xwiki-devs

xwiki-devs@xwiki.org

9400 discussions

Re: [xwiki-devs] Access password of current user

by David Delbecq

Indeed, i forgot that in http/basic auth, user/pass are provided by browser on each and every request made to server. This solves my problem on finding the user / pass and i don't have to keep it in memory. Since i can use container based security + jboss basic auth, i suppose this solves my issue without requiring complex trust services. Will give it some tries. Thank you. ----- Mail original ----- De: "Jerome Velociter" <jerome(a)winesquare.net> À: "XWiki Developers" <devs(a)xwiki.org> Envoyé: Mercredi 20 Juin 2012 10:33:58 Objet: Re: [xwiki-devs] Access password of current user On Wed, Jun 20, 2012 at 9:54 AM, David Delbecq <david.delbecq(a)meteo.be>wrote: > > Hello all, > > if someone has access to restricted xwiki area (escalation or any other > way), this someone could just create a javascript wiki page using > skinextension, that will grab password from login form and send it anywhere > in the wiki for later retrieval. So i don't feel like i create any security > hole there. > If a user has access to the server, he could just feed it with it's own > XwikiAuthService or LDAP server that record password before forwarding to > real ldap server. > For me none of this arguments legitimize storing passwords in clear. > > Our company has no kerberos, ntlm, etc server running, so i can't easily > use such solution. Removing password for authentication on background > service is no option either, as wiki will be a portal to those services, > but some operation still need user to navigate to those services. For > example, a webdav service: listing in xwiki page of a folder content should > be done using xwiki current user's priviledges (xwiki is the http client), > but when user want to retrieve a specific file or want to mount the webdav > service on his workstation, he access the webdav service directly. > > Using "unsecure" password is no option either, all users in the company > are supposed to use same password for all services (ldap central > authentication). > > > > Keep in mind, the only things i have write access to is a few jboss > servers, their configuration, and the webapp running on them. All > applications (except unfortunately xwiki) use container based > authentication. I already replied to say XWiki supports container based authentication throught the AppServerTrusted authenticator. What's missing ? If someone has doc on how to forward credentials from one webapp to another > over http(s), i'll be glad to prefer it If you use container based authentication, I imagine you should be able to copy over the authorization header from the originating request to the one you create in your HTTP client (since I understand you are making HTTP calls to the tiers apps). Jerome > , but the only documentions on jboss/sso i have found so far assume all > request come from browser! Kerberos or similar service, while a good > solution as supported by jboss (but "experimental" in xwiki), afaik, > requires to add additionnal schemas to ldap so tickets can be stored. And i > know from experience that if i request such service installed and > configured on our central server, i am not sure to get them before next > year. > > > I understand your concerns, i do not like the idea of storing password in > memory. But i see no viable solution for now to have our xwiki be a portal > to various services on behalf of it's current user. > > Thank you > David Delbecq > ----- Mail original ----- > > De: "Jerome Velociter" <jerome(a)winesquare.net> > À: "XWiki Developers" <devs(a)xwiki.org> > Envoyé: Mardi 19 Juin 2012 15:16:54 > Objet: Re: [xwiki-devs] Access password of current user > > On Tue, Jun 19, 2012 at 2:58 PM, David Delbecq <david.delbecq(a)meteo.be > >wrote: > > > Hello, > > > > > > unfortunately, we don't have any explicit sso service currently running. > > In the past, we simply asked the container (tomcat) to manage > > authentication of users for all our webapplication and we followed tomcat > > directions on how to share principal for all applications ( > > > http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html#Single_Sign_On_Va… > ). > > This works well when all application use container authentication and the > > only client is the user's web browser. Unfortunately, things will change > as > > we will base our intranet on xwiki instead of having separate spread > > applications the user needs to connect to. This mean the web server (now > > jboss) will be the http client of all other services, and thus realm > based > > sso won't work. For some of those service we use generic technical > account, > > so no problem, we just store the password. But for some other, we must > > transmit the user / password of current xwiki user so xwiki is seen by > this > > service as this user. > > > > And none of those behind the scene applications were ever configured to > > use kerberos or anything alike. Moreover, i would like to avoid the > > nightmare of maintaining such a service when simply forwaring user / pass > > to next service would solve my problems :) > > > > Storing plain-text user password is never a good idea, be it on the > database, filesystem or in memory. > > If you store passwords in the session, some XWiki applications could read > them, someone in your organization with programming access level can access > them, a hacker that escalate to have access to the machine or to > programming rights in the application can read them, etc. > > Jerome > > > > > > > Regards, > > David Delbecq > > > > ----- Mail original ----- > > > > De: "Guillaume Lerouge" <guillaume(a)xwiki.com> > > À: "XWiki Developers" <devs(a)xwiki.org> > > Envoyé: Mardi 19 Juin 2012 14:40:16 > > Objet: Re: [xwiki-devs] Access password of current user > > > > Hi David, > > > > which SSO service dou you use internally? XWiki authenticators already > > exist for CAS, Kerberos and NTLM, maybe you could draw inspiration from > > them. > > > > Guillaume > > > > On Tue, Jun 19, 2012 at 1:54 PM, David Delbecq <david.delbecq(a)meteo.be > > >wrote: > > > > > > > > Hello, > > > > > > I was hoping that somehow, when submitted via the form, password gets > > > recorded until the end of the session. We can't afford, for the sake of > > > user experience, to ask password every time user need to access a > hidden > > > system he is not even supposed to know is separate from the wiki. > That's > > > why we are writing some macro / components so that it's xwiki that > access > > > those system for him. This include various webservices, a documents > > storage > > > and so on. We try to keep a single sign on policy. Of course, i don't > > want > > > user password stored anywhere on disks, but keeping it in user session > > > seems a good trade-of for me. > > > > > > I plan thus to create my onw xwikiauthservice that delegates to ldap > > > service and store this in user session. > > > > > > > > > ----- Mail original ----- > > > > > > De: "Jerome Velociter" <jerome(a)winesquare.net> > > > À: "XWiki Developers" <devs(a)xwiki.org> > > > Envoyé: Mardi 19 Juin 2012 11:53:42 > > > Objet: Re: [xwiki-devs] Access password of current user > > > > > > Hi, > > > > > > Fortunately, you can't. You can only access/verify a hashed version of > > > the password. > > > > > > Note that asking for a password again is not necessarily a bad UX, > > > especially if it is to allow access to a sensitive area/operation. > > > > > > Cheers, > > > Jerome. > > > > > > On Tue, Jun 19, 2012 at 11:39 AM, David Delbecq < > david.delbecq(a)meteo.be> > > > wrote: > > > > > > > > Hello, > > > > > > > > i am writing a component that need a password. Because this password > > > will be the same for current user as the one he used to log-in, it > would > > > make for crappy interface ot ask it again to user. So i need to know > how > > my > > > component or a groovy script can access the username / password of > > current > > > logged-in user. > > > > > > > > Thank you. > > > > > > > > > > > > David Delbecq > > > > > > > > _______________________________________________ > > > > devs mailing list > > > > devs(a)xwiki.org > > > > http://lists.xwiki.org/mailman/listinfo/devs > > > > > > > > > > > > -- > > > Jérôme Velociter > > > Winesquare > > > http://www.winesquare.net/ > > > _______________________________________________ > > > devs mailing list > > > devs(a)xwiki.org > > > http://lists.xwiki.org/mailman/listinfo/devs > > > > > > _______________________________________________ > > > devs mailing list > > > devs(a)xwiki.org > > > http://lists.xwiki.org/mailman/listinfo/devs > > > > > _______________________________________________ > > devs mailing list > > devs(a)xwiki.org > > http://lists.xwiki.org/mailman/listinfo/devs > > _______________________________________________ > > devs mailing list > > devs(a)xwiki.org > > http://lists.xwiki.org/mailman/listinfo/devs > > > > > > -- > Jérôme Velociter > Winesquare > http://www.winesquare.net/ > _______________________________________________ > devs mailing list > devs(a)xwiki.org > http://lists.xwiki.org/mailman/listinfo/devs > > _______________________________________________ > devs mailing list > devs(a)xwiki.org > http://lists.xwiki.org/mailman/listinfo/devs > -- Jérôme Velociter Winesquare http://www.winesquare.net/ _______________________________________________ devs mailing list devs(a)xwiki.org http://lists.xwiki.org/mailman/listinfo/devs

12 years, 7 months

[xwiki-devs] [ANN] XWiki Enterprise and XWiki Enterprise Manager 4.0.1 released

by Thomas Mortagne

The XWiki development team is pleased to announce the release of XWiki Enterprise and XWiki Enterprise Manager 4.0.1. Go grab it at http://www.xwiki.org/xwiki/bin/view/Main/Download This is a bugfix release for the 4.0 cycle. For more information see the Release notes at: http://www.xwiki.org/xwiki/bin/view/Main/ReleaseNotesXWikiEnterprise401 Thanks -The XWiki dev team

12 years, 7 months

[xwiki-devs] 转发: Chinese garbled problem in office-import

by idealhang

2012-06-20 idealhang 发件人：idealhang 发送时间：2012-06-19 17:55 主题：Chinese garbled problem in office-import 收件人："devs"<devs(a)xwiki.org> 抄送： HI I am using the latest xwiki and I need to use its office-import feature. Hower,I upload some chinese word and excel documents,the problem of chinese garbled comes out. The chinese titles are OK. but the chinese content is garbled . I install the xwiki-enterprise-installer-windows-4.1-rc-1.exe on the cn_windows_server_2008_r2_sp1_vl_build_x64_dvd_617396,and my openoffice is Apache_OpenOffice_incubating_3.4.0_Win_x86_install_zh-CN.exe. What should I do to solve the problem，I need your help. Thank you very much. 2012-06-19 idealhang

12 years, 7 months

Re: [xwiki-devs] [GSoC] Responsive Skin

by Jonathan Solichin

Hello friends, Caty, thanks for bringing up those points. My only concert is that the functionality is spread in multiple places. I was thinking of that as well just as i hit send. The export section should definitely be part of the page interest area to consolidate (should have moved that). Originally, I put the page functions under the section navigation (main, comments, attachments etc.) because I wanted to put it under the main section (and thus spliced in between the quicklinks and logo/search (global stuff)) since I thought that its presence is not needed 100% of the time. But now that I think about it, maybe it should be there 100% of the time because of the table of contents. What do you (guys) think? Also you now separated the menus in three parts: upper part, edit menu, > view menu. That's true. The original thought was that the edit (for page) should be on the page since it is a prominent action attached to the content. But maybe, since the meta data/view of the page is being consolidated on the right, I will move it there also. I am thinking that I will put the view/page edit into a subsection of the lighter page area (date modified/created etc.) in the sidebar since they are both current user actions. As for the upper part, I understand what you mean that it'd be nice to know what actions can be done, but I think it's ok that it's on top separated since they are not necessarily page specific action right? they act more on a global level? To resolve this, how about adding a pencil icon to these three things that allow for user action (or maybe even just a color change to differentiate actionable section). What do you think? Another thing is the breadcrumb: what is the difference between 'Page: > Platform Features' and 'Page Editing' ? Where am I now? What is the page's > title? 'Platform Features' of 'Page Editing'? i apologize, that breadcrumb is a bit erronous as a result of mishmashed samples. It should read: wiki: XWIKI Platform >> space: Features >> page: Page Editing. The page title, instead of "Wiki Home," should have been "Page Editing". Also for the mobile version you didn't clearly represented the difference > between the collapse/expanded states of gadgets like 'Welcome' and 'Spaces' > (they can be mistaken with headings). good call, i will add a + - to signify them. As for progress report. It unfortunate for me to have to say that this is harder/taking more time than expected. I am struggling at the moment to create the most efficient way to realize the design. A lot of the fluidity/interaction that I had hoped for seems to require a lot more codes than anticipated--that is: the use of javascript instead of native css/html. Even then there are a lot of conflicting codes that needs to be brought together. The complexity is sort of evident in research. Briefly you can check out fb/g+'s implementation. Facebook's approach utilizes a lot of js, and seems to falter when it is disabled (something i'm really worried about). It rewrites the page often (classes etc.) and writes css inline and so forth. G+ uses an even more interesting approach of using iFrames. It is true that this sidebar should not be as complicated as the ones that I am researching from, but as a result of the complexity of existing sidebars that I wish for our sidebar to be similar to (and thus super hard to reverse engineer and understand), and the relative shortage on this topic, I am having to research/experiment more than I expected. In any regards it is all very exciting, and I am getting to learn more than I expected on this project. This is the prototype that I am currently working on (def some bugs): http://jssolichin.com/xwiki/ There are bugs, but I really wanted to share what I had so far. Some of the things to test that I have been working on is the resizing of the side bar, the scrolling, resizing the browser and so forth. I know it is quite simple, but trying to figure out the correct method was/is a challenge. It's still a long ways to go, but I hope that things will get a lot faster since one of the core features/points of this skin is this sidebar. I know that it is not in the code styles of xwiki/implemented into xwiki yet, I think I might need to change the timeline with this development, to make room for this. Right now I'm trying to focus on quick dev, to see what's possible, and what will need a lot more work. On another side note, I am also still having trouble building xwiki from sources (the other half of my time). Just quickly, what environment are you guys using (in terms of OS/java)? I tried ubuntu, and now mint linux, but am still having some trouble with maven from terminal (following the guide on sona system) (i am able to build with eclipse, but I am not sure how to run it with jetty/hsqldb so I can access it on my browser?) Also, are you guys using oracle or openjdk? Thanks for all the support and help thus far, Jonathan Solichin

12 years, 7 months

[xwiki-devs] [VOTE] Add extension id in the MANIFEST.MF in WAR distributions

by Thomas Mortagne

Hi devs, Since I got some veto on http://markmail.org/message/feavtmfokcsaalpo lets cut all that in small peaces. The today's episode is about finding what is the war we are running it at runtime to list it in the core extensions (among other things it allows to check for available updates). Like the JAR packages, a WAR contains pom.xml file, problem is that this pom.xml file is not in a "stable" location (META-INF/<groupId>/<artifactId>/pom.xml) and I can't find any generic way to scan a WAR like Reflection allows to scan jars files from the classpath. So as a last resort solution I propose to include the extension identifier in the METAINF.MF at build time. This will give me the entry point I need to find the pom.xml and gather more detailed informations about the war to put it as core extension. WDYT ? +1 -- Thomas Mortagne

12 years, 7 months

[xwiki-devs] DB Migration systems uses System.exit! Remove it

by Vincent Massol

Hi devs, I see that Denis has added the following: if ("1".equals(config.getProperty("xwiki.store.migration.exitAfterEnd", "0"))) { logger.error("Exiting because xwiki.store.migration.exitAfterEnd is set"); System.exit(0); This is really bad IMO since System.exit should never be used in JavaEE/Servlet apps. See also http://nemo.sonarsource.org/drilldown/violations/XWIKI?rids%5B%5D=367322&ru… One problem for example is that this will stop the full Servlet JVM so if XWiki runs in a Servlet container running several other webapps suddenly the whole Servlet container will go down! What should be done instead is to remove this "feature" which has no real meaning in a Servlet environment. I'm thus proposing to deprecate this feature. I don't even understand what use cases it brings. WDYT? Thanks -Vincent

12 years, 7 months

Re: [xwiki-devs] Access password of current user

by David Delbecq

Hello, I was hoping that somehow, when submitted via the form, password gets recorded until the end of the session. We can't afford, for the sake of user experience, to ask password every time user need to access a hidden system he is not even supposed to know is separate from the wiki. That's why we are writing some macro / components so that it's xwiki that access those system for him. This include various webservices, a documents storage and so on. We try to keep a single sign on policy. Of course, i don't want user password stored anywhere on disks, but keeping it in user session seems a good trade-of for me. I plan thus to create my onw xwikiauthservice that delegates to ldap service and store this in user session. ----- Mail original ----- De: "Jerome Velociter" <jerome(a)winesquare.net> À: "XWiki Developers" <devs(a)xwiki.org> Envoyé: Mardi 19 Juin 2012 11:53:42 Objet: Re: [xwiki-devs] Access password of current user Hi, Fortunately, you can't. You can only access/verify a hashed version of the password. Note that asking for a password again is not necessarily a bad UX, especially if it is to allow access to a sensitive area/operation. Cheers, Jerome. On Tue, Jun 19, 2012 at 11:39 AM, David Delbecq <david.delbecq(a)meteo.be> wrote: > > Hello, > > i am writing a component that need a password. Because this password will be the same for current user as the one he used to log-in, it would make for crappy interface ot ask it again to user. So i need to know how my component or a groovy script can access the username / password of current logged-in user. > > Thank you. > > > David Delbecq > > _______________________________________________ > devs mailing list > devs(a)xwiki.org > http://lists.xwiki.org/mailman/listinfo/devs -- Jérôme Velociter Winesquare http://www.winesquare.net/ _______________________________________________ devs mailing list devs(a)xwiki.org http://lists.xwiki.org/mailman/listinfo/devs

12 years, 7 months

[xwiki-devs] glancing through the optimization process

by Paul Libbrecht

Hello XWiki community, we are about to deploy our XWiki 3.5.1(+ a bit) on www.curriki.org and... well... we need to be sure the data migration is going to happen so we are trying this on our staging server. The first failure happened: after more than one day, the process finally ended complaining about a disk full (it was 90% full, only with OS and DB). The process became very slow with update queries that took longer and longer to update. Ok, first lesson learned, I should plan with an amount of free disk space. (for the record: our XWiki has 300'000 documents, 250'000 being users, the rest being learning resources, groups' activities or application files. Our production servers (one db, one apache, one xwiki, is made of Sun Fire X4600 Intel) while our staging servers (same) is made of Sun Fire T 2000 Sparc (slow but robust!)). But I'd like to plan better so that we get a downtime below 3h hopefully. Caleb was kind enough to indicate me https://github.com/xwiki/xwiki-platform/tree/master/xwiki-platform-core/xwi… as the place where most of the refactorings are made. However, I could not find: * where "create index" queries are run: we could run them before the system goes down (the one on xwikiattrecyclebin took more than an hour) * which query we could zap (where it locked was actually at the following SQL query: SELECT DISTINCT x3.xwd_id FROM xwikidoc x3 LEFT JOIN xwikiobjects x4 ON x3.xwd_fullname = x4.xwo_name WHERE x3.xwd_date >= '2012-06-18 20:30:05' AND (x3.xwd_web = 'XWiki' OR x3.xwd_web LIKE 'Coll_%') AND x3.xwd_name NOT IN ('WebHome', 'Favorites') AND x4.xwo_classname IN ('XWiki.XWikiUsers', 'CurrikiCode.AssetClass') ORDER BY x3.xwd_date asc LIMIT 250 * what is the sequence and how I could monitor the progress? (what is the "name" of the logger member of R40000XWIKI6990DataMigration.java for example? (being injected, I can have no clue reading the source. thanks in advance Paul

12 years, 7 months

[xwiki-devs] Apply the sheet specified on the request only to the requested document

by Marius Dumitru Florea

Hi devs, I opened http://jira.xwiki.org/browse/XWIKI-7942 (thanks to Anca). I'd like to change the behaviour of the SheetManager to return the sheet specified on the request only if the passed document is the requested document. This was my initial intention when I introduced the parameter but I overlooked the fact that it will be used 'recursively' for all included/displayed documents within a sheet. I don't see any real use case for the current behaviour so I'm considering it a bug. If someone is relying on this behaviour or sees a use case for it then please speak. Thanks, Marius

12 years, 7 months

[xwiki-devs] Access password of current user

by David Delbecq

Hello, i am writing a component that need a password. Because this password will be the same for current user as the one he used to log-in, it would make for crappy interface ot ask it again to user. So i need to know how my component or a groovy script can access the username / password of current logged-in user. Thank you. David Delbecq

12 years, 7 months

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

xwiki-devs