Question
We have a company Intranet, https://private.company.com, which is available outside the firewall by password access.
Our twiki is on int.company.com, available only inside the firewall.
I requested making the twiki available on private.company.com.
Our Sys Admin said:
"private.company.com is relatively easy to "secure", as authentication to it is handled at the top level. Twiki on the other hand uses a series of embedded htaccess files. Which means that a mistake made in setting up a web could very easily open up confidential information to the world at large.
The whole point of having a VPN is to create a single (more easily defended) point of entry in front of services whose security may be an issue. File servers, email, and other company-vital resources are behind it, and for obvious reasons. Given its structure I personally refuse to take responsibility for securing a Wiki containing confidential information exposed to the Internet."
Is he correct? Or are we merely unenlightened about how to properly configure things?
Environment
--
VickiBrown - 04 Nov 2004
Answer
Security and authentication depend on how you set up TWiki. In a corporate environment it is almost always better to authenticate against the corporate systems of record (NIS, LDAP, etc.), so that there is a single logon. TWiki can map between login name (jsmith) and WikiName (JohnSmith).
In your case you could put your whole TWiki on private.company.com under https, with users authenticated at the top level (outside TWiki). That is in fact the setup we had on the original TWiki at TakeFive. See more at TWikiUserAuthentication.
--
PeterThoeny - 06 Nov 2004
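The setup the answer describes (authentication at the top level, outside TWiki, with no reliance on per-web .htaccess files) as an added Apache configuration example. This is not code from the original page or from the TWiki project. It assumes Apache httpd 2.4 with mod_ssl, mod_ldap and mod_authnz_ldap loaded; a TWiki install under /var/www/twiki with the usual bin/, pub/, data/ and lib/ subdirectories; an LDAP directory at ldap.company.com with users under ou=people,dc=company,dc=com; and certificate paths chosen for illustration. Hostnames follow the question.

```apache
# Added example, not from the original page or the TWiki project.
# Assumptions: Apache 2.4 (mod_ssl, mod_ldap, mod_authnz_ldap); TWiki under
# /var/www/twiki; LDAP at ldap.company.com; certificate paths are illustrative.

# Plain HTTP only redirects, so Basic credentials never travel unencrypted.
<VirtualHost *:80>
    ServerName private.company.com
    Redirect permanent / https://private.company.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName private.company.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/private.company.com.crt
    SSLCertificateKeyFile /etc/ssl/private/private.company.com.key

    # CGI scripts and attachments are the only parts of the tree given a URL.
    ScriptAlias /twiki/bin /var/www/twiki/bin
    Alias       /twiki/pub /var/www/twiki/pub

    # One authentication stanza covers scripts and attachments alike.
    # Apache sets REMOTE_USER for the CGI scripts, which is the login name
    # TWiki then maps to a WikiName, as the answer describes.
    <Location /twiki>
        SSLRequireSSL
        AuthType Basic
        AuthName "company intranet"
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://ldap.company.com/ou=people,dc=company,dc=com?uid?sub?(objectClass=person)" TLS
        Require valid-user
    </Location>

    # This is the control that answers the sysadmin's objection: with
    # AllowOverride None, any .htaccess file in a web's directory is ignored,
    # so a mistake in one web cannot widen access beyond the stanza above.
    <Directory /var/www/twiki>
        AllowOverride None
        Options None
    </Directory>

    # The topic store and library code have no URL mapping above; deny them
    # explicitly anyway so a future Alias cannot expose them by accident.
    <Directory /var/www/twiki/data>
        Require all denied
    </Directory>
    <Directory /var/www/twiki/lib>
        Require all denied
    </Directory>
</VirtualHost>
```

Two checks are worth running after `apachectl configtest` and a reload: an unauthenticated `curl -I https://private.company.com/twiki/bin/view/Main/WebHome` and an unauthenticated request for a file under /twiki/pub should both return 401, and dropping a permissive .htaccess (for example `Satisfy any` plus `Allow from all` style directives) into a web's pub/ directory should change nothing, which confirms that AllowOverride None is in force. The login-name-to-WikiName mapping stays inside TWiki; only the decision of who gets in at all has moved to the web server.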