
Question

I've installed out-of-the-box TWiki 4.0.2 and I am attempting to lock it down for private usage. I am quite happy using cookie-based auth, but none of the current support articles appear to discuss a cookie-based secure approach.

I want to be sure that I'm not falsely assuming my TWiki will be secure/private with this approach.

Basically, if I put all the twiki/bin scripts into $TWiki::cfg{AuthScripts}, will this mean that no-one can do anything unless they log in? i.e. is this a certain path to securing my TWiki and all its webs? Are there any twiki/bin scripts I need to keep out of AuthScripts to allow login to work?

thanks! Nathan

Related question and answers

I realise this sounds a bit like an FAQ, but the questions I have read from the Support web (see below) don't seem to address an "all locked down by cookie auth" approach. Questions I have read/looked at are:

Environment (not really relevant to this one, I think?)

TWiki version: TWikiRelease04x00x02
TWiki plugins: DefaultPlugin, EmptyPlugin, InterwikiPlugin
Server OS: Debian
Web server: Apache
Perl version: v5.8.4
Client OS: n/a
Web Browser: n/a
Categories: Htaccess, Permissions, Registration, Authentication, Security, Authorisation

-- NathanBailey - 11 Jun 2006

Answer


If you put all scripts into $TWiki::cfg{AuthScripts}, then nobody can do anything with your TWiki unless she logs in. The only thing you need to consider is that nobody can register himself; RegisterOnViewRestrictedSite has a solution for that (copy the HTML version of the registration page to a static page). In addition, you need to exclude register from $TWiki::cfg{AuthScripts}.

The important additional thing to keep in mind is that you need to configure your Apache correctly so that it doesn't serve TWiki data directly. The sample .htaccess pages in the distribution show how to do that: there are Deny from all directives for the data, lib, locale, and templates subdirectories.

-- HaraldJoerg - 11 Jun 2006

Don't forget to put the pub directory under authentication (with the same require valid-user).

-- PeterThoeny - 12 Jun 2006
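The two Apache points above (Harald's: never let Apache serve data, lib, locale and templates directly; Peter's: put pub under the same require valid-user as the bin scripts) can be expressed in one httpd configuration fragment. This is an added example, not configuration from the thread or from the TWiki distribution; the install path /var/www/twiki and the htpasswd file location are assumptions, and the Order/Deny syntax is the Apache 1.3/2.0/2.2 form used at the time of the thread (on Apache 2.4, Require all denied replaces Order Deny,Allow / Deny from all).

```apache
# Added example (not from the thread or the TWiki distribution).
# Assumed install path: /var/www/twiki. Adjust to your installation.

# Internal directories: TWiki reads these itself; Apache must never serve
# them over HTTP, or topic text, config and templates leak without any login.
<DirectoryMatch "^/var/www/twiki/(data|lib|locale|templates)(/|$)">
    Order Deny,Allow
    Deny from all
</DirectoryMatch>

# Attachments: without this, anyone can fetch pub/Web/Topic/file directly,
# bypassing the login that protects the bin scripts. Same htpasswd file as
# the bin scripts is assumed (TWiki's default is data/.htpasswd).
<Directory /var/www/twiki/pub>
    AuthType Basic
    AuthName "TWiki"
    AuthUserFile /var/www/twiki/data/.htpasswd
    require valid-user
</Directory>
```

After reloading Apache, confirm the lockdown from a browser with no session: a request for a topic file such as /twiki/data/Main/WebHome.txt and for anything under /twiki/lib/ should return 403, and a request for a file under /twiki/pub/ should prompt for credentials rather than serve the attachment. If either succeeds anonymously, the $TWiki::cfg{AuthScripts} setting alone is not protecting the content.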

Wouldn't it be simpler to use global ACL?

-- MeredithLesly - 12 Jun 2006

Would you care to sketch the ACL solution, just for comparison?

-- SteffenPoulsen - 16 Jun 2006

Also, if you need high-grade security, I would recommend implementing the TWikiAccessControl section "Controlling Access to Attachments".

-- MarcoPoli - 13 Jul 2006

Topic revision: r10 - 2007-08-27 - WhitBlauvelt