From mariusdumitru.florea@xwiki.com Wed Mar  2 14:14:19 2016
From: Marius Dumitru Florea <mariusdumitru.florea@xwiki.com>
To: xwiki-users@xwiki.org
Subject: Re: [xwiki-users] Creating a seperate login page in a space that is
 not blocked (ie XWiki)
Date: Wed, 02 Mar 2016 15:14:17 +0200
Message-ID:
 <CALZcbBZ_-bG-yYzi768ke+k7ktSMbAC5QxgXcFn2SqWZEF0nkA@mail.gmail.com>
In-Reply-To: <56BB22B6.5050804@biggee.nl>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4390428448267550813=="

--===============4390428448267550813==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

On Wed, Feb 10, 2016 at 1:44 PM, Jan-Paul Kleijn <email(a)biggee.nl> wrote:

> Hi,
> Thanks for helping. My precise problem is that it is not possible to load
> the page XWiki.XWikiLogin with the use of XMLHttpRequest in javascript. I
> have tested this when logged in and when not logged in.
>
> This is the example code (from W3Schools.com, a little bit compressed):
>
> {{velocity}}
> {{html}}
>
> <h2>Using the XMLHttpRequest object</h2>
> <button type="button" onclick="loadXMLDoc()">Change Content</button>
> <p id="demo"></p>
>
> <script>
> function loadXMLDoc() {
>   var xmlhttp;
>   if (window.XMLHttpRequest) xmlhttp = new XMLHttpRequest();
>   else xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
>   xmlhttp.onreadystatechange = function() {
>     if (xmlhttp.readyState == 4 && xmlhttp.status == 200)
> document.getElementById("demo").innerHTML = xmlhttp.responseText;
>   };
>   xmlhttp.open("GET",
> "$xwiki.getURL('XWiki.XWikiLogin','login')?xpage=plain", true);
>   xmlhttp.send();
> }
> </script>
>
> {{/html}}
> {{/velocity}}
>
> This results in a console logged javascript error report stating a "401:
> Unauthorized" error.
>
> I have tried it with another page in the XWiki space and that page /can/
> be requested via GET.
>


> So I suspect it is not the space but the page (XWiki.XWikiLogin) that
> cannot be fetched via a GET request in javascript.
>

Have you tried accessing the XWiki.XWikiLogin page in view mode? i.e.
/xwiki/bin/view/XWiki/XWikiLogin . If you do you'll see that it doesn't
event exist. The login UI is defined in a Velocity template, login.vm,
which is associated with the 'login' action (that you specify in the URL).


>
> Regards,
> Jan-Paul
>
>
> Op 10-2-2016 om 10:31 schreef Eduard Moraru:
>
> Hi,
>>
>> On Mon, Feb 1, 2016 at 12:36 PM, Jan-Paul Kleijn <email(a)biggee.nl> wrote:
>>
>> Hi there,
>>> The login page of XWiki is situated in the XWiki space. From this space
>>> it
>>> is not possible to load pages with a XMLHttpRequest in javascript.
>>>
>>
>> Please be more precise on your original problem. What have you tried and
>> what has failed?
>>
>> The only particularity about the XWiki space is that it has a space-level
>> edit right restriction, allowing only XWikiAdminGroup to edit, but that`s
>> about it so I`m not sure you need to go through the trouble of creating a
>> new login page.
>>
>> Thanks,
>> Eduard
>>
>>
>> I want to work around this by creating a seperate login page with exactly
>>> the same content as the current XWiki login page.
>>> I would like to know if this will pose a security risk or not. I do not
>>> understand why it should but I am asking you to make sure I am not
>>> forgetting anything.
>>>
>>> If you like I can share the procedure with you because I think it can be
>>> an improvement over the current situation.
>>>
>>> Kind regards,
>>> Jan-Paul Kleijn
>>> _______________________________________________
>>> users mailing list
>>> users(a)xwiki.org
>>> http://lists.xwiki.org/mailman/listinfo/users
>>>
>>> _______________________________________________
>> users mailing list
>> users(a)xwiki.org
>> http://lists.xwiki.org/mailman/listinfo/users
>>
>
> _______________________________________________
> users mailing list
> users(a)xwiki.org
> http://lists.xwiki.org/mailman/listinfo/users
>

--===============4390428448267550813==--