5 TWiki User Authentication.docx
TWiki User Authentication
TWiki site access control and user activity tracking options
∙ TWiki User Authentication
  o Overview
  o Password Management
  o User Mapping
  o User Registration
  o Login Management
    ▪ No Login (select none in configure)
    ▪ Template Login (select TWiki::Client::TemplateLogin in configure)
    ▪ Enabling Template Login
    ▪ Apache Login (select TWiki::Client::ApacheLogin in configure)
    ▪ Enabling Apache Login using mod_auth
    ▪ Logons via bin/logon
  o Sessions
    ▪ Getting, Setting, and Clearing Session Variables
    ▪ Cookies and Transparent Session IDs
  o TWiki Username vs. Login Username
  o Changing Passwords
  o Changing E-mail Addresses
  o Controlling access to individual scripts
How to choose an authentication method
Overview
Authentication, or "login", is the process by which a user lets TWiki know who they are.
Authentication isn't just to do with access control. TWiki uses authentication to identify users, so it can keep track of who made changes, and manage a wide range of personal settings. With authentication enabled, users can personalise TWiki and contribute as recognised individuals, instead of shadows.
TWiki authentication is very flexible, and can either stand alone or integrate with existing authentication schemes. You can set up TWiki to require authentication for every access, or only for changes. Authentication is also essential for access control.
Quick Authentication Test - Use the %USERINFO% variable to return your current identity:
∙ You are guest, TWikiGuest,
TWiki user authentication is split into four sections: password management, user mapping, user registration, and login management. Password management deals with how users' personal data is stored. Registration deals with how new users are added to the wiki. Login management deals with how users log in.
Once a user is logged on, they can be remembered using a Client Session stored in a cookie in the browser (or by other less elegant means if the user has disabled cookies). This avoids them having to log on again and again.
TWiki user authentication is configured through the Security Settings pane in the configure interface.
Please note FileAttachments are not protected by TWiki User Authentication.
Tip: TWiki:TWiki.TWikiUserAuthenticationSupplement on TWiki.org has supplemental documentation on user authentication.
Password Management
As shipped, TWiki supports the Apache 'htpasswd' password manager. This manager supports the use of .htpasswd files on the server. These files can be unique to TWiki, or can be shared with other applications (such as an Apache webserver). A variety of password encodings are supported for flexibility when re-using existing files. See the descriptive comments in the Security Settings section of the configure interface for more details.
You can easily plug in alternate password management modules to support interfaces to other third-party authentication databases.
User Mapping
Often when you are using an external authentication method, you want to map from an unfriendly "login name" to a more friendly WikiName. Also, an external authentication database may well have user information you want to import to TWiki, such as user groups.
By default, TWiki supports mapping of usernames to wikinames, and supports TWiki groups internal to TWiki. If you want, you can plug in an alternate user mapping module to support import of groups etc.
User Registration
New user registration uses the password manager to set and change passwords and store email addresses. It is also responsible for the new user verification process. The registration process supports single user registration via the TWikiRegistration page, and bulk user registration via the BulkRegistration page (for admins only).
The registration process is also responsible for creating user topics, and setting up the mapping information used by the User Mapping support.
Note: If you are restricting the entire Main web to TWikiGuest, you are required to add TWikiRegistrationAgent to ALLOWWEBCHANGE in your Main/WebPreferences. By doing so, new users are able to register without any errors.
Login Management
Login management controls the way users have to log in. There are three basic options: no login, login via a TWiki login page, and login using the webserver authentication support.
No Login (select none in configure)
Does exactly what it says on the tin. Forget about authentication to make your site completely public - anyone can browse and edit freely, in classic Wiki style. All visitors are given the TWikiGuest default identity, so you can't track individual user activity.
Note: This setup is not recommended on public websites for security reasons; anyone would be able to change system settings and perform tasks usually restricted to administrators.
Template Login (select TWiki::Client::TemplateLogin in configure)
Template Login asks for a username and password in a web page, and processes them using whatever Password Manager you choose. Users can log in and log out. Client Sessions are used to remember users. Users can choose to have their session remembered so they will automatically be logged in the next time they start their browser.
Enabling Template Login
1. Use the configure interface to
   1. select the TWiki::Client::TemplateLogin login manager (on the Security Settings pane).
   2. select the appropriate password manager for your system, or provide your own.
2. Register yourself in the TWikiRegistration topic.
   Check that the password manager recognises the new user. If you are using .htpasswd files, check that a new line with the username and encrypted password is added to the .htpasswd file. If not, you probably got a path wrong, or the permissions may not allow the webserver user to write to that file.
3. Create a new topic to check if authentication works.
4. Edit the TWikiAdminGroup topic in the Main web to include users with system administrator status.
   This is a very important step, as users in this group can access all topics, independent of TWiki access controls.
   TWikiAccessControl has more information on setting up access controls.
At this time TWikiAccessControls cannot control access to files in the pub area, unless they are only accessed through the viewfile script. If your pub directory is set up in the webserver to allow open access you may want to add .htaccess files in there to restrict access.
You can create a custom version of the TWikiRegistration form by deleting or adding input tags. The name="" parameter of the input tags must start with: "Twk0..." (if this is an optional entry), or "Twk1..." (if this is a required entry). This ensures that the fields are carried over into the user home page correctly.
You can customize the default user home page in NewUserTemplate. The same variables get expanded as in the template topics.
Apache Login (select TWiki::Client::ApacheLogin in configure)
Using this method TWiki does not authenticate users internally. Instead it depends on the REMOTE_USER environment variable, which is set when you enable authentication in the webserver.
The advantage of this scheme is that if you have an existing website authentication scheme using Apache modules such as mod_auth_ldap or mod_auth_mysql you can just plug in directly to them.
The disadvantage is that because the user identity is cached in the browser, you can log in, but you can't log out again unless you restart the browser.
TWiki maps the REMOTE_USER that was used to log in to the webserver to a WikiName using the table in TWikiUsers. This table is updated whenever a user registers, so users can choose not to register (in which case their webserver login name is used for their signature) or register (in which case that login name is mapped to their WikiName).
The same private .htpasswd file used in TWiki Template Login can be used to authenticate Apache users, using the Apache Basic Authentication support.
Warning: Do not use the Apache htpasswd program with .htpasswd files generated by TWiki! htpasswd wipes out email addresses that TWiki plants in the info fields of this file.
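The .htpasswd checks described in the Template Login steps and in the warning above can be scripted. This is an added example, not part of the TWiki documentation or TWiki's own code; it assumes each entry is laid out as login:hash:email (the e-mail address being the info field) and runs against a constructed sample file.

```python
import re
import sys

# Assumed layout (not stated on the page): login:password-hash:e-mail
EMAIL_RE = re.compile(r"^[^@\s:]+@[^@\s:]+\.[^@\s:]+$")

# Constructed sample. Line 3 looks like an entry rewritten by Apache's
# htpasswd program (info field gone); line 4 is not an entry at all.
SAMPLE = """\
JaneDoe:{SHA}CONSTRUCTED0HASH0VALUE000000=:jane@example.com
jsmith:$apr1$constrct$CONSTRUCTEDHASHVALUE00:john@example.com
OldAdmin:{SHA}CONSTRUCTED0HASH0VALUE000000=
broken line without separator
"""


def audit_htpasswd(text):
    """Parse .htpasswd content; return (entries, findings)."""
    entries, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) < 2 or not parts[0] or not parts[1]:
            findings.append((lineno, "malformed entry"))
            continue
        login, pw_hash = parts[0], parts[1]
        info = parts[2] if len(parts) == 3 else ""
        if login in entries:
            findings.append((lineno, login + ": duplicate login"))
        if not EMAIL_RE.match(info):
            findings.append((lineno, login + ": no e-mail in info field"))
        entries[login] = {"hash": pw_hash, "email": info}
    return entries, findings


def is_registered(text, login):
    """True if the password file has an entry for this login name."""
    return login in audit_htpasswd(text)[0]


if __name__ == "__main__":
    # Pass the path of your .htpasswd file, or run without arguments
    # to audit the constructed sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for lineno, problem in audit_htpasswd(data)[1]:
        print("line %d: %s" % (lineno, problem))
```

Run it after registering a test user and again after any maintenance on the file; an entry that newly reports a missing e-mail address is the symptom the warning describes.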
Enabling Apache Login using mod_auth
You can use any other Apache authentication module that sets REMOTE_USER.
1. Use configure to select the TWiki::Client::ApacheLogin login manager.
2. Use configure to set up TWiki to create the right kind of .htpasswd entries.
3. Create a .htaccess file in the twiki/bin directory.
   There is a template for this file in twiki/bin/.htaccess.txt that you can copy and change. The comments in the file explain what needs to be done.
   If you got it right, the browser should now ask for login name and password when you click on the Edit. If .htaccess does not have the desired effect, you may need to "AllowOverride All" for the directory in httpd.conf (if you have root access; otherwise, e-mail webserver support).
   At this time TWikiAccessControls do not control access to files in the pub area, unless they are only accessed through the viewfile script. If your pub directory is set up to allow open access you may want to add .htaccess files in there as well to restrict access.
4. You can create a custom version of TWikiRegistration by deleting or adding input tags. The name="" parameter of the input tags must start with: "Twk0..." (if this is an optional entry), or "Twk1..." (if this is a required entry). This ensures that the fields are carried over into the user home page correctly.
   You can customize the default user home page in NewUserTemplate. The same variables get expanded as in the template topics.
5. Register yourself in the TWikiRegistration topic.
   Check that a new line with the username and encrypted password is added to the .htpasswd file. If not, you may have got a path wrong, or the permissions may not allow the webser