[pmwiki-users] How to restrict auth to secure connections

Bart pmwiki-users at mediamatrix.nl
Wed Aug 23 07:29:39 CDT 2006

On Thu, Aug 17, 2006 at 10:27:06AM +0200, Daniel Rubin wrote:
| Greetings, everyone.
| I'd like to restrict authentication to my wiki such that
|   * login is only permitted from connections via https or from
|     the local network
|   * the authentication form is also only shown under these
|     circumstances.
| Which is the best way to achieve this?
| I'm using pmwiki-2.1.11 with AuthUser (with htpasswd file), served by an 
| Apache on a linux box.
| I'll be grateful for any good advice, hints or suggestions.
| Have fun,
| ----Daniel

Hi Daniel, 

Don't know if this will work for you, but thought it might be useful. 

>From http://pmwiki.org/wiki/Cookbook/AuthUser:


Using AuthUser with Apache Basic Authentication (BA) 

I have a wiki that runs inside an Apache BA protected realm, so by the time
the user reaches the wiki, they have been authenticated. I do not want them
to have to re-enter their passwords, and I want to be able to control access
to pages by password groups. As I write this, AuthUser is not able to read
Apache .htgroup files, but AuthUser does have its own group mechanism.
Getting the two to work together requires this addition to the wiki's
config.php file:

 ## turn on the PmWiki authentication
 ##if someone has authenticated using Apache BA, then use that for local
    if (@$_SERVER['REMOTE_USER'])
        AuthUserId($pagename, $_SERVER['REMOTE_USER']);


So you can secure the access to your site in https with a .htaccess file
asking for the credentials. Apache will accept or reject access. after that
PmWiki will grand or reject access on the credentials you did set in your
config.php e.g. $DefaultPasswords['edit']  = array('id:Bart');
When Bart is authenticated through .htaccess PmWiki doesn't ask any password
but gives edit permission right away. 

The trick is that you now have to prevent the PmWiki login screen showing
up, else users can still authenticate via http.

On quick and dirty trick is editing Site.AuthForm tossing out the form stuff
and putting in a message and a link to the .htaccess protected URL of your

This may not be 100% bullet proof, so please let me know if this still has
cavities for what you are intending.

The Netherlands

More information about the pmwiki-users mailing list