I've had a trac server running for about a year now - chugging along just as expected. Today, I implemented basic authorization on the apache server that trac runs under.
Trac now picks up the user as authenticated by Apache, and doesn't allow either logout or a login.
I tried to create an apache user with the same name and password as a trac user, but the behavior remained - I can't access trac.
How do I align trac with Apache authorization?
One of the drawbacks of HttpAuth is the inability to log out (short of closing your browser, or clearing browser auth). You probably want to grab AccountManagerPlugin from trac-hacks.org and set it up with the form-based login. That gives you the ability to log out.
You will need to point trac to the htpasswd file for Apache users and then set permissions to access the login page through Apache. You can find more information here.
Related
When you protect an area of your document root using either the server configuration or .htaccess, the server prompts for a username and password when someone requests those files from a browser. If the password matches the one from the authentication provider for that user, the documentation at http://httpd.apache.org/docs/2.2/howto/auth.html says that apache will set environment variables for that user. In my case I'm building a php app, and using phpinfo() I gather that the environment variables set are are REDIRECT_AUTHENTICATE_SAMACCOUNTNAME, AUTHENTICATE_SAMACCOUNTNAME (Using active directory as authentication provider), and REMOTE_USER. I believe this is what prevents the user from being prompted again and again on each subsequent request.
What I don't understand is how apache matches requests from a user with the environment variables set for that user, and also when and how it knows how to clear those variables. I doesn't appear to use cookies, because I cleared all the cookies for the domain in question, and still it doesn't ask me to reauthenticate unless I actually close the browser.
Ultimately I'm going to be working with php to get the userid and to maintain state, but since php is getting the information from the apache information, I'd like to know about that context, and I don't seem to be able to find these details. Thanks in advance.
Look at the http headers your browser is sending. After you have supplied a username and password, your browser will continue sending those details to that site until your browser session ends, or longer if you tell your browser to remember the credentials.
i wondering, it is possible to redirect ALL WEBSITE to a URL(authentication page) in localhost (wampserver)..
after client login (in the authentication page) with correct ID and PASSWORD, then the client will be able to access to any WEBSITE.
You could setup basic authentication in apache. Edit httpd.conf by clicking through from the WampServer icon and follow these instructions. However, instead of using <Directory "/var/www/html/protected"> and doing it for each vhost, use <Location />. This is because each site will match that location directive so will all need to run the same authentication before sites will be shown.
If you didn't want to use basic auth in this manner, then I'd suggest you setting up shared authentication on your sites (like stack uses OpenID) or looking at something like CORS, but that seems like a lot of work.
The final thing I'd point out is IP restriction. We have some clients/staff/etc that access our dev servers but it's all locked down to specific IPs and luckily so far everyone who's needed it has had a static IP. This may not be an option.
I'm developing a web page using Flask, on an Apache server where the Server is enforcing basic authentication. That is, a user accessing a page on the server is presented with a login screen by Apache, and the login credentials checked prior to passing the request to my page.
The question is whether, and how, I can access the user name from my flask/python code. When using PHP instead of flask/python, on the same server, it is straightforward: The username is a available as a $_SERVER variable (available twice it seems, as the value for keys PHP_AUTH_USER, and also AUTHENTICATE_CN). I'm guessing/hoping that Apache would similarly make the authenticated username available to flask (perhaps through WSGI somehow), but I can't find it.
I've tried displaying all the key/value pairs in request.headers, but the username isn't there. Is there somewhere else I should look?
You can find authentication information in Flask from the request object.
from flask import request
def my_view():
auth = request.authentication
username = auth.username
password = auth.password
...
Note however that if you're using apache mod_wsgi, you'll need to turn on the WSGIPassAuthorization directive in your virtualhost config. Otherwise apache will consume the authentication header and won't pass it to the WSGI layers.
<virtualhost *:443>
...
WSGIPassAuthorization On
...
</virtualhost>
more info here and here.
I eventually found it, it's available as:
request.environ.get('REMOTE_USER')
Not knowing this wasn't my only problem however, in case
it's useful for anyone, here's the story:
Firstly I tried to find out if WSGI was passing the authentication
info through to flask. This answer to a different question was very
helpful (it shows you how to see everything WSGI is providing before
it gets to flask):
https://stackoverflow.com/a/1151129/1956954
When I list the WSGI info as per that answer, it didn't have the
user information. But that turned out to be because the setup for
apache basic authentication in the relevant sites-enabled apache
config file was configured for the document root (a htdocs folder).
Since I'm using WSGI to redirect the relevant requests to a folder
outside of the document route, I didn't actually have authentication
turned on for my page. (And I didn't notice that because I had accessed
some pages under htdocs, been forced to authenticate, and assumed that
I wasn't being asked to authenticate when I went to my flask pages
because the authentication had been cached).
Creating another section in the relevant apache sites-enabled
file setting up authentication for my flask directories enabled authentication
Currently, I have decided to use Drupal as the primary login area where users can do stuff. Problem is, I want to automatically allow for the logging in of users using their cpanel, whm or whmcs login details. Anyone?
I really don't suggest you to do this.
You will only introduce more risks to all your systems, even if Drupal is a very secure system.
There are sometimes authentication security issues, with cPanel drupal and whmcs. Now, imagine those security issues + the ones of drupal, + the ones on whmcs...
...with all these insecurity layers combined, it's a real security bomb, and not something that will help your customers that much you are going to create. ...plus your modules for this will probably experience someday security issues also.
I suggest to take a look at other web hosts : if they don't do this, and if even whmcs do not bridge with vbulletin on their own website, there is a reason for this! ;-)
There seems to be no module for this.
Also Drupal seems not to provide a direct way to connect 3rd party login systems.
Having a look at the LDAP integration (file ldapauth.module) in the package, you can use the hook hook_form_alter. The check whether the form is using user_login_authenticate_validate in the validate entry and replace it with their own authentication function.
Basically you can use the ldapauth.module file as a basis and start with the ldapauth_login_authenticate_validate function.
In this function you have to add code that uses $form_values['name']; and $form_values['pass'] and verify them against your cPanel database.
A completly different approach would be to write a cPanel module to create Drupal users and update the accounts. To get started you can have a look at writing cPanel modules.
I have a website on Win 2008 and IIS7. Some directories have admin specific pages and I don't want regular site users to be able to access them.
What I would like is, if the user tries to load a page from a specific directory, for the site to popup a windows authentication window if the user has not not already authenticated.
Can this be done? Preferably just by setting web.config keys?
Yes, use <location></location> tags to override the current IIS settings at that level and set new ones.
Reference: http://msdn.microsoft.com/en-us/library/b6x6shw7(v=vs.100).aspx