HTTP authentication
Raised by
Adrianna Pinska
Date opened
Monday, 2 June 2008
I am running the wikipublisher server on my work intranet. Because of the setup of our webserver, I need to use HTTP authentication in all the page and image fetches. I have added this as an option to our local setup, and I would like to submit a proper patch to Wikipublisher so that we can upgrade safely in the future.

I had to make changes to the server code. In the configuration package, I added configuration for an http username and password (and a boolean setting to turn usage on and off). Then I needed to use these settings in all requests to fetch pages or images from the wiki.

It would be helpful if the wiki host could pass on the user’s credentials, if the user can access something that an unprivileged user can’t. It would make sense if, while fulfilling a request issued by a particular user, wikipublisher acted with the privileges of that user, and not an unprivileged user.

Proposed solution
At the moment, Wikipublisher supports PmWiki’s password-based security and configurations where the wiki server grants access to requests from the wikibook server’s IP address. Currently there is no built-in mechanism for passing a user name and password from the wiki to the wikibook server. To achieve this we propose to:
  • create a plug-in for PmWiki that passes a user name and encrypted password to the wikibook server as part of the PDF request
  • modify the wikibook server to detect the username, decrypt the password and add an HTTP authorization request to the GETs

It could be useful to add this functionality to Wikipublisher, if all the details can be worked out in a satisfying way. HTTP auth is relatively commonly used on company fileservers running Unix, and since I see PmWiki and Wikipublisher as attractive intranet apps, I think there’s a good chance that someone else will run into this problem. It can be very hard to convince sysadmins to poke a hole in a simple and elegant security setup. Giving the server the ability to authenticate seems the more “correct” solution.

Further investigation needed.
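
Both the report and the proposed solution have the wikibook server attach an HTTP Authorization header to its page and image GETs. As an added example (not Wikipublisher code; the setting names, host and credentials are constructed), this Python sketch scopes that header to the wiki's own origin, so an image URL pointing at another host never receives the credentials.

```python
import base64
from urllib.parse import urlsplit
from urllib.request import Request

# Assumed settings, modelled on the "username, password and on/off boolean"
# described in the report. Names and values are constructed for this example.
HTTP_AUTH = {
    "enabled": True,
    "username": "wikibook",
    "password": "example-password",
    "wiki_origin": "https://wiki.intranet.example",
}

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port) for an http(s) URL, or None if unusable."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:  # malformed host or port
        return None
    scheme = parts.scheme.lower()
    if scheme not in _DEFAULT_PORTS or not parts.hostname:
        return None
    if port is None:
        port = _DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def auth_header_for(url, cfg=HTTP_AUTH):
    """Return the Basic Authorization value for url, or None to send none."""
    if not cfg["enabled"]:
        return None
    target = _origin(url)
    # Exact scheme/host/port match: a look-alike host, a userinfo trick
    # (https://wiki...@other/) or a plain-http downgrade gets no credentials.
    if target is None or target != _origin(cfg["wiki_origin"]):
        return None
    raw = f'{cfg["username"]}:{cfg["password"]}'.encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_request(url, cfg=HTTP_AUTH):
    """Build the GET for a page or image, adding credentials only if allowed."""
    req = Request(url)
    header = auth_header_for(url, cfg)
    if header is not None:
        req.add_header("Authorization", header)
    return req
```

urllib's default redirect handling copies request headers to the new location, so a fetcher built on this should re-run the check on each redirect target.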
Date closed


Page last modified on 04 June 2008 at 10:10 AM