• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

Item4487: As described in TWikiScripts auth protect rest

Item Form Data

AppliesTo: Component: Priority: CurrentState: WaitingFor: TargetRelease ReleasedIn
Engine   Normal Closed   minor 4.2.0

Edit Form Data

Reported By:
Applies To:
Current State:
Waiting For:
Target Release:
Released In:


TWikiScripts suggests to protect rest

So our suggested http config should show this then

Will also update the TWiki:TWiki.ApacheConfigGenerator

-- TWiki:Main/KennethLavrsen - 22 Aug 2007


Lavr> <SvenDowideit> Lavr, wasn't the rest script supposed to be added to the AuthScripts? - YES I added it to the apache auth. But not to the TWiki.spec because I was not sure about that.
<CDot> Lavr: it should not be added to AuthScripts in twiki.spec
<CDot> redirecting a rest script to a login page doesn't make much sense :-(
<Lavr> Good. Then I have not made anything wrong in that respect.


I think I dissagree. Adding the rest script to {AuthScripts} does not redirect to login - because RestCgi does not use UI::run - instead it implements its own set of oddities.

Releasing with RestCgi having totally different security settings depending on the LoginManager choice, is a security issue waiting to happen, And one that I recon we can fix.

I propose ammending the code in rest, so that it works similarly to the UI::run (ie, if listed in {AuthScripts} it will refuse to continue), and to add the getSession bits so that the ?username etc parameters are only needed if the user has not already got a session. (ok, i'll do it up to the point that major code changes are needed, and then cut our losses)

Crawford, Kenneth can you please comment?

-- TWiki/Main.SvenDowideit - 04 Sep 2007

I have never used rest - I have no clue how it works - so no oppinion from me. I reacted to a security email pointing to the fact that the documentation suggests to protect rest.

-- TWiki:Main.KennethLavrsen - 04 Sep 2007

Go for it. I split off rest from the normal UI::run process because of its unique requirements in the first place (the redirects were really screwing up my JS) so it should not be merged back; but it should respect config settings.

-- TWiki:Main.CrawfordCurrie - 05 Sep 2007

done, both return error on no-auth, and using sessions if they exist.

-- TWiki:Main.SvenDowideit - 15 Sep 2007

Summary As described in TWikiScripts auth protect rest
ReportedBy TWiki:Main.KennethLavrsen

SVN Range TWiki-4.2.0, Wed, 22 Aug 2007, build 14581
AppliesTo Engine

Priority Normal
CurrentState Closed

Checkins TWikirev:14592 TWikirev:14870
TargetRelease minor
ReleasedIn 4.2.0
Edit | Attach | Watch | Print version | History: r10 < r9 < r8 < r7 < r6 | Backlinks | Raw View |  Raw edit | More topic actions
Topic revision: r10 - 2008-01-22 - KennethLavrsen
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback