This question about Authentication or Authorisation: Answered
Force viewauth for retrieval of REMOTE_USER
We are planning to upgrade to Foswiki 2.x. Our Wiki is set up with mod_perl and uses Apache for authentication (using Kerberos). We also enabled AllowLoginName to map our Active Directory accounts to the Wiki accounts. This still seems to work fine in Foswiki 2.x, with one difference:
Before version 2.x of Foswiki we were able to force the retrieval of the %REMOTE_USER% by adding Set DENYTOPICVIEW = WikiGuest. This forced a topic to always use the viewauth script, which retrieves the server environment value REMOTE_USER. The normal view script doesn't.
Previously this method worked when:
- A user was not logged in at that moment; this forces the user to log in
- A user was already logged in, but viewauth is still used, which retrieved the REMOTE_USER value.
Starting with Foswiki 2.x, the only case that still works is:
- A user was not logged in at that moment; this forces the user to log in
When a user is already logged in, adding WikiGuest to DENYTOPICVIEW no longer forces a topic to be viewed with the viewauth script. We use the force viewauth method in, for instance, the User Registration Form. This forces the User form to automatically supply the Active Directory account in "login username" (which requires the retrieval of the server environment REMOTE_USER value). We could force the viewauth for each applicable topic by creating redirects for each topic in Apache. But adding the DENYTOPICVIEW = WikiGuest was far more convenient.
How could we restore this functionality? Was there some change in the default settings of configure (I already tried setting Enable Deprecated Empty Deny, but this did not make any difference)? Or was it removed by design?
--
NathanSanders - 03 Nov 2015
REMOTE_USER, as you indicate, is only ever set by Apache for scripts that "require" authentication. I don't recall that we've ever redirected every remote request from view to viewauth once the user has a session. That would be a horrible overhead. We trust the session information. Once a user is authenticated in the session, we don't continue to redirect. There would be other issues as well. Redirects for POST-type requests convert them to GETs, so Foswiki has to do a lot of processing to cache the original request when redirecting to get authentication. I'm fairly certain that our behaviour in this area has not changed.
I'm not quite sure what to suggest for a solution. Could you consider using %USERNAME% instead of %REMOTE_USER%? Redirecting for every request for already authenticated users would be an issue.
--
GeorgeClark - 24 Nov 2015
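The answer above turns on one point: Apache only populates REMOTE_USER for requests that pass through a section with a Require directive, so the unauthenticated view script never carries it while viewauth does. The fragment below is an added illustration of that split, written for this page; it is not from the thread or from the Foswiki project's own Apache configuration generator. It assumes mod_auth_kerb directive names, and the directory path, realm name and keytab path are placeholders.

```apache
# Added example (not from the thread or the Foswiki project):
# Apache fragment that requires Kerberos (SPNEGO) only for the Foswiki
# scripts that need an authenticated user. REMOTE_USER is set solely
# for requests handled inside the FilesMatch block; the plain "view"
# script is deliberately left outside it, so a request to
# /bin/view/... never sees REMOTE_USER even when a session exists.
# Path, realm and keytab below are placeholders.

<Directory "/var/www/foswiki/bin">
    Options +ExecCGI
    AllowOverride None
    # Anonymous by default: "view" and anything else not matched below
    # relies on the Foswiki session cookie for the user's identity.
    Require all granted

    # Scripts that must run with an Apache-authenticated user.
    # The innermost Require wins, so these override "Require all granted".
    <FilesMatch "^(viewauth|edit|save|attach|upload|rename|manage|rest|login|logon)$">
        AuthType Kerberos
        AuthName "Corporate Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP
        Krb5Keytab /etc/httpd/http.keytab
        Require valid-user
    </FilesMatch>
</Directory>
```

With this layout, a topic that needs the Kerberos principal (such as the registration form mentioned in the question) can be linked through the viewauth script directly, rather than depending on an access-control denial to trigger the redirect; requests through view continue to be served from the session, which is the behaviour the answer describes.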