[pmwiki-users] How to restrict auth to secure connections

Daniel Rubin Daniel.Frederik.Rubin at scai.fraunhofer.de
Thu Aug 31 02:48:28 CDT 2006

Bart wrote:
> On Thu, Aug 17, 2006 at 10:27:06AM +0200, Daniel Rubin wrote:
> | Greetings, everyone.
> | 
> | I'd like to restrict authentication to my wiki such that
> |   * login is only permitted from connections via https or from
> |     the local network
> |   * the authentication form is also only shown under these
> |     circumstances.
> | 
> | Which is the best way to achieve this?
> | I'm using pmwiki-2.1.11 with AuthUser (with htpasswd file), served by an 
> | Apache on a linux box.
> | 
> | I'll be grateful for any good advice, hints or suggestions.
> | 
> | Have fun,
> | ----Daniel
> Hi Daniel, 
> Don't know if this will work for you, but thought it might be useful. 
>>From http://pmwiki.org/wiki/Cookbook/AuthUser:
> ------
> Using AuthUser with Apache Basic Authentication (BA) 
> I have a wiki that runs inside an Apache BA protected realm, so by the time
> the user reaches the wiki, they have been authenticated. I do not want them
> to have to re-enter their passwords, and I want to be able to control access
> to pages by password groups. As I write this, AuthUser is not able to read
> Apache .htgroup files, but AuthUser does have its own group mechanism.
> Getting the two to work together requires this addition to the wiki's
> config.php file:
>  ## turn on the PmWiki authentication
>     include_once("$FarmD/scripts/authuser.php");
>  ##if someone has authenticated using Apache BA, then use that for local
> auth
>     if (@$_SERVER['REMOTE_USER'])
>         AuthUserId($pagename, $_SERVER['REMOTE_USER']);
> ------
> So you can secure the access to your site in https with a .htaccess file
> asking for the credentials. Apache will accept or reject access. after that
> PmWiki will grand or reject access on the credentials you did set in your
> config.php e.g. $DefaultPasswords['edit']  = array('id:Bart');
> When Bart is authenticated through .htaccess PmWiki doesn't ask any password
> but gives edit permission right away. 
> The trick is that you now have to prevent the PmWiki login screen showing
> up, else users can still authenticate via http.
> On quick and dirty trick is editing Site.AuthForm tossing out the form stuff
> and putting in a message and a link to the .htaccess protected URL of your
> wiki. 
> This may not be 100% bullet proof, so please let me know if this still has
> cavities for what you are intending.
> Bart
> The Netherlands

Hi Bart,
please forgive for letting you wait so long for an answer.  I was out of 
work for a couple of days and only just read your message.

What you propose really looks like a fine concept, but unfortunately 
doesn't suit me needs (as far as I can see).  Using the apache 
authentication would cause a login dialog to pop up on any access to the 
wiki, wouldn't it?  But I want anybody to be able to view wiki pages 
without any fuzz, to have a somehow CMS-like behaviour of the wiki engine.
All I want to do is to ensure that people who have valid login 
credentials don't expose them by logging in through an insecure connection.

I was thinking it should be possible to achieve my goal by a few simple 
lines in config.php.  Is there a $_SERVER variable indicating whether a 
request is from an https connection or not?  I believe I saw something 
concerning the originating IP address, so that would solve halve my problem.

And maybe I could use the AuthUserId function you mentioned in your 
quote from the cookbook, to cancel an authentication after I worked out 
it is illegal because of its source?

Thank you very much for your concern,
have fun!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Daniel.Frederik.Rubin.vcf
Type: text/x-vcard
Size: 310 bytes
Desc: not available
Url : /pipermail/pmwiki-users/attachments/20060831/1529671c/attachment.vcf 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3775 bytes
Desc: S/MIME Cryptographic Signature
Url : /pipermail/pmwiki-users/attachments/20060831/1529671c/attachment.bin 

More information about the pmwiki-users mailing list