Item10341: TemplateLogin doesn't recognise REMOTE_USER if set (in case of dual apache-auth and template auth)

Priority: Enhancement
Current State: Confirmed
Released In: n/a
Target Release: n/a
Codebase: 1.1.2
Applies To: Engine
Component: TemplateLogin
Branches:
Reported By: StefanStidl
Waiting For:
Last Change By: CrawfordCurrie
TemplateLogin has no getUser() method, which causes a problem in the following use case:

  • our wiki is reachable from the intranet as well as the extranet
  • when users come from the intranet, they should browse the wiki without authenticating until they want to change something => I have to use template login
  • when users come from the extranet, they must log in first (via Apache) so we can be sure that no one sees anything without authentication
    • when editing, they should not be forced to log in again (which is the situation at the moment)

Thanks to babar on IRC, there seems to be a simple solution:
by implementing the getUser method in TemplateLogin.pm, we can still ask whether the user is authenticated by some other mechanism and fall back to template login if not.
Sounds easy, huh?

Here's the patch that fixes the problem for me (for stock Foswiki 1.1.2):

--- ../Foswiki-1.1.2/lib/Foswiki/LoginManager/TemplateLogin.pm  2010-11-10 01:29:12.000000000 +0100
+++ lib/Foswiki/LoginManager/TemplateLogin.pm   2011-02-10 21:41:28.891296664 +0100
@@ -286,6 +286,32 @@
     $session->writeCompletePage($tmpl);
 }

+=begin TML
+
+---++ ObjectMethod getUser () -> $authUser
+
+returns the userLogin if stored in the apache CGI query (ie session)
+this makes sense in even in templatelogin, if the user is already authenticated via Apache.
+useful, if you use apache-auth for external access but template-login
+for internal access.
+
+=cut
+
+sub getUser {
+    my $this = shift;
+
+    my $query = $this->{session}->{request};
+    my $authUser;
+
+    # Ignore remote user if we got here via an error
+    # Only useful with CGI engine & Apache webserver
+    unless ( ( $ENV{REDIRECT_STATUS} || 0 ) >= 400 ) {
+        $authUser = $query->remote_user() if $query;
+        Foswiki::LoginManager::_trace( $this,
+            "apache getUser says " . ( $authUser || 'undef' ) );
+    }
+    return $authUser;
+}
 1;
 __DATA__
 Module of Foswiki - The Free and Open Source Wiki, http://foswiki.org/
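Review bot: the new getUser honours REMOTE_USER unconditionally, so every site running TemplateLogin starts trusting whatever identity its front end passes in, even sites that never configured front-end authentication; gate it behind a configuration flag that defaults to off (the $Foswiki::cfg{TemplateLogin}{AllowLoginRemoteUser} parameter proposed later in this item fits) and return undef when the flag is not set. Two smaller points in the same hunk: the POD says the login is "stored in the apache CGI query (ie session)", but `$query->remote_user()` returns the web server's REMOTE_USER, which is per request and is not session state, so the documentation should say so; and the trace string `"apache getUser says "` names Apache although any front end that sets REMOTE_USER satisfies this code (the comment above it already admits the REDIRECT_STATUS check is only meaningful with the CGI engine and Apache), so a neutral wording such as "REMOTE_USER says" would be more accurate.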
-- StefanStidl - 10 Feb 2011

Does this need to have a configuration option, something like "Use Apache Identity if provided", and return undefined if not enabled?

-- GeorgeClark - 24 Feb 2011

This is a bit of a hack to overcome a specific use case (Template falls back to Apache). I'm wondering if there's a better approach, viz. allow fallback through a chain of login managers (e.g. Apache falls back to LDAP).

-- CrawfordCurrie - 01 Mar 2011

@crawford: I think it's not so specific. Apache auth (not a login manager) is the only way to ensure that no one can access anything from outside without authenticating, which seems quite often to be the use case in intranet scenarios. I can't imagine a case where you can fall back to Apache (the Apache config is evaluated first, by Apache).

-- StefanStidl - 01 Mar 2011

BTW: Apache auth can be LDAP/htaccess/... so it's possible to combine the LDAP login manager with Apache auth, too.

-- StefanStidl - 01 Mar 2011

I can imagine such a scenario. Remember, Foswiki TemplateLogin is responsible for authentication and identification, but Foswiki ApacheLogin is responsible for identification only.

Consider: a company has an SSO login using Apache which gives access to a range of corporate sites. However, this login does not identify a user (beyond their obscure corporate login id). A local admin wants to identify users better than that, but doesn't have access to the corporate REMOTE_USER to WikiName mapping. So they ask them to log in specifically to the wiki. If, however, they have no such id, a fallback to Apache identification gives them some level of access to the site.

-- CrawfordCurrie - 02 Mar 2011

The solution, by the way, to avoid upgrade problems is to copy your modified TemplateLogin.pm to MyTemplateLogin.pm or some other local name. Then change configure to use the modified version. The new file will just show up in the Login Manager choices, or the config parameter would be $Foswiki::cfg{LoginManager} = 'Foswiki::LoginManager::MyTemplateLogin';

You will still have to merge changes from the Foswiki version into your local copy, but at least you won't lose your changes with the upgrade to a new Foswiki. (It does have changes for 1.1.3.)

-- GeorgeClark - 02 Mar 2011

ok, thanks for the tip.

-- StefanStidl - 02 Mar 2011

I do not believe this is a bug, and for sure not an urgent bug. Mixing the two auth methods is not what we document or recommend.

Such a mode should be coded as a specific login manager. This mode will mean that people need to double authenticate. Not what I would recommend.

I am changing this to an enhancement bug.

-- KennethLavrsen - 06 Mar 2011

@kenneth: why double authenticate? The current behaviour is that people have to double authenticate. This would change if my patch is applied.

-- StefanStidl - 07 Mar 2011

This seems to be a reasonable patch to apply, with a configuration parameter to control its use:

$Foswiki::cfg{TemplateLogin}{AllowLoginRemoteUser}: enable to activate honouring of the Apache remote user.

-- GeorgeClark - 06 Jan 2015

OK, so long as it is carefully explained. Please don't patch in "apache getUser says" though: it's not just Apache.

-- CrawfordCurrie - 06 Jan 2015
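The three suggestions in this thread (keep the change in a local subclass so upgrades don't overwrite it, gate it behind a configuration flag, and don't name Apache in the trace) can be combined in one small login manager. The following is an added example written for this item, not code from Foswiki or from any of the posters. It assumes the flag $Foswiki::cfg{TemplateLogin}{AllowLoginRemoteUser} proposed above (not present in any release mentioned here), assumes the base Foswiki::LoginManager provides a getUser that the subclass can fall back to, and assumes $Foswiki::cfg{LoginNameFilterIn} holds the site's login-name regex; the module name MyTemplateLogin follows the tip given above and is illustrative.

```perl
# Added example, not Foswiki project code.
# Install as lib/Foswiki/LoginManager/MyTemplateLogin.pm and select it with
#   $Foswiki::cfg{LoginManager} = 'Foswiki::LoginManager::MyTemplateLogin';
package Foswiki::LoginManager::MyTemplateLogin;

use strict;
use warnings;

# Inherit everything (login template, session handling) from TemplateLogin;
# only identity lookup is overridden.
use Foswiki::LoginManager::TemplateLogin ();
our @ISA = ('Foswiki::LoginManager::TemplateLogin');

# Assumed: the site's login-name filter. A front end that copies REMOTE_USER
# from an untrusted request header could otherwise hand us an arbitrary
# string; anything that fails the filter is treated as "no identity".
my $LOGIN_FILTER =
  $Foswiki::cfg{LoginNameFilterIn} || qr/^[A-Za-z0-9._@-]{1,64}$/;

sub getUser {
    my $this = shift;

    # Assumed flag, off by default: a site that never configured front-end
    # authentication must not silently start trusting REMOTE_USER.
    return undef
      unless $Foswiki::cfg{TemplateLogin}{AllowLoginRemoteUser};

    # On an Apache ErrorDocument redirect the REMOTE_USER belongs to the
    # request that failed; ignore it (only meaningful under CGI + Apache).
    return undef if ( $ENV{REDIRECT_STATUS} || 0 ) >= 400;

    my $query    = $this->{session}->{request};
    my $authUser = $query ? $query->remote_user() : undef;

    if ( defined $authUser && $authUser =~ /$LOGIN_FILTER/ ) {
        # Neutral wording: any front end (Apache, nginx, SSO proxy) that sets
        # REMOTE_USER ends up here, not just Apache.
        Foswiki::LoginManager::_trace( $this,
            "REMOTE_USER says $authUser" );
        return $authUser;
    }

    # No usable front-end identity: behave exactly like stock TemplateLogin
    # (assumed: the parent class's getUser, which returns undef for
    # TemplateLogin so the login form / session cookie takes over).
    return $this->SUPER::getUser(@_);
}

1;
```

With the flag unset the class is indistinguishable from TemplateLogin, which matches the "return undefined if not enabled" behaviour asked for above; with it set, an extranet user who already passed Apache authentication is identified by REMOTE_USER and is not asked to log in again on edit, while intranet users who arrive without REMOTE_USER still get the template login form.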
Topic revision: r11 - 06 Jan 2015, CrawfordCurrie