From email@biggee.nl Mon Feb  1 11:36:56 2016
From: Jan-Paul Kleijn <email@biggee.nl>
To: xwiki-users@xwiki.org
Subject: [xwiki-users] Creating a seperate login page in a space that is not
 blocked (ie XWiki)
Date: Mon, 01 Feb 2016 11:36:52 +0100
Message-ID: <56AF3544.4000800@biggee.nl>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4045203418917219132=="

--===============4045203418917219132==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Hi there,
The login page of XWiki is situated in the XWiki space. From this space 
it is not possible to load pages with a XMLHttpRequest in javascript. I 
want to work around this by creating a seperate login page with exactly 
the same content as the current XWiki login page.
I would like to know if this will pose a security risk or not. I do not 
understand why it should but I am asking you to make sure I am not 
forgetting anything.

If you like I can share the procedure with you because I think it can be 
an improvement over the current situation.

Kind regards,
Jan-Paul Kleijn

--===============4045203418917219132==--


From enygma2002@gmail.com Wed Feb 10 10:32:15 2016
From: Eduard Moraru <enygma2002@gmail.com>
To: xwiki-users@xwiki.org
Subject: Re: [xwiki-users] Creating a seperate login page in a space that is
 not blocked (ie XWiki)
Date: Wed, 10 Feb 2016 11:31:54 +0200
Message-ID:
 <CADGDyYKUteQtcYEkErxBivJz32KTzR0Rb-zWD=J0rpUkFkyqJQ@mail.gmail.com>
In-Reply-To: <56AF3544.4000800@biggee.nl>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2193973436905399585=="

--===============2193973436905399585==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Hi,

On Mon, Feb 1, 2016 at 12:36 PM, Jan-Paul Kleijn <email(a)biggee.nl> wrote:

> Hi there,
> The login page of XWiki is situated in the XWiki space. From this space it
> is not possible to load pages with a XMLHttpRequest in javascript.


Please be more precise on your original problem. What have you tried and
what has failed?

The only particularity about the XWiki space is that it has a space-level
edit right restriction, allowing only XWikiAdminGroup to edit, but that`s
about it so I`m not sure you need to go through the trouble of creating a
new login page.

Thanks,
Eduard


> I want to work around this by creating a seperate login page with exactly
> the same content as the current XWiki login page.
> I would like to know if this will pose a security risk or not. I do not
> understand why it should but I am asking you to make sure I am not
> forgetting anything.
>
> If you like I can share the procedure with you because I think it can be
> an improvement over the current situation.
>
> Kind regards,
> Jan-Paul Kleijn
> _______________________________________________
> users mailing list
> users(a)xwiki.org
> http://lists.xwiki.org/mailman/listinfo/users
>

--===============2193973436905399585==--


From email@biggee.nl Wed Feb 10 12:44:56 2016
From: Jan-Paul Kleijn <email@biggee.nl>
To: xwiki-users@xwiki.org
Subject: Re: [xwiki-users] Creating a seperate login page in a space that is
 not blocked (ie XWiki)
Date: Wed, 10 Feb 2016 12:44:54 +0100
Message-ID: <56BB22B6.5050804@biggee.nl>
In-Reply-To:
 <CADGDyYKUteQtcYEkErxBivJz32KTzR0Rb-zWD=J0rpUkFkyqJQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4678829089038916242=="

--===============4678829089038916242==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Hi,
Thanks for helping. My precise problem is that it is not possible to 
load the page XWiki.XWikiLogin with the use of XMLHttpRequest in 
javascript. I have tested this when logged in and when not logged in.

This is the example code (from W3Schools.com, a little bit compressed):

{{velocity}}
{{html}}

<h2>Using the XMLHttpRequest object</h2>
<button type="button" onclick="loadXMLDoc()">Change Content</button>
<p id="demo"></p>

<script>
function loadXMLDoc() {
   var xmlhttp;
   if (window.XMLHttpRequest) xmlhttp = new XMLHttpRequest();
   else xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
   xmlhttp.onreadystatechange = function() {
     if (xmlhttp.readyState == 4 && xmlhttp.status == 200) 
document.getElementById("demo").innerHTML = xmlhttp.responseText;
   };
   xmlhttp.open("GET", 
"$xwiki.getURL('XWiki.XWikiLogin','login')?xpage=plain", true);
   xmlhttp.send();
}
</script>

{{/html}}
{{/velocity}}

This results in a console logged javascript error report stating a "401: 
Unauthorized" error.

I have tried it with another page in the XWiki space and that page /can/ 
be requested via GET.
So I suspect it is not the space but the page (XWiki.XWikiLogin) that 
cannot be fetched via a GET request in javascript.

Regards,
Jan-Paul


Op 10-2-2016 om 10:31 schreef Eduard Moraru:
> Hi,
>
> On Mon, Feb 1, 2016 at 12:36 PM, Jan-Paul Kleijn <email(a)biggee.nl> wrote:
>
>> Hi there,
>> The login page of XWiki is situated in the XWiki space. From this space it
>> is not possible to load pages with a XMLHttpRequest in javascript.
>
> Please be more precise on your original problem. What have you tried and
> what has failed?
>
> The only particularity about the XWiki space is that it has a space-level
> edit right restriction, allowing only XWikiAdminGroup to edit, but that`s
> about it so I`m not sure you need to go through the trouble of creating a
> new login page.
>
> Thanks,
> Eduard
>
>
>> I want to work around this by creating a seperate login page with exactly
>> the same content as the current XWiki login page.
>> I would like to know if this will pose a security risk or not. I do not
>> understand why it should but I am asking you to make sure I am not
>> forgetting anything.
>>
>> If you like I can share the procedure with you because I think it can be
>> an improvement over the current situation.
>>
>> Kind regards,
>> Jan-Paul Kleijn
>> _______________________________________________
>> users mailing list
>> users(a)xwiki.org
>> http://lists.xwiki.org/mailman/listinfo/users
>>
> _______________________________________________
> users mailing list
> users(a)xwiki.org
> http://lists.xwiki.org/mailman/listinfo/users


--===============4678829089038916242==--


From mariusdumitru.florea@xwiki.com Wed Mar  2 14:14:19 2016
From: Marius Dumitru Florea <mariusdumitru.florea@xwiki.com>
To: xwiki-users@xwiki.org
Subject: Re: [xwiki-users] Creating a seperate login page in a space that is
 not blocked (ie XWiki)
Date: Wed, 02 Mar 2016 15:14:17 +0200
Message-ID:
 <CALZcbBZ_-bG-yYzi768ke+k7ktSMbAC5QxgXcFn2SqWZEF0nkA@mail.gmail.com>
In-Reply-To: <56BB22B6.5050804@biggee.nl>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4726221753985012584=="

--===============4726221753985012584==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

On Wed, Feb 10, 2016 at 1:44 PM, Jan-Paul Kleijn <email(a)biggee.nl> wrote:

> Hi,
> Thanks for helping. My precise problem is that it is not possible to load
> the page XWiki.XWikiLogin with the use of XMLHttpRequest in javascript. I
> have tested this when logged in and when not logged in.
>
> This is the example code (from W3Schools.com, a little bit compressed):
>
> {{velocity}}
> {{html}}
>
> <h2>Using the XMLHttpRequest object</h2>
> <button type="button" onclick="loadXMLDoc()">Change Content</button>
> <p id="demo"></p>
>
> <script>
> function loadXMLDoc() {
>   var xmlhttp;
>   if (window.XMLHttpRequest) xmlhttp = new XMLHttpRequest();
>   else xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
>   xmlhttp.onreadystatechange = function() {
>     if (xmlhttp.readyState == 4 && xmlhttp.status == 200)
> document.getElementById("demo").innerHTML = xmlhttp.responseText;
>   };
>   xmlhttp.open("GET",
> "$xwiki.getURL('XWiki.XWikiLogin','login')?xpage=plain", true);
>   xmlhttp.send();
> }
> </script>
>
> {{/html}}
> {{/velocity}}
>
> This results in a console logged javascript error report stating a "401:
> Unauthorized" error.
>
> I have tried it with another page in the XWiki space and that page /can/
> be requested via GET.
>


> So I suspect it is not the space but the page (XWiki.XWikiLogin) that
> cannot be fetched via a GET request in javascript.
>

Have you tried accessing the XWiki.XWikiLogin page in view mode? i.e.
/xwiki/bin/view/XWiki/XWikiLogin . If you do you'll see that it doesn't
event exist. The login UI is defined in a Velocity template, login.vm,
which is associated with the 'login' action (that you specify in the URL).


>
> Regards,
> Jan-Paul
>
>
> Op 10-2-2016 om 10:31 schreef Eduard Moraru:
>
> Hi,
>>
>> On Mon, Feb 1, 2016 at 12:36 PM, Jan-Paul Kleijn <email(a)biggee.nl> wrote:
>>
>> Hi there,
>>> The login page of XWiki is situated in the XWiki space. From this space
>>> it
>>> is not possible to load pages with a XMLHttpRequest in javascript.
>>>
>>
>> Please be more precise on your original problem. What have you tried and
>> what has failed?
>>
>> The only particularity about the XWiki space is that it has a space-level
>> edit right restriction, allowing only XWikiAdminGroup to edit, but that`s
>> about it so I`m not sure you need to go through the trouble of creating a
>> new login page.
>>
>> Thanks,
>> Eduard
>>
>>
>> I want to work around this by creating a seperate login page with exactly
>>> the same content as the current XWiki login page.
>>> I would like to know if this will pose a security risk or not. I do not
>>> understand why it should but I am asking you to make sure I am not
>>> forgetting anything.
>>>
>>> If you like I can share the procedure with you because I think it can be
>>> an improvement over the current situation.
>>>
>>> Kind regards,
>>> Jan-Paul Kleijn
>>> _______________________________________________
>>> users mailing list
>>> users(a)xwiki.org
>>> http://lists.xwiki.org/mailman/listinfo/users
>>>
>>> _______________________________________________
>> users mailing list
>> users(a)xwiki.org
>> http://lists.xwiki.org/mailman/listinfo/users
>>
>
> _______________________________________________
> users mailing list
> users(a)xwiki.org
> http://lists.xwiki.org/mailman/listinfo/users
>

--===============4726221753985012584==--