--
TWiki:Main/CarlosTarazona - 28 Mar 2008
We are using Windows integrated authentication with the mod_auth_sspi module and ldap contrib to map to wiki names. Integrated authentication is working great, but I think we've found a bug with how the INCLUDE variable is implemented. Basically, with integrated authentication the INCLUDE variable fails to authenticate the included page when using the fully qualified URL syntax. It does work when using the topic syntax, however. My suspicion is that the credentials being passed to Active Directory are null with the included page and thus it fails to authenticate. Note that the Apache service is running under domain admin credentials.
Our setup:
Windows 2003 server
Apache 2.2.4
Twiki 4.2 (used Twiki 4.2 installer for initial setup)
--
TWiki:Main/CarlosTarazona - 28 Mar 2008
Sorry, this is not a bug. This feature is not implemented, and for what I think are very good reasons. If you INCLUDE a topic, then TWiki performs access control itself, against the authorization of the current user. If you INCLUDE a URL, there's an extra HTTP transaction for which some sort of credentials need to be passed. There are two alternatives, neither of which is looking very attractive to me:
- Pass the current reader's credentials: Acceptable from a security point of view. However, very difficult to implement for some authentication schemes, not implementable at all for e.g. HTTP digest authentication, and for sure not implemented in TWiki. For a workaround for this type of authorization forwarding, consider replacing the INCLUDE with an <iframe src="URL"/> element.
- Pass the web server's credentials: This is highly dangerous. If the domain admin has some access rights which are different from the reader's, everyone can easily circumvent access control to URL by simply typing INCLUDE{URL} in a Sandbox topic.
Note that TWiki does "shortcut" INCLUDE{URL} to a local file read if the URL is identified as belonging to TWiki's own attachment space. If all you need is to apply the same shortcut to URLs from TWiki's topic space, then you should create a feature request in TWiki's Codev web.
--
TWiki:Main.HaraldJoerg - 30 Mar 2008
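The three cases described in the reply above (topic syntax, a URL in the wiki's own attachment space, any other URL), as a small Python model added here. It is not TWiki's code and not from any participant in this thread; `WIKI_HOST`, `PUB_PATH`, `ACL`, `can_view` and `plan_include` are assumed names and constructed values.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Assumed deployment values and a constructed ACL, for illustration only.
WIKI_HOST = "wiki.example.com"
PUB_PATH = "/twiki/pub/"  # URL prefix of the wiki's own attachment space
ACL = {"Sandbox.TestTopic": {"*"}, "Finance.Payroll": {"AliceAdmin"}}


def can_view(topic, reader):
    """Access check done by the wiki itself, against the current reader."""
    allowed = ACL.get(topic, set())
    return "*" in allowed or reader in allowed


def plan_include(target, reader):
    """Return (action, detail, authority) for one INCLUDE target.

    authority is the identity the decision is made or sent under. It is the
    reader or None, never the account the web server runs as.
    """
    parts = urlsplit(target)
    if not parts.scheme:
        # Topic syntax: no HTTP transaction, the wiki enforces the reader's rights.
        action = "render_topic" if can_view(target, reader) else "deny"
        return (action, target, reader)
    if parts.scheme not in ("http", "https"):
        return ("deny", target, None)
    # Decode and normalise first so "pub/../bin/view/..." cannot pass as an attachment.
    path = posixpath.normpath(unquote(parts.path))
    if parts.hostname == WIKI_HOST and path.startswith(PUB_PATH):
        # Own attachment space: shortcut to a local file read, nothing is sent.
        return ("read_local_file", path[len(PUB_PATH):], None)
    # Everything else is a separate HTTP transaction made without credentials,
    # so a target that demands authentication simply fails to load.
    return ("http_fetch_anonymous", target, None)


if __name__ == "__main__":
    for t in ("Finance.Payroll",
              "http://wiki.example.com/twiki/bin/view/Finance/Payroll",
              "http://wiki.example.com/twiki/pub/Main/Doc/a.txt"):
        print(t, "->", plan_include(t, "BobReader"))
```
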
Agree with Harald's analysis
No Action
--
TWiki:Main.KennethLavrsen - 26 Jul 2008