SID-01353: twiki apache redirect to login script for any url
Status: Answered
TWiki version: 5.1.0
Perl version: 5.8
Category: CategoryAuthentication
Server OS: Linux
Last update: 11 years ago
Hi,
Can someone please explain the steps to configure Apache to make the TWiki site redirect to the login script for authentication on any URL hit?
Thanks,
Sirnivas.M
--
TWikiGuest - 2011-12-17
Discussion and Answer
Adding more to the discussion -
Right now my setup is prompting with the httpd basic login window. Instead of that, I want to use the bin/login script for authentication by default. I want an httpd snippet for this.
Thanks,
Srinivas.M
--
TWikiGuest - 2011-12-17
If you want Apache auth (the small login dialog box) to appear for all TWiki interaction, you need to configure the whole twiki/bin and twiki/pub directory to require authentication.
Here is an example twiki.conf file:
# The ScriptAlias defines the bin directory as a directory where CGI
# scripts are allowed.
# The first parameter will be part of the URL to your installation e.g.
# http://example.com/twiki/bin/view/...
# The second parameter must point to the physical path on your disc.
ScriptAlias /do "/var/www/twiki/bin"
# The Alias defines a url that points to the root of the twiki installation.
# It is used to access files in the pub directory (attachments etc)
# It must come _after_ the ScriptAlias.
Alias /twiki/pub "/var/www/twiki/pub"
# Secure attachments
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/+twiki/+pub/+(TWiki|Main|Sandbox)/+.+
RewriteRule ^/+twiki/+pub/+(.*)$ /do/viewfile/$1 [L,PT]
# This specifies the options on the TWiki scripts directory. The ExecCGI
# and SetHandler tell apache that it contains scripts. "Allow from all"
# lets any IP address access this URL.
<Directory "/var/www/twiki/bin">
AllowOverride All
Order Allow,Deny
Allow from all
Options ExecCGI FollowSymLinks
SetHandler cgi-script
AuthUserFile /var/www/twiki/data/.htpasswd
AuthName 'TWiki (use a WikiName)'
AuthType Basic
# File to return on access control error (e.g. wrong password)
# By convention this is the TWikiRegistration page, that allows users
# to register with the TWiki. Apache requires this to be a *local* path.
# ErrorDocument 401 /twiki/bin/view/TWiki/TWikiRegistration
ErrorDocument 401 /error.html
# Require authentication for all scripts
<FilesMatch ".*">
require valid-user
</FilesMatch>
</Directory>
# This sets the options on the pub directory, which contains attachments and
# other files like CSS stylesheets and icons. AllowOverride None stops a
# user installing a .htaccess file that overrides these options.
# Note that files in pub are *not* protected by TWiki Access Controls,
# so if you want to control access to files attached to topics you need to
# block access to the specific directories same way as the ApacheConfigGenerator
# blocks access to the pub directory of the Trash web
<Directory "/var/www/twiki/pub">
Options +FollowSymLinks
AllowOverride None
Order Allow,Deny
Allow from all
Deny from env=blockAccess
# This line will redefine the mime type for the most common types of scripts
# It will also deliver HTML files as if they are text files
# AddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi
# removed ".htm" to fix TinyMCE integration problem DA 2007-09-16
AddType text/plain .html .shtml .php .php3 .phtml .phtm .pl .py .cgi
AuthUserFile /var/www/twiki/data/.htpasswd
AuthName 'TWIKI.NET Intranet (use WikiName)'
AuthType Basic
# Require authentication for all attachments
require valid-user
</Directory>
--
PeterThoeny - 2011-12-18
Thanks for the reply, Peter.
Right now, I have the same setup. Now, I want to move from Apache auth (the small login dialog box) to TWiki template login. Whenever a user hits any topic or accesses any pub and bin directory content, I want to open the template login window for authentication.
Is this possible?
-Srinivas.M
--
TWikiGuest - 2011-12-19
Use the ApacheConfigGenerator to generate the apache config file for template login.
Then run configure, set {LoginManager} to TWiki::LoginManager::TemplateLogin, and add all twiki/bin scripts to the {AuthScripts} setting except for login and resetpasswd.
--
PeterThoeny - 2011-12-19
OK. I have tried this.
Following is the generated file. From the snippet below, I observed that there is no authentication step that invokes the login script for any data folder topic view/hit.
The only two sections having authentication steps are the bin and pub folders, and those too have AuthType as Basic. So it simply asks with the Apache-type login prompt.
May I know, is this wrong, or am I interpreting it wrong?
Following is my twiki setup:
Root: . /home/web/twiki
Please let us know.
====================
# Autogenerated httpd.conf file for TWiki.
# Generated at http://twiki.org/cgi-bin/view/TWiki/ApacheConfigGenerator
# We set an environment variable called blockAccess.
#
# Setting a BrowserMatchNoCase to ^$ is important. It prevents TWiki from
# including its own topics as URLs and also prevents other TWikis from
# doing the same. This is important to prevent the most obvious
# Denial of Service attacks.
#
# You can expand this by adding more BrowserMatchNoCase statements to
# block evil browser agents trying the impossible task of mirroring a twiki
#
# Example:
# BrowserMatchNoCase ^SiteSucker blockAccess
# BrowserMatchNoCase ^$ blockAccess
BrowserMatchNoCase ^Accoona blockAccess
BrowserMatchNoCase ^ActiveAgent blockAccess
BrowserMatchNoCase ^Attache blockAccess
BrowserMatchNoCase BecomeBot blockAccess
BrowserMatchNoCase ^bot blockAccess
BrowserMatchNoCase Charlotte/ blockAccess
BrowserMatchNoCase ^ConveraCrawler blockAccess
BrowserMatchNoCase ^CrownPeak-HttpAgent blockAccess
BrowserMatchNoCase ^EmailCollector blockAccess
BrowserMatchNoCase ^EmailSiphon blockAccess
BrowserMatchNoCase ^e-SocietyRobot blockAccess
BrowserMatchNoCase ^Exabot blockAccess
BrowserMatchNoCase ^FAST blockAccess
BrowserMatchNoCase ^FDM blockAccess
BrowserMatchNoCase ^GetRight/6.0a blockAccess
BrowserMatchNoCase ^GetWebPics blockAccess
BrowserMatchNoCase ^Gigabot blockAccess
BrowserMatchNoCase ^gonzo1 blockAccess
BrowserMatchNoCase ^Google\sSpider blockAccess
BrowserMatchNoCase ^ichiro blockAccess
BrowserMatchNoCase ^ie_crawler blockAccess
BrowserMatchNoCase ^iGetter blockAccess
BrowserMatchNoCase ^IRLbot blockAccess
BrowserMatchNoCase Jakarta blockAccess
BrowserMatchNoCase ^Java blockAccess
BrowserMatchNoCase ^KrakSpider blockAccess
BrowserMatchNoCase ^larbin blockAccess
BrowserMatchNoCase ^LeechGet blockAccess
BrowserMatchNoCase ^LinkWalker blockAccess
BrowserMatchNoCase ^Lsearch blockAccess
BrowserMatchNoCase ^Microsoft blockAccess
BrowserMatchNoCase ^MJ12bot blockAccess
BrowserMatchNoCase MSIECrawler blockAccess
BrowserMatchNoCase ^MSRBOT blockAccess
BrowserMatchNoCase ^noxtrumbot blockAccess
BrowserMatchNoCase ^NutchCVS blockAccess
BrowserMatchNoCase ^RealDownload blockAccess
BrowserMatchNoCase ^Rome blockAccess
BrowserMatchNoCase ^Roverbot blockAccess
BrowserMatchNoCase ^schibstedsokbot blockAccess
BrowserMatchNoCase ^Seekbot blockAccess
BrowserMatchNoCase ^SiteSnagger blockAccess
BrowserMatchNoCase ^SiteSucker blockAccess
BrowserMatchNoCase ^Snapbot blockAccess
BrowserMatchNoCase ^sogou blockAccess
BrowserMatchNoCase ^SpiderKU blockAccess
BrowserMatchNoCase ^SpiderMan blockAccess
BrowserMatchNoCase ^Squid blockAccess
BrowserMatchNoCase ^Teleport blockAccess
BrowserMatchNoCase ^User-Agent\: blockAccess
BrowserMatchNoCase VoilaBot blockAccess
BrowserMatchNoCase ^voyager blockAccess
BrowserMatchNoCase ^W3C blockAccess
BrowserMatchNoCase ^w3search blockAccess
BrowserMatchNoCase ^Web\sDownloader blockAccess
BrowserMatchNoCase ^WebCopier blockAccess
BrowserMatchNoCase ^WebDevil blockAccess
BrowserMatchNoCase ^WebSec blockAccess
BrowserMatchNoCase ^WebVac blockAccess
BrowserMatchNoCase ^Webwhacker blockAccess
BrowserMatchNoCase ^Webzip blockAccess
BrowserMatchNoCase ^Wells blockAccess
BrowserMatchNoCase ^WhoWhere blockAccess
BrowserMatchNoCase www\.netforex\.org blockAccess
BrowserMatchNoCase ^WX_mail blockAccess
BrowserMatchNoCase ^yacybot blockAccess
BrowserMatchNoCase ^ZIBB blockAccess
BrowserMatchNoCase ^$ blockAccess
<IfModule mod_perl.c>
# Mod_perl preloading
PerlSwitches -T
</IfModule>
# The ScriptAlias defines the bin directory as a directory where CGI
# scripts are allowed.
# The first parameter will be part of the URL to your installation e.g.
# http://example.com/twiki/bin/view/...
# The second parameter must point to the physical path on your disc.
ScriptAlias /twiki/bin "/home/web/twiki/bin"
# The Alias defines a url that points to the twiki pub directory, which
# is the root of file attachments.
Alias /twiki/pub "/home/web/twiki/pub"
# This specifies the options on the TWiki scripts directory. The ExecCGI
# and SetHandler tell apache that it contains scripts. "Allow from all"
# lets any IP address access this URL.
<Directory "/home/web/twiki/bin">
AllowOverride None
Order Allow,Deny
Allow from all
Deny from env=blockAccess
Options ExecCGI FollowSymLinks
SetHandler cgi-script
# Password file for TWiki users
AuthUserFile /home/web/twiki/data/.htpasswd
AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith)'
AuthType Basic
# File to return on access control error (e.g. wrong password)
ErrorDocument 401 /twiki/bin/view/TWiki/TWikiRegistration
# Limit access to configure to specific IP addresses and or users.
# Make sure configure is not open to the general public.
# It exposes system details that can help attackers.
<FilesMatch "^(configure)$">
SetHandler cgi-script
Order Deny,Allow
Deny from all
Allow from localhost 10.10.19.175
Require user srini
Satisfy Any
</FilesMatch>
</Directory>
# This sets the options on the pub directory, which contains attachments and
# other files like CSS stylesheets and icons. AllowOverride None stops a
# user installing a .htaccess file that overrides these options.
# Note that files in pub are not protected by TWiki Access Controls,
# so if you want to control access to files attached to topics you need to
# block access to the specific directories same way as the ApacheConfigGenerator
# blocks access to the pub directory of the Trash web
<Directory "/home/web/twiki/pub">
Options None
AllowOverride None
Order Allow,Deny
Allow from all
Deny from env=blockAccess
# Disable execution of PHP scripts
php_admin_flag engine off
# This line will redefine the mime type for the most common types of scripts
AddType text/plain .shtml .php .php3 .phtml .phtm .pl .py .cgi
#
#add an Expires header that is sufficiently in the future that the browser does not even ask if its uptodate
# reducing the load on the server significantly
#IF you can, you should enable this - it will improve your twiki experience, even if you set it to under one day.
# you may need to enable expires_module in your main apache config
#LoadModule expires_module libexec/httpd/mod_expires.so
#AddModule mod_expires.c
#<ifmodule mod_expires.c>
# <filesmatch "\.(jpg|gif|png|css|js)$">
# ExpiresActive on
# ExpiresDefault "access plus 11 days"
# </filesmatch>
#</ifmodule>
#
</Directory>
--
TWikiGuest - 2011-12-19
Can someone please help me?
--
TWikiGuest - 2011-12-19
Hi,
I want the TWiki login template page to be opened for authentication to view my TWiki site.
Right now, I have an Apache basic authentication setup which opens a small login dialog box whenever someone hits any topic. Instead, I want to use the template login page for authentication before viewing a topic/page.
Can someone assist me to get this up?
It would be helpful if someone could provide an Apache config file. I have TWiki installed in the /home/web/twiki folder.
Thanks,
Srinivas.M
--
TWikiGuest - 2011-12-20
I moved the above comment from a new support item and deleted the support item. Please do not cross-post the same question.
--
PeterThoeny - 2011-12-19
--
PeterThoeny - 2011-12-20
Hey Peter,
It would be great if you could assist with this. I hope my question is clear.
Thanks,
Srinivas.M
--
TWikiGuest - 2011-12-21
Hello Srinivas,
You are asking for two different things.
To configure the Template login, use the configure script http://yourtwikisite/twiki/bin/configure and set the parameter {LoginManager} to TWiki::LoginManager::TemplateLogin.
To make the Template login be presented to every user that wants to view any topic, you should modify the access permission, maybe the ALLOWWEBVIEW=SomeGroup parameter in the WebPreferences topics in every web. The point is to restrict the VIEW action, forcing everyone to log in before being able to see anything.
--
EnriqueCadalso - 2012-02-02
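The following is an added example, not part of the thread or of TWiki's code: a small checker that reports which Require directive Apache would enforce for a given script or attachment, which is what decides whether the Basic dialog box appears before TWiki's own login manager can act. The two sample configs are constructed, condensed from the configs posted earlier in this thread; the function names are hypothetical, and the check deliberately ignores Satisfy, Location sections, includes and .htaccess files.

```python
import re

SECTION_OPEN = re.compile(r'<(\w+)\s+"?([^">]+)"?\s*>')
SECTION_CLOSE = re.compile(r'</\w+\s*>')
REQUIRE = re.compile(r'require\s+(.+)', re.I)

# Constructed samples, condensed from the two configs posted in this thread.
APACHE_LOGIN = '''
<Directory "/var/www/twiki/bin">
  AuthType Basic
  <FilesMatch ".*">
    require valid-user
  </FilesMatch>
</Directory>
<Directory "/var/www/twiki/pub">
  require valid-user
</Directory>'''
TEMPLATE_LOGIN = '''
<Directory "/home/web/twiki/bin">
  AuthType Basic
  <FilesMatch "^(configure)$">
    Require user srini
  </FilesMatch>
</Directory>'''

def require_directives(conf_text):
    """Yield (enclosing sections, arguments) for each active Require line."""
    stack = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # skip blanks and commented-out directives
        opened = SECTION_OPEN.match(line)
        if opened:
            stack.append((opened.group(1).lower(), opened.group(2).strip()))
        elif SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
        elif REQUIRE.match(line):
            yield list(stack), REQUIRE.match(line).group(1).strip()

def apache_challenges(conf_text, directory, filename):
    """Return the Require arguments Apache enforces for directory/filename, or None."""
    for sections, args in require_directives(conf_text):
        if all((directory + '/').startswith(arg.rstrip('/') + '/') if kind == 'directory'
               else re.search(arg, filename) if kind == 'filesmatch' else True
               for kind, arg in sections):
            return args
    return None
```

A `None` result for `view` means Apache passes the request through without its own password prompt, so any login prompt has to come from the `{LoginManager}` setting and the TWiki access controls described above.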
Closing this question after more than 30 days of inactivity. Feel free to reopen if needed. Consider engaging one of the TWiki consultants if you need timely help. We invite you to get involved with the community, it is more likely you get community support if you support the open source project!
--
PeterThoeny - 2012-07-01