What about a more generic version of the prior question:

Assuming one already has an Apache (httpd) based site using the "HTTP Basic Authorization" feature in Apache, what is the technique for allowing already authenticated users to use that same authentication in XWiki? This assumes some means of mapping the basic auth name to the XWiki user name, which is trivial.

In other words you could use something like mod_auth_mysql to allow password-based access to restricted portions of a website (or the entire thing if .htaccess at toplevel) via Apache. More security or extranet access can be granted via mod_ssl combined with client certificates & "fake basic authentication": in other words you have an external table mapping the client-certificate's DN, which can be an elaborate string like
"/O=ufl.edu/OU=Employees/C=US/O=University of Florida/CN=ANDREW MEYER/Email=dontasemebro@ufl.edu|"
and this would provide authentication for user 'Xwiki.AndrewMeyer' and grant that user access based on the associated XWiki account.

With the advent of https://www.myopenid.com the latter client-certificate, SSL-based authentication ought to be considered as a nice "universal login identity"....  IMHO it provides a consistent way of handling identity across a wide variety of sites.

In the past I've set up http://ipssources.com which uses 2-factor auth via HP "Digital Badge" -- similar can be achieved, much more easily, and cheaply, via MyOpenID. Their system is indeed like HP's "digital badge" except that it's free and works across multiple websites.

MyOpenID has the potential of being a useful service if it catches on.... When I used it, it smoothly sent me a client-cert and appears to provide a decent API for management:

You have the following certificates:

Label      Serial Number   Created                      Revoked
gnuvelle   BF1E            2008-02-11 16:32:29.195635   Revoke this Certificate

Thus making the potentially-difficult task of issuing and installing client certificates in the user's browser a no-brainer (at least in Firefox). If they've correctly handled the MS/vs-the-world issues so that IE and Netscape and Mac users can access the web as ubiquitously as advertised, they've won most of the "client auth" battle IMHO....

-- Niels
http://nielsmayer.com
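
The DN-to-user mapping described in the message above, sketched as an added example (not part of the original post and not XWiki code). The table contents, the example.org DNs and the function names are constructed for illustration; the input is the subject DN that mod_ssl's fake basic authentication hands over as the user name.

```python
import re

# Constructed mapping table (assumption): full certificate subject DN -> XWiki user.
DN_TO_XWIKI = {
    "/O=example.org/OU=Employees/C=US/CN=ALICE EXAMPLE/Email=alice@example.org":
        "XWiki.AliceExample",
}

XWIKI_USER = re.compile(r"XWiki\.[A-Za-z0-9]+")


def parse_dn(dn):
    """Split an OpenSSL one-line DN into ordered (type, value) pairs.

    Order and repeated types (two O= entries, say) are preserved. Returns None
    for anything that is not a clean sequence of /type=value components.
    """
    if not dn.startswith("/"):
        return None
    pairs = []
    for part in dn[1:].split("/"):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            return None  # e.g. a stray "/" inside a value: fail closed
        pairs.append((attr.strip(), value.strip()))
    return pairs


def canonical(pairs):
    """Rebuild the DN so table keys and incoming DNs compare byte for byte."""
    return "".join("/%s=%s" % (a, v) for a, v in pairs)


def xwiki_user_for(remote_user, table=DN_TO_XWIKI):
    """Map the DN received as the Basic-auth user name to an XWiki user.

    The whole DN is the key. Matching on CN alone would let a certificate from
    a different organisation with the same common name take over the account.
    """
    pairs = parse_dn(remote_user or "")
    if pairs is None:
        return None
    user = table.get(canonical(pairs))
    if user is None or not XWIKI_USER.fullmatch(user):
        return None
    return user
```

Anything that does not parse cleanly or is not in the table maps to no user at all, so an unknown certificate is never given a fallback account.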


On Sat, Mar 15, 2008 at 8:47 PM, Glenn Everitt <Glenn.Everitt@compuware.com> wrote:

Thanks for the advice on changing the global.vm, sadly the authentication is
proprietary and wouldn't help anyone else.  Thanks again. - Glenn Everitt


Ludovic Dubost-2 wrote:
>
>
> Hi,
>
> There is no chance the XWiki logout page is going to have any effect
> when you are using Apache level auth.
> Best is just to change the global.vm and link to your logout page with
> the xredirect param and have your logout page redirect to that url in
> the xredirect param.
>
> What type of authentication are you using in your server ? If it's a
> non-proprietary one, it might be nice to document your config on
> xwiki.org.
>
> Ludovic
>
> Glenn Everitt wrote:
>> I am using Apache level authentication and the
>> AppServerTrustedAuthServiceImpl using getRemoteUser to get into XWiki and I
>> have this working. I need to call something like a logout.jsp to invalidate
>> the session and cleanup.  I thought I should use the
>> xwiki.authentication.logoutpage=/[^/]+/logout/*
>> in xwiki.cfg.  I can't tell what this is doing and whether it is related to
>> ...
>>
>> The velocity template global.vm seems to generate the logout link on the
>> main menu.
>> #set($logouturl = $xwiki.getURL("XWiki.XWikiLogout","logout",
>> "xredirect=$util.encodeURI($logredir)"))
>>        $!logouturl $!msg.get("logout") #sep()
>>
>> Any clues on how to handle logout would be greatly appreciated.
>>
>> Thanks
>> Glenn Everitt
>>
>>
>
>
> --
> Ludovic Dubost
> Blog: http://blog.ludovic.org/
> XWiki: http://www.xwiki.com
> Skype: ldubost GTalk: ldubost
>
> _______________________________________________
> devs mailing list
> devs@xwiki.org
> http://lists.xwiki.org/mailman/listinfo/devs
>
>

--
View this message in context: http://www.nabble.com/logout-tp16040945p16075537.html
Sent from the XWiki- Dev mailing list archive at Nabble.com.