arjan
Date: 5/28/2009 5:05 pm · Subject: WebGUI::authen · Rating: 0
I configured my box just like the example in the Blackblog post http://www.plainblack.com/tbb/next-basic-auth in the virtual host of my mod_perl. So since the realm is root (/), if I go to any url without user:pass@url I always get prompted for a username and password? Even if the page is viewable for Everyone, I will get prompted. If I'm not a registered user, access will be denied. And also the other way around: if I'm a registered user, I will not see Apache's forbidden page, I will go to the site, but WebGUI can still say the content is forbidden because I have insufficient privileges. The privileges are not checked in WebGUI::authen, just if you are a registered user. The rest is left to WebGUI's privileges system. Correct so far?

The reason I ask is that I wanted to adapt WebGUI::authen so you can only log in via basic auth, on every page, if you come from a specific ip. In all other cases people go to a public homepage that's visible for everyone. Only if they want to post messages, they have to log in. Now that doesn't seem so easy, because you either enable basic auth for the whole site or you don't. If you do, everybody has to log in via basic auth. This is an apache configuration and not something you can change easily in authen. The only way I could think of doesn't seem that elegant:

Basically you always give access
- if no username is defined or
- if there's a session

It's all handled by WebGUI's privileges system.
If username is defined, check the ip, if that's ok, check the user and create a session.

Would that work? Are there better ways to go?

Kind regards,
Arjan.
JT
Date: 5/28/2009 5:45 pm · Subject: Re: WebGUI::authen · Rating: 0
> The reason I ask is that I wanted to adapt WebGUI::authen so you can
> only log in via basic auth, on every page, if you come from a specific
> ip. In all other cases people go to a public homepage that's visible for
> everyone. Only if they want to post messages, they have to log in. Now
> that doesn't seem so easy, because you either enable basic auth for
> the whole site or you don't. If you do, everybody has to log in via
> basic auth. This is an apache configuration and not something you can
> change easily in authen. The only way I could think of doesn't seem that
> elegant:
> Basically you always give access
> - if no username is defined or
> - if there's a session
> It's all handled by WebGUI's privileges system.
> If username is defined, check the ip, if that's ok, check the user and
> create a session.
>
> Would that work? Are there better ways to go?

What you're saying, if I understand correctly, is basically correct. The best and perhaps only way to really do this right would be to add a setting so that WebGUI::Auth would throw an authentication challenge back to the browser on pages where you would normally get a login prompt inline in the page. I didn't do that when I added basic auth because I honestly didn't think anybody would ever use basic auth for anything other than automated scripts. I guess that was short-sighted on my part.

JT Smith
ph: 703-286-2525 x810
fx: 312-264-5382

Create like a god. Command like a king. Work like a slave.
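The decision flow proposed in the first post and discussed in the reply above (let the request through when no username is supplied or a session exists; otherwise check the IP, then the user), as an added example that is not part of the thread and not WebGUI's own code. It is plain Perl with no mod_perl or WebGUI calls; the `decide` function, the user table and the trusted address are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);

# Constructed sample data (hypothetical; not WebGUI's user store).
my %USERS      = (alice => 's3cret');
my @TRUSTED_IP = ('192.0.2.10');

# Hypothetical helper: decide what the authen phase does for one request.
#   'pass'    - let the request through; WebGUI's privilege system decides
#   'session' - credentials verified from a trusted address; create a session
#   'deny'    - credentials were offered but must not be accepted
sub decide {
    my (%req) = @_;    # keys: ip, authorization, has_session
    return 'pass' if $req{has_session};
    my $header = $req{authorization} // '';
    return 'pass' if $header eq '';    # no username defined
    my ($b64) = $header =~ /\ABasic\s+(\S+)\z/i or return 'deny';
    my ($user, $pass) = split /:/, decode_base64($b64), 2;
    return 'deny' unless defined $user && defined $pass;
    # Check the IP first, so credentials from elsewhere are never tested.
    return 'deny' unless grep { $_ eq $req{ip} } @TRUSTED_IP;
    return 'deny' unless exists $USERS{$user} && $USERS{$user} eq $pass;
    return 'session';
}

# Constructed requests covering each branch.
my $good = 'Basic ' . encode_base64('alice:s3cret', '');
my $bad  = 'Basic ' . encode_base64('alice:wrong',  '');
my @cases = (
    [ 'anonymous, any address'       => { ip => '198.51.100.7' } ],
    [ 'existing session'             => { ip => '198.51.100.7', has_session => 1 } ],
    [ 'valid login, trusted address' => { ip => '192.0.2.10', authorization => $good } ],
    [ 'valid login, other address'   => { ip => '198.51.100.7', authorization => $good } ],
    [ 'wrong password, trusted'      => { ip => '192.0.2.10', authorization => $bad } ],
    [ 'malformed header'             => { ip => '192.0.2.10', authorization => 'Basic' } ],
);
for my $case (@cases) {
    my ($label, $req) = @$case;
    printf "%-30s %s\n", $label, decide(%$req);
}
```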
arjan
Date: 5/29/2009 9:40 am · Subject: Re: WebGUI::authen · Rating: 0
He, that does seem the way to go. I'm going to try to write that. Thanx for the idea.

jt@plainblack.com wrote:
> JT wrote:
>
> > The reason I ask is that I wanted to adapt WebGUI::authen so you can
> > only log in via basic auth, on every page, if you come from a specific
> > ip. In all other cases people go to a public homepage that's visible for
> > everyone. Only if they want to post messages, they have to log in. Now
> > that doesn't seem so easy, because you either enable basic auth for
> > the whole site or you don't. If you do, everybody has to log in via
> > basic auth. This is an apache configuration and not something you can
> > change easily in authen. The only way I could think of doesn't seem that
> > elegant:
> > Basically you always give access
> > - if no username is defined or
> > - if there's a session
> > It's all handled by WebGUI's privileges system.
> > If username is defined, check the ip, if that's ok, check the user and
> > create a session.
> >
> > Would that work? Are there better ways to go?
>
> What you're saying, if I understand correctly, is basically correct.
> The best and perhaps only way to really do this right would be to add
> a setting so that WebGUI::Auth would throw an authentication challenge
> back to the browser on pages where you would normally get a login
> prompt inline in the page. I didn't do that when I added basic auth
> because I honestly didn't think anybody would ever use basic auth for
> anything other than automated scripts. I guess that was short sighted
> on my part.
>
> JT Smith
> ph: 703-286-2525 x810
> fx: 312-264-5382
>
> Create like a god. Command like a king. Work like a slave.
>
> http://www.plainblack.com/webgui/dev/discuss/webguiauthen/1