On Mon, Nov 10, 2008 at 4:20 AM, eggenheimer <james.potter(a)gmail.com> wrote:
> Yes I guess sessions would probably be the best way to distinguish between
> different computers in this case. I don't know much java or the way xwiki is
> structured - can anyone point me in the right direction?

And now, for something completely different...
For reasons of security/configuration/etc, I typically "front" Java-based
web-apps with apache, and then redirect to Java via mod_proxy_ajp w/
"ProxyPass /xwiki/ ajp://127.0.0.1:8009/xwiki/"
Given such a configuration, I would consider looking into an external
apache authentication and access control module that can provide you with
the necessary limitations. One possibility is to use an external login
mechanism in apache which generates a random number ID via cookie; for any
subsequent accesses to the "protected access" URL, that ID/cookie must
be present before redirecting to xwiki via mod_proxy_ajp. This per-user
cookie ID would be
cleared if the given user logs out (via associated external login
mechanism), and no other logins would be allowed until the
'latest-login-cookie' was cleared. Only incoming requests presenting the
specific cookie/ID associated with the user will be passed on to
mod_proxy_ajp and in turn, java and Xwiki.
http://www.frogdot.org/mod_auth_mda/ is a good module to accomplish such
tasks:
-- <http://www.frogdot.org/logintools/pab/scheme1.gif>
This approach wouldn't care about IP address per se. The user could start
the transaction on a laptop plugged in to one network, disconnect, and
continue on a different one. On the other hand, if the user walked over to a
different computer, and didn't log out his last session, he couldn't log back
in w/o either going back to his old computer and logging out, or requesting
an administrator override.
Niels
http://nielsmayer.com
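
The single-active-session gate described in the message above, modelled as an added example (not part of the original post, and not mod_auth_mda's code or configuration). The class name, method names and the in-memory tables are assumptions made for illustration; a real front end would also send the cookie with the Secure and HttpOnly attributes.

```python
import hashlib
import secrets


def _digest(cookie):
    # Store only a hash so the server-side table never holds raw cookie values.
    return hashlib.sha256(cookie.encode()).hexdigest()


class SingleSessionGate:
    """Hypothetical gate in front of the proxy: one live session ID per user."""

    def __init__(self):
        self._by_user = {}    # username -> digest of the one live session ID
        self._by_digest = {}  # digest -> username

    def login(self, user, credentials_ok):
        # Refuse while an earlier session has not been cleared.
        if not credentials_ok or user in self._by_user:
            return None
        cookie = secrets.token_urlsafe(32)  # random ID from a CSPRNG
        self._by_user[user] = _digest(cookie)
        self._by_digest[_digest(cookie)] = user
        return cookie

    def authorize(self, cookie):
        # Username if the request may be passed to the backend, else None.
        return self._by_digest.get(_digest(cookie)) if cookie else None

    def logout(self, cookie):
        user = self.authorize(cookie)
        return self.admin_override(user) if user else False

    def admin_override(self, user):
        # Clear the latest-login ID so the user can log in again elsewhere.
        digest = self._by_user.pop(user, None)
        if digest is None:
            return False
        del self._by_digest[digest]
        return True


def walkthrough():
    # Constructed scenario: same cookie on a new network, then a second machine.
    gate = SingleSessionGate()
    first = gate.login("alice", True)
    out = {"same_cookie_passes": gate.authorize(first) == "alice",
           "second_login_refused": gate.login("alice", True) is None,
           "guessed_cookie_blocked": gate.authorize("guess") is None}
    gate.admin_override("alice")
    out["old_cookie_dead"] = gate.authorize(first) is None
    out["login_after_override"] = gate.login("alice", True) is not None
    return out
```

Because the check keys on the cookie alone, a change of client IP address does not affect it, while a stolen cookie would pass until logout or override.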