• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

Item5481: INCLUDE variable fails to authenticate (integrated) included page when using the fully qualified URL syntax

Item Form Data

AppliesTo: Component: Priority: CurrentState: WaitingFor: TargetRelease ReleasedIn
Engine INCLUDE Enhancement No Action Required TWiki:Main.CarlosTarazona n/a  

Edit Form Data

Summary:
Reported By:
Codebase:
Applies To:
Component:
Priority:
Current State:
Waiting For:
Target Release:
Released In:
 

Detail

-- TWiki:Main/CarlosTarazona - 28 Mar 2008

We are using Windows integrated authentication with the mod_auth_sspi module and ldap contrib to map to wiki names. Integrated authentication is work great but I think we've found a bug with how the INCLUDE variable is implemented. Basically, with integrated authentication the INCLUDE variable fails to authenticate the included page when using the fully qualified URL syntax. It does work when using the topic syntax however. My suspicion is that the credentials being passed to Active Directory are null with the included page and thus fails to authenticate. Note that the Apache service is running under domain admin credentials.

Our setup:

Windows 2003 server
Apache 2.2.4
Twiki 4.2 (used Twiki 4.2 installer for initial setup)

-- TWiki:Main/CarlosTarazona - 28 Mar 2008

Sorry, this is not a bug. This feature is not implemented, and for what I think are very good reasons. If you INCLUDE a topic, then TWiki performs access control itself, against the authorization of the current user. If you INCLUDE an URL, there's an extra HTTP transaction for which some sort of credentials need to be passed. There are two alternatives, neither of which is looking very attractive to me:

  • Pass the current reader's credentials: Acceptable from a security point of view. However, very difficult to implement for some authentication schemes, not implementable at all for e.g. HTTP digest authentication, and for sure not implemented in TWiki. For a workaround for this type of authorization forwarding, consider replacing the INCLUDE with an <iframe src="URL"/> element.
  • Pass the web server's credentials: This is highly dangerous. If the domain admin has some access rights which are different from the reader's, everyone can easily circumvent access control to URL by simply typing INCLUDE{URL} in a Sandbox topic.

Note that TWiki does "shortcut" INCLUDE{URL} to a local file read if the URL is identified as belonging to TWiki's own attachment space. If all you need is to apply the same shortcut to URLs from TWiki's topic space, then you should create a feature request in TWiki's Codev web.

-- TWiki:Main.HaraldJoerg - 30 Mar 2008

Agree with Haralds analysis

No Action

-- TWiki:Main.KennethLavrsen - 26 Jul 2008

ItemTemplate
Summary INCLUDE variable fails to authenticate (integrated) included page when using the fully qualified URL syntax
ReportedBy TWiki:Main.CarlosTarazona
Codebase 4.2.0
SVN Range TWiki-5.0.0, Sun, 09 Mar 2008, build 16496
AppliesTo Engine
Component INCLUDE
Priority Enhancement
CurrentState No Action Required
WaitingFor TWiki:Main.CarlosTarazona
Checkins

TargetRelease n/a
ReleasedIn

Edit | Attach | Watch | Print version | History: r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r3 - 2008-07-26 - KennethLavrsen
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback