Question
The configure script documents AuthScripts as such:
Comma-separated list of scripts that require the user to authenticate.
With TemplateLogin, any time an unauthenticated user attempts to access one of these scripts, they will be redirected to the login script.
With ApacheLogin, they will be redirected to the logon script (note login and logon; they are different scripts).
This approach means that only the logon script needs to be specified as require valid-user when using Apache authentication.
However, I'm testing with TWiki 4.1.2 where LoginManager is TWiki::Client::ApacheLogin and AuthScript contains: attach,edit,manage,rename,save,upload,viewauth,rdiffauth.
In the Apache config, only logon is protected by a require valid-user.
Now, if I try editing a protected page, instead of being redirected to the logon (which should trigger apache auth), I get an oops page :
Access Denied
Access check on Main.TWikiGroups failed. Action "edit": authentication required.
I guess AuthScript is not working then, and all scripts must be set to require valid-user in the Apache config?
Environment
--
OlivierBerger - 12 Aug 2008
Answer
When you select ApacheLogin in ApacheConfigGenerator, the generated conf includes:
# When using Apache type login the following defines the TWiki scripts
# that makes Apache ask the browser to authenticate. It is correct that
# scripts such as view are not authenticated.
<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|rest|.*auth).*">
require valid-user
</FilesMatch>
Yes, that is at odds with /bin/configure's description of {AuthScripts}, but it worked for me.
--
SeanCMorgan - 12 Aug 2008
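
One way to check that every {AuthScripts} entry is covered by an Apache require valid-user block, as an added example that is not part of the original posts or of TWiki's own code. The function names and the logon-only configuration are constructed for illustration, and the pattern is assumed to be searched unanchored in the script's file name.

```python
import re

# Taken from the page: the {AuthScripts} value in the question and the
# FilesMatch block quoted in the answer.
AUTH_SCRIPTS = "attach,edit,manage,rename,save,upload,viewauth,rdiffauth"
GENERATED_CONF = '''
<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|rest|.*auth).*">
require valid-user
</FilesMatch>
'''
# Constructed stand-in for the question's setup (only logon protected);
# the question does not show its actual Apache directives.
LOGON_ONLY_CONF = '''
<FilesMatch "logon">
require valid-user
</FilesMatch>
'''

BLOCK_RE = re.compile(
    r'<FilesMatch\s+"([^"]+)"\s*>(.*?)</FilesMatch>', re.S | re.I)

def protected_patterns(conf):
    """Return compiled patterns of FilesMatch blocks that require valid-user."""
    patterns = []
    for pattern, body in BLOCK_RE.findall(conf):
        if re.search(r'^\s*require\s+valid-user\s*$', body, re.I | re.M):
            patterns.append(re.compile(pattern))
    return patterns

def is_protected(script, conf):
    # Assumption: the pattern is searched unanchored in the script's file
    # name, so "edit" also covers any name that merely contains "edit".
    return any(p.search(script) for p in protected_patterns(conf))

def unprotected_auth_scripts(auth_scripts, conf):
    """AuthScripts entries that Apache would serve without authentication."""
    names = [s.strip() for s in auth_scripts.split(",") if s.strip()]
    return [s for s in names if not is_protected(s, conf)]

if __name__ == "__main__":
    for label, conf in (("generated", GENERATED_CONF),
                        ("logon only", LOGON_ONLY_CONF)):
        print(label, "->", unprotected_auth_scripts(AUTH_SCRIPTS, conf))
    print("view protected:", is_protected("view", GENERATED_CONF))
```

An empty list means Apache asks for credentials on every script that TWiki itself will refuse to run unauthenticated; any name in the list is a script that would reach TWiki without a user.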