This question about Authentication or Authorisation: Answered

Force viewauth for retrieval of REMOTE_USER

We are planning to upgrade to Foswiki 2.x. Our Wiki is setup with mod_perl and uses apache for authentication (using kerberos). We also enabled AllowLoginName to map our Active Directory accounts to the Wiki accounts. This still seems to work fine in Foswiki 2.x with one difference:

Before version 2.x of Foswiki we were able to force the retrieval of the %REMOTE_USER% by adding Set DENYTOPICVIEW = WikiGuest. This forced a topic to always use the viewauth script, which retrieves the server environment value REMOTE_USER. The normal view script doesn't.

Previously this method worked when:
  1. A user was not logged in at that moment, this forces the user to login
  2. A user was already logged in, but viewauth is used still used which retrieved the REMOTE_USER value/
Starting with Foswiki 2.x, what only works is:
  1. A user was not logged in at that moment, this forces the user to login

When a user is already logged in, adding WikiGuest to DENYTOPICVIEW no longer forces a topic to be viewed with the viewauth script. We use the force viewauth method in, for instance, the User Registration Form. This forces the User form to automatically supply the Active Directory account in "login username" (which requires the retrieval of the server environment REMOTE_USER value). We could force the viewauth for each applicable topic, by creating redirects for each topic in Apache. But adding the DENYTOPICVIEW = WikiGuest was far more convenient.

How could we restore this functionality? Was there some change in the default settings of configure (I already tried setting Enable Deprecated Empty Deny, but this did not make any difference)? Or was it removed by design?

-- NathanSanders - 03 Nov 2015


REMOTE_USER as you indicate, is only ever set by Apache for scripts that "require" authentication. I don't recall that we've ever redirected every remote request from view to viewauth once the user has a session. That would be a horrible overhead. We trust the session information. Once a user is authenticated in the session, we don't continue to redirect. There would be other issues as well. Redirect for POST type requests convert them to GETs, so Foswiki has to do a lot of processing to cache the original request when redirecting to get authentication. I'm fairly certain that our behaviour in this area has not changed.

I'm not quite sure what to suggest for a solution. Could you consider using %USERNAME% instead of %REMOTE_USER%? Redirecting for every request for already authenticated users would be an issue.

-- GeorgeClark - 24 Nov 2015
 

QuestionForm edit

Subject Authentication or Authorisation
Extension
Version Foswiki 2.0.3
Status Answered
Related Topics
Topic revision: r4 - 24 Nov 2015, GeorgeClark - This page was cached on 26 Sep 2017 - 16:40.

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License