
SID-02017: Authenticating individual link pages

Status: Answered TWiki version: 6.0.1 Perl version: 5.005
Category: CategoryAuthentication Server OS: CentOS Last update: 10 years ago

Hi,

I have created a web like below:

http://xxxxxxx/do/view/MyWeb/WebHome

Inside this I have a child topic :

http://xxxxxxxx/do/view/TWiki/MyChildPage

If a user clicks the first link (web) he is asked to authenticate. But if he clicks the second link he is allowed to view without authentication.

I have set http://xxxxxxxx/do/view/MyWeb/WebPreferences

Set ALLOWWEBVIEW = MyGroup

Can you please help us to make sure that each page is authenticated.

Many thanks, Dwaraka.

-- Dwarakanathan Sankaran - 2015-01-29

Discussion and Answer

This sounds ... well... strange, so I'd like to check whether I understand your question correctly: You want your users to enter their password on every view request. Or maybe even if the same user reloads the same page.

This is very likely to annoy your users. And therefore, it isn't well supported in TWiki (or any other web application I know of).

For the moment, I'll just explain why the usual methods of TWiki authentication fail to achieve that goal:

  • With Apache login, the browser remembers the password once the user enters it, and from there on sends it with every request to the same domain ("domain" as defined in Apache configuration). It does so under the hood; there's no way TWiki could prevent that from happening. From TWiki's point of view, every page is authenticated because the web server can't distinguish whether the browser actually prompted the user to enter the password for the current URL.
  • With template login, authentication is based on "sessions" which are usually stored in cookies. Cookie sessions are a standard technique by which applications can bolt on authentication on top of the HTTP transport mechanism and without cooperation of the web server. One can switch sessions off, but this does not help: The authentication process itself works with HTTP redirections. Viewing a page which requires authentication redirects you to the login page, and after login you are "redirected back" - only that there is no concept of "back" without a session. When coming "back", TWiki has already forgotten about you and you are once again redirected to the login page. Repeat ad nauseam.

There are ways to coerce Apache to re-authenticate every view, and to make TWiki log you out after every request. But both require heavy lifting, i.e. programming, of login handlers. I can't recommend this.

-- Harald Jörg - 2015-01-30

Thanks Harald.

Sorry maybe I could not explain properly.

Let’s say my TWiki has one web (say http://twiki/do/view/web) and one child topic inside it (say http://twiki/do/view/TWiki/childpage).

Mr X is not a TWiki user but somehow he knows the child link (http://twiki/do/view/Twiki/childpage). If he hits this page directly he is able to view it without even having a session or authentication.

The way I was able to protect it is: after creating a new topic, go to More Topic Options -> Edit Settings -> Set ALLOWTOPICVIEW = mygroup.

Problem is I cannot go and add this to every topic. There should be a default option for this.

Please note that for http://twiki/do/view/web we added Set ALLOWWEBVIEW in the web preferences.

So if Mr X clicks the web he is asked to log in before he can view. We expected all the pages under that web to behave in the same way by default, without having to set ALLOWTOPICVIEW in each and every topic.

Many thanks, Dwaraka.

-- Dwarakanathan Sankaran - 2015-01-30

Ok, now I think I understand... that makes much more sense.

There's one thing still confusing me: You mention http://twiki/do/view/MyWeb and a childpage http://twiki/do/view/TWiki/MyChildPage. That's not how access control with webs works. The pages in http://twiki/do/view/MyWeb all have URLs like http://twiki/do/view/MyWeb/MyChildPage, and the page http://twiki/do/view/TWiki/MyChildPage belongs to the TWiki web. So, to restrict access to http://twiki/do/view/TWiki/MyChildPage, you'd need to add the ALLOWWEBVIEW setting to http://twiki/do/view/TWiki/WebPreferences!

However, maybe you intended to write http://twiki/do/view/MyWeb/MyChildPage? In that case, your surprise is justified, because setting ALLOWWEBVIEW in the web preferences topic http://twiki/do/view/MyWeb/WebPreferences should indeed force authentication for every page in this web. I could only ask to double check the syntax of the setting:

  1. Three spaces
  2. A '*'
  3. One space
  4. Set ALLOWWEBVIEW = Main.MyGroup

I admit that it isn't easy to describe preference settings without risking that they come into effect in our dialog...

-- Harald Jörg - 2015-01-31
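
The two checks from the answer above, as an added example that is not part of the original thread and not TWiki's own code: it works out which web a view URL belongs to, then looks for a correctly formatted ALLOWWEBVIEW line in that web's WebPreferences text. The function names, the `/do/view/` prefix (taken from the URLs in this thread) and the sample preference texts are assumptions constructed for illustration; topic-level settings such as ALLOWTOPICVIEW are not considered.

```python
import re
from urllib.parse import urlparse

# Setting syntax as listed in the answer: three spaces, '*', one space,
# then "Set NAME = value". Anything else is treated as plain text.
SETTING_RE = re.compile(r"^ {3}\* Set (\w+) = (.*?)[ \t]*$", re.MULTILINE)


def web_settings(prefs_text):
    """Return {NAME: value} for correctly formatted Set lines."""
    return dict(SETTING_RE.findall(prefs_text))


def web_of(url, script_prefix="/do/view/"):
    """Split a view URL of the form .../do/view/Web/Topic into (web, topic)."""
    path = urlparse(url).path
    if not path.startswith(script_prefix):
        raise ValueError("not a view URL: " + url)
    parts = [p for p in path[len(script_prefix):].split("/") if p]
    if len(parts) < 2:
        raise ValueError("URL names no topic: " + url)
    return "/".join(parts[:-1]), parts[-1]


def audit(urls, prefs_by_web):
    """Map each URL to (web, ALLOWWEBVIEW value of that web, or None)."""
    report = {}
    for url in urls:
        web, _topic = web_of(url)
        settings = web_settings(prefs_by_web.get(web, ""))
        report[url] = (web, settings.get("ALLOWWEBVIEW"))
    return report


# Constructed sample data: raw WebPreferences text per web.
PREFS = {
    "MyWeb": "---+ Preferences\n   * Set ALLOWWEBVIEW = Main.MyGroup\n",
    "TWiki": "---+ Preferences\n",                       # no view restriction
    "DraftWeb": "  * Set ALLOWWEBVIEW = Main.MyGroup\n",  # two spaces: ignored
}
URLS = [
    "http://twiki/do/view/MyWeb/WebHome",
    "http://twiki/do/view/TWiki/MyChildPage",
    "http://twiki/do/view/DraftWeb/WebHome",
]

if __name__ == "__main__":
    for url, (web, allow) in audit(URLS, PREFS).items():
        print(f"{url}: web={web} ALLOWWEBVIEW={allow or 'NOT SET'}")
```
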

Probably that is the main problem. The link which is created for a new page is not a child link under MyWeb. Instead it is directly under http://twiki/do/view/TWiki.

I have double checked the setting ALLOWWEBVIEW is fine. In fact after adding that the authentication of MyWeb was enabled.

Can you provide some hints on why the child pages are being created like that?

The way I am creating a new page is as follows:

  1. Edit MyWeb
  2. Type a wiki word and save
  3. Click the wiki word to create MyChildPage

-- Dwarakanathan Sankaran - 2015-02-04

Do you add a WikiWord in a title="..." of a dashboard? If you do it will point to the TWiki web because the dashboard elements are included from the TWiki web. If you do, make sure to prefix the web name before the WikiWord, such as %WEB%.MyChildPage instead of just MyChildPage.

-- Peter Thoeny - 2015-02-04

Closing this question after more than 30 days of inactivity. Feel free to reopen if needed. Consider engaging one of the TWiki consultants if you need timely help. We invite you to get involved with the community, it is more likely you get community support if you support the open source project!

-- Peter Thoeny - 2015-12-03

SupportForm
Status Answered
Title Authenticating individual link pages
SupportCategory CategoryAuthentication
TWiki version 6.0.1
Server OS CentOS
Web server Apache
Perl version 5.005
Browser & version Chrome v40
Topic revision: r7 - 2015-12-03 - PeterThoeny
 