Basic

    # File to return on access control error (e.g. wrong password)
    ErrorDocument 401 /twiki/bin/view/TWiki/TWikiRegistration

    # Limit access to configure to specific IP addresses and or users.
    # Make sure configure is not open to the general public.
    # It exposes system details that can help attackers.
    <FilesMatch "^(configure)$">
        SetHandler cgi-script
        Order Deny,Allow
        Deny from all
        Allow from localhost 10.10.19.175
        Require user srini
        Satisfy Any
    </FilesMatch>

</Directory>

# This sets the options on the pub directory, which contains attachments and
# other files like CSS stylesheets and icons. AllowOverride None stops a
# user installing a .htaccess file that overrides these options.
# Note that files in pub are not protected by TWiki Access Controls,
# so if you want to control access to files attached to topics you need to
# block access to the specific directories same way as the ApacheConfigGenerator
# blocks access to the pub directory of the Trash web
<Directory "/home/web/twiki/pub">
    Options None
    AllowOverride None
    Order Allow,Deny
    Allow from all
    Deny from env=blockAccess

    # Disable execution of PHP scripts
    php_admin_flag engine off

    # This line will redefine the mime type for the most common types of scripts
    AddType text/plain .shtml .php .php3 .phtml .phtm .pl .py .cgi
    #
    #add an Expires header that is sufficiently in the future that the browser does not even ask if its uptodate
    # reducing the load on the server significantly
    #IF you can, you should enable this - it will improve your twiki experience, even if you set it to under one day.
    # you may need to enable expires_module in your main apache config
    # expires_module libexec/httpd/mod_expires.so mod_expires.c
    #<ifmodule mod_expires.c>
    # <filesmatch "\.(jpg|gif|png|css|js)$">
    # ExpiresActive on
    # ExpiresDefault "access plus 11 days"
    # </filesmatch>
    #</ifmodule>
    #

</Directory>

-- TWikiGuest - 2011-12-19
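
Apache only raises the small Basic-auth dialog where a Require directive is in effect; AuthType, AuthName and AuthUserFile on their own do not prompt. The following is an added example, not part of the thread or of TWiki: it lists the scopes of a config that combine AuthType Basic with a Require, run on constructed, abridged copies of the two configs posted above (the function and variable names are hypothetical).

```python
import re

SECTION = re.compile(r'<(/?)(Directory|FilesMatch)(?:\s+"?([^">]+)"?)?\s*>', re.I)

def basic_auth_scopes(conf_text):
    """Scopes that prompt: AuthType Basic (own or inherited) plus a Require."""
    sections, stack = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m and m.group(1):                      # closing tag
            stack.pop()
        elif m:                                   # opening tag
            parent = stack[-1] if stack else None
            path = (parent["path"] + " > " if parent else "") + f"{m.group(2)} {m.group(3)}"
            stack.append({"path": path, "parent": parent, "authtype": None, "require": None})
            sections.append(stack[-1])
        elif stack and line and not line.startswith("#"):
            parts = line.split(None, 1)
            if parts[0].lower() in ("authtype", "require") and len(parts) == 2:
                stack[-1][parts[0].lower()] = parts[1]
    scopes = {}
    for sec in sections:
        node, authtype = sec, None
        while node and authtype is None:          # nearest enclosing AuthType wins
            authtype, node = node["authtype"], node["parent"]
        if sec["require"] and (authtype or "").lower() == "basic":
            scopes[sec["path"]] = sec["require"]
    return scopes

# Constructed samples, abridged from the two configs posted in this thread.
BASIC_EVERYWHERE = """
<Directory "/var/www/twiki/bin">
    AuthType Basic
    <FilesMatch ".*">
        require valid-user
    </FilesMatch>
</Directory>
"""
GENERATED = """
<Directory "/home/web/twiki/bin">
    AuthType Basic
    <FilesMatch "^(configure)$">
        Require user srini
    </FilesMatch>
</Directory>
"""
if __name__ == "__main__":
    print(basic_auth_scopes(BASIC_EVERYWHERE), basic_auth_scopes(GENERATED))
```

On the first sample every script under bin is in a prompting scope; on the second only configure is, and in the full generated file that block also carries Satisfy Any, so requests from the listed addresses pass without a password.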

Can someone please help me?

-- TWikiGuest - 2011-12-19

Hi,

I want the TWiki login template page to be opened for authentication to view my TWiki site.

Right now, I have an Apache basic authentication setup which opens a small login dialog box whenever anyone hits any topic. Instead I want to use the template login page for authentication before viewing a topic/page.

Can someone assist me to get this up?

It could be helpful if someone provided an Apache config file. I have TWiki installed in the /home/web/twiki folder.

Thanks,

Srinivas.M

-- TWikiGuest - 2011-12-20

I moved the above comment from a new support item and deleted the support item. Please do not cross-post the same question.

-- PeterThoeny - 2011-12-19

-- PeterThoeny - 2011-12-20

Hey Peter,

It would be great if you could assist with this. I hope my question is clear.

Thanks, Srinivas.M

-- TWikiGuest - 2011-12-21

Hello Srinivas,

You are asking for two different things.

To configure the Template login use the configure script http://yourtwikisite/twiki/bin/configure and set the parameter {LoginManager} to TWiki::LoginManager::TemplateLogin.

To make the Template login be presented to every user that wants to view any topic, you should modify the access permission, maybe the ALLOWWEBVIEW=SomeGroup parameter in the WebPreferences topics in every web. The point is to restrict the VIEW action, forcing everyone to log in before being able to see anything.

-- EnriqueCadalso - 2012-02-02

Closing this question after more than 30 days of inactivity. Feel free to reopen if needed. Consider engaging one of the TWiki consultants if you need timely help. We invite you to get involved with the community, it is more likely you get community support if you support the open source project!

-- PeterThoeny - 2012-07-01

SupportForm
Status Answered
Title twiki apache redirect to login script for any url
SupportCategory CategoryAuthentication
TWiki version 5.1.0
Server OS Linux
Web server Apache
Perl version 5.8