Apache Login (select Foswiki::LoginManager::ApacheLogin)
Using this method Foswiki does not authenticate users internally. Instead it depends on the REMOTE_USER environment variable, which is set when you enable authentication in the webserver.
The advantage of this scheme is that if you have an existing website authentication scheme using Apache modules such as mod_auth_ldap or mod_auth_mysql you can just plug in directly to them.
The disadvantage is that because the user identity is cached in the browser, you can log in, but you can't log out again unless you restart the browser.
Foswiki maps the REMOTE_USER that was used to log in to the webserver to a WikiName using the table in WikiUsers. This table is updated whenever a user registers, so users can choose not to register (in which case their webserver login name is used for their signature) or register (in which case that login name is mapped to their WikiName).
The same private .htpasswd file used in Foswiki Template Login can be used to authenticate Apache users, using the Apache Basic Authentication support.
Warning: Do not use the Apache htpasswd program with .htpasswd files generated by Foswiki! htpasswd wipes out email addresses that Foswiki plants in the info fields of this file.
Enabling Apache Login using mod_auth
You can use any other Apache authentication module that sets REMOTE_USER.
- Use configure to select the Foswiki::LoginManager::ApacheLogin login manager.
- Use configure to set up Foswiki to create the right kind of .htpasswd entries.
- Create a .htaccess file in the bin directory.
There is a template for this file in bin/.htaccess.txt that you can copy and change. The comments in the file explain what needs to be done.
If you got it right, the browser should now ask for login name and password when you click on Edit. If .htaccess does not have the desired effect, you may need to set "AllowOverride All" for the directory in httpd.conf (if you have root access; otherwise, e-mail web server support).
At this time AccessControls do not control access to files in the pub area, unless they are only accessed through the viewfile script. If your pub directory is set up to allow open access you may want to add .htaccess files in there as well to restrict access.
- You can create a custom version of the UserRegistration form by copying the default topic, and then deleting or adding input tags in your copy. The name="" parameter of the input tags must start with "Twk0..." (if this is an optional entry) or "Twk1..." (if this is a required entry). This ensures that the fields are carried over into the user home page correctly. Do not modify the version of UserRegistration shipped with Foswiki, as your changes will be overwritten next time you upgrade.
The default new user template page is in System.NewUserTemplate. The same macros get expanded as in the template topics. You can create a custom new user home page by creating the Main.NewUserTemplate topic, which will then override the default.
- Register yourself in the UserRegistration topic.
Check that a new line with the username and encrypted password is added to the .htpasswd file. If not, you may have got a path wrong, or the permissions may not allow the webserver user to write to that file.
- Create a new topic to check if authentication works.
- Edit the AdminGroup topic in the Main web to include users with system administrator status.
This is a very important step, as users in this group can access all topics, independent of Foswiki access controls.
AccessControl has more information on setting up access controls.
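An added check for the htpasswd warning and the registration step above (example code, not part of Foswiki): it lists entries whose email info field is missing, as happens after the file has been rewritten by htpasswd, and flags password encodings worth reviewing. The login:encoded-password:email layout, the function names and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Foswiki code. Assumed htpasswd-style layout per line:
#   login:encoded-password:email
# (an htdigest-style file carries an extra realm field and is not handled).

# Name the password encoding of one entry from its well-known prefix.
hash_scheme() {
    case "$1" in
        '$apr1$'*)                echo apr-md5 ;;
        '$2y$'*|'$2a$'*|'$2b$'*)  echo bcrypt ;;
        '{SHA}'*)                 echo sha1 ;;
        ?????????????)            echo crypt ;;   # exactly 13 characters
        *)                        echo unknown ;;
    esac
}

# Print "login: problem" for every entry that needs attention.
audit_htpasswd() {
    while IFS=: read -r login hash email rest || [ -n "$login" ]; do
        case "$login" in ''|'#'*) continue ;; esac
        [ -n "$hash" ] || { echo "$login: no password"; continue; }
        case "$email" in
            *@*) ;;
            *)   echo "$login: email info field missing" ;;
        esac
        case "$(hash_scheme "$hash")" in
            sha1)    echo "$login: unsalted SHA-1 password" ;;
            crypt)   echo "$login: legacy crypt() password" ;;
            unknown) echo "$login: unrecognised password encoding" ;;
        esac
    done < "$1"
}

# Constructed sample entries; the hashes are placeholders, not real ones.
sample_htpasswd() {
    cat <<'EOF'
alice:$apr1$constrct$0123456789abcdefghijkl:alice@example.com
bob:$apr1$constrct$lkjihgfedcba9876543210
carol:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=:carol@example.com
dave:abCONSTRUCTED:dave@example.com
EOF
}

tmp=$(mktemp) && sample_htpasswd > "$tmp" && audit_htpasswd "$tmp"
rm -f "$tmp"
```

Run audit_htpasswd against a copy of the real file; an entry that loses its email after maintenance points to the file having been edited outside Foswiki.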
Logons via Perl authentication modules
You can easily authenticate users against central user repositories via various authentication modules in Apache. You need mod_perl support in your Apache for this. One example is NIS authentication, but there are many more Perl authentication modules available.
See http://www.perl.com/pub/a/2003/07/08/mod_perl.html for more info.
NIS authentication
See http://www.math.tu-clausthal.de/~matsa/linux/apache-nis/ or http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginSiteProtection.html
Logons via bin/logon
Any time a user requests a page that needs authentication, they will be forced to log on. It may be convenient to have a "logon" link as well, to give the system a chance to identify the user and retrieve their personal settings. It may be convenient to force them to log on.
The bin/logon script enables this. If you are using Apache Login, the bin/logon script must be set up in the bin/.htaccess file to be a script which requires a valid user. Once authenticated, it will redirect the user to the view URL for the page from which the logon script was linked.
Sessions
Foswiki uses the CPAN:CGI::Session and CPAN:CGI::Cookie modules to track sessions. These modules are de facto standards for session management among Perl programmers. If you can't use cookies for any reason, CPAN:CGI::Session also supports session tracking using the client IP address.
You don't have to enable sessions to support logins in Foswiki. However it is strongly recommended. Foswiki needs some way to remember the fact that you logged in from a particular browser, and it uses sessions to do this. If you don't enable sessions, Foswiki will try hard to remember you, but due to limitations in the browsers it may also forget you (and then suddenly remember you again later!). So for the best user experience, you should enable sessions.
There are a number of macros available that you can use to interrogate your current session. You can even add your own session variables to the Foswiki cookie. Session variables are referred to as "sticky" variables.
-- JosefSiemes - 02 Jun 2009
