On Sun, Oct 26, 2008 at 9:11 AM, Asiri Rathnayake <asiri.rathnayake(a)gmail.com> wrote:
As I observed with DAVExplorer, nonce is actually used throughout a session. Upon login, the server generates a nonce value as below: nonce = MD5(client_ip,time_stamp,private_key); // source : [Adding Digest Access Authentication to a WebDAV Server <http://www.cs.columbia.edu/%7Ehgs/teaching/ais/1998/projects/WebDAV/report.…>] and sends this to the client. The client in turn uses this nonce value when generating the RESPONSE hash in all following requests.
... Which is why you can have an external "HTTPS-accessible shadow-login program" invoked once per DAV session, to change Xwiki's password to the MD5Password computed from the nonce/session-key. In my previous email I called this DAV login service "davlogin" (e.g. https://.../davlogin?user=foo&md5pass=0x0123456789ABCDEF )
Of course, this would have side-issues like making web-login to a user account in Xwiki difficult since the password would be set to the last session's Md5Password. I guess you could have another program "davlogout" to restore the normal Xwiki password. And another table in the db to store the regular password.
Yes it's a hack.
The next question is: is there a way to accomplish the exact same thing in code, to achieve the same goal but without the hack?
For example, by adding a new special parameter to any DAV-originated request, to enable authentication based on a new MD5Password column in the database. The MD5Password would be used for authentication for any requests using the special parameter (e.g. '?dav=true'). Basically the same code used currently that looks up the regular password in Xwiki should have a switch on "?dav=true" to select lookup using the MD5Password column or the regular password column. (A pretty simple and trivial/scopable change.)
Also needed: an external way of setting the user-associated entry in the new MD5Password column to the password for the current DAV session (akin to https://.../davlogin mentioned above).
This new MD5Password db column represents the MD5Passwords for all active DAV sessions on a given wiki, while the rest of xwiki continues to work the same with the old password mechanism, as long as you don't give the new parameter ?dav=true.
--
Niels
http://nielsmayer.com
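As an added illustration of the mechanism discussed in this thread (example code written for this page, not code from the thread, from XWiki or from the cited report): a session nonce generated as MD5(client_ip, time_stamp, private_key), the RFC 2617 response computation, and a verification path that authenticates a DAV request against a stored MD5Password (the RFC 2617 HA1) instead of the plaintext password. The `davlogin` function, the realm name, the in-memory stand-in for the MD5Password column and the private key are assumptions.

```python
import hashlib
import hmac

# Constructed server-side private key (assumption); a real server would load it from config.
PRIVATE_KEY = "example-private-key"
NONCE_MAX_AGE = 3600  # seconds a session nonce stays acceptable (assumed policy)


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_nonce(client_ip: str, timestamp: int) -> str:
    """Nonce built as in the cited report: MD5 over client IP, timestamp and a
    private key. The timestamp is prepended in the clear so the server can
    recompute the hash later without keeping per-session state."""
    digest = md5_hex(f"{client_ip}:{timestamp}:{PRIVATE_KEY}")
    return f"{timestamp}:{digest}"


def nonce_is_valid(nonce: str, client_ip: str, now: int) -> bool:
    """Reject nonces that were forged, presented from another IP, or are too old."""
    ts, _, _ = nonce.partition(":")
    if not ts.isdigit():
        return False
    fresh = 0 <= now - int(ts) <= NONCE_MAX_AGE
    return fresh and hmac.compare_digest(make_nonce(client_ip, int(ts)), nonce)


def md5_password(user: str, realm: str, password: str) -> str:
    """RFC 2617 HA1, i.e. the value the thread proposes keeping in an MD5Password column."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2) where HA2 = MD5(method:uri)."""
    return md5_hex(f"{ha1}:{nonce}:{md5_hex(f'{method}:{uri}')}")


# Constructed in-memory stand-in for the proposed MD5Password column: user -> HA1.
MD5PASSWORD_COLUMN: dict = {}


def davlogin(user: str, realm: str, password: str) -> None:
    """Hypothetical davlogin: store HA1 so DAV requests never need the plaintext password."""
    MD5PASSWORD_COLUMN[user] = md5_password(user, realm, password)


def verify_dav_request(user, client_ip, now, nonce, method, uri, response) -> bool:
    """The '?dav=true' branch: check the nonce, then the response against the stored HA1."""
    ha1 = MD5PASSWORD_COLUMN.get(user)
    if ha1 is None or not nonce_is_valid(nonce, client_ip, now):
        return False
    return hmac.compare_digest(digest_response(ha1, nonce, method, uri), response)
```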