 |
Show Changes |
|
Edit |
|
|
|
Recent Changes |
|
Subscriptions |
|
Lost and Found |
|
Find References |
|
Rename |
|
Administration Page |
| Search |
History
| 2/11/2008 2:19:16 PM |
| -66.78.112.75 |
| 2/11/2008 2:17:33 PM |
| 203.144.144.164 |
| 2/11/2008 10:23:10 AM |
| -66.78.112.75 |
| 2/11/2008 9:34:13 AM |
| 196.201.151.6 |
| 2/11/2008 5:54:55 AM |
| -66.78.112.75 |
|
List all versions |
When running on a web server, FlexWiki can be configured to support various authentication mechanisms to identify visitors. FlexWiki was originally built to use Windows authentication, but it's recently been updated to support None authentication. Other IIS authentication modes will probably work but haven't been tried yet.
NOTE: - Build 1.8.0.1696 does not support Forms authentication. When viewing the source code for the login.aspx.cs, I noticed that the onclick event handler has no code. Forms authentication does seem to be present in build 1.8.0.1677, however. See comments below...
If you are running in a Windows network environment, you should configure your federation to use Windows authentication for visitors. To do this, you need to add two things to your web.config file.
First, declare that you wish the system to use Windows authentication. Second, indicate that requests should be authenticated. Third, tell IIS to impersonate the authenticated user:
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="?"/>
</authorization>
<identity impersonate="true"/>
See AccessControl for more information on setting IIS up for windows authentication.
If you don't want to use any authentication method, you should declare this in your web.config file.
<configuration>
<system.web>
<authentication mode="None" />
NOTE: - Build 1.8.0.1696 does not support Forms authentication. When viewing the source code for the login.aspx.cs, I noticed that the onclick event handler has no code. Forms authentication is present in build 1.8.0.1677, however. The support for forms authentication was accidentally removed in 1.8.0.1677, and was re-added in 1.8.0.1730 (an interim build).
If you want to use Forms authentication method, you should declare this in your web.config file. This will secure the entire wiki site. FlexWiki currently uses the web.config to contain the user credentials. Only Clear password format is supported currently.
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="Login.aspx">
<credentials passwordFormat="Clear">
<user name="bill@cox.net" password="password"></user>
</credentials>
</forms>
</authentication>
<authorization>
<deny users="?" /> <!-- Deny all anonymous users -->
</authorization>
Set the Security configuration key in the web.config as follows:
<!-- Security - Used for Forms and Namespace Security
Specify the type of security to use. Currently the only option is webconfig which indicates to
FlexWiki that the user crudentials are kept in the webconfig.
-->
<add key="Security" value="webconfig" />
(Note: This goes in the <appSettings> block.)
The above section on Forms Authentication, as mentioned, locks down the entire site. You can, however, modify your web.config to unlock specific functionality (pages) by specifying additional locations, and associated authorization, for those locations. For example,
<configuration>
<system.web>
... all of your existing config stuff that applies to the entire site as documented above...
</system.web>
<location path="default.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
In the sample above, we have given anonymous access (users="?") to the default.aspx page, thus allowing everyone to "see" the pages, however, when the user tries to edit (editwiki.aspx) the page, that location falls under the default settings defined earlier and are challenged to login.
Extending this simple example, you can add multiple <location> entries to authorize anonymous access to other functionality, such as printing (print.aspx) etc.
It is also possible to modify entire directories by changing the location's path attribute (example, <location path="admin"/>
, but my ISP does not allow simple access to change the IIS settings for virtual directories so I tend to stay away from this...
One last note, now the the entire site is locked down by default and some pages (default.aspx etc) are accessible by anonymous users, we can use some simple WikiTalk to modify the menu items that are listed on the left hand border. By modifying _NormalBorders (on your own site) and wrapping the menu items with
request.IsAuthenticated.IfTrue
{[
MenuItem("Show disconnected topics", "Lost and Found", federation.LinkMaker.LinkToLostAndFound(aTopic.Namespace.Name)),
MenuItem("Find references to this topic", "Find References", federation.LinkMaker.LinkToSearchFor(null, aTopic.Name)),
MenuItem("Rename this topic", "Rename", federation.LinkMaker.LinkToRename(aTopic.Fullname)),
]}
IfFalse
{
""
}
you can selectively hide some functionality from users that have no business playing with certain features.
-- Jeff McMahon (Oct 15, 2004)
Not available yet but is in the works. See FlexWikiSecurityProject for details.
If you are having problems with authentication just think of HappyThoughts.
Q: Seems like it is possible to limit edits to registered users using settings in web.config, inside tags <location path="default.aspx"> ... But this is not applicable for the button "Restore Version", because it uses default.aspx, which must be accessible to unregistered users too. I suggest changing POST target for that button for separate file. Or is there some way I could limit "Restoring Versions" using config file only, and without locking down entire site? 1. nov 2006.
Q: I found how to require users to log in using Forms, in order to edit pages, but how do they register at first place? There seems to be no such page/functionality? If it actually exists, What is its name (URL)? 1. nov 2006.
Q: Is there a way of giving different access rights to different users? (Non-authenticated users should have no access, some of the authenticated users read-only access, some of the authenticated users full access)
Tobias Sendel, Apr 27, 2005
Q: Is there a simple way to set the entire wiki read-only for unauthenticated users.
-- Richard Morris --- Dec 16, 2004.
A: See above: Unlocking specific parts ... Tobias Sendel, Apr 27, 2005
Q: I am having a hard time getting the HomePage running. Got everything installed and admin and namespace with editing function are running (Windows Authentication). Wanting to display to then start editing the HomePage I get http 403 error. Mikal Grimm (bullet) - 2004Nov08
A: I had the same problem until I added 'default.aspx' to the default documents list in the Virtual Directory Properties dialog of IIS. --Parker Whittle, May 28, 2005
Q: I want some pages to be viewed by anonymous user and some don't. What shld i do?
i tried it once by setting form based security. but it restricts all the pages to view.
Mandar
A: See the new section above on Unlocking specific paths in your site...
-- Jeff McMahon -- Oct 15, 2004.
A: I had the same problem until I granted write access to WikiBases to IUSR_<MACHINE NAME> and NETWORK SERVICE (or ASPNET if ! Windows Server 2003)
cbilson
Q: We added forms athentication. Logon page shows up, logging in takes us to default page, but when i try to edit i get error on page, object not found
or object required or something similar. I'm kinda stuck. I even tried thinking happy thoughts. Any help? Thanks -- ToddSturgeon, 2004-10-28
I launched a debugger and traced the offending line to a javascript function called setusername() in wikiedit.aspx. When I comment out the only line of code in that function,
//document.all("usersuppliername").value = document.all("usernameentryfield").value
then voila, edit seems to work. Normally, I wouldnt comment out a line without knowing what it does, but since I'm messin' with this Wiki thing.... Anyway, my guess is that since I have Forms authentication, it auto fills in the user name box and replaces it with a label showing the name you logged in as. Maybe since it know who you are it wont let you edit your user name, so it hides the textbox, and so that object is no longer available...................
Thoughts/comments appreciated. -- ToddSturgeon, 2004-10-28
Q: Are there plans to add db-based authentication? For instance, will it be possible to tell FlexWiki to use a certain DSN to connect to a database where we expect to find a Users table with username and passwords? -- Olorin
A: There may be plans, but the current rewrite will no doubt take some time. In the meantime, I have created some SQL based providers for the current security framework. Works on 1.8.0.1677, but not on 1696, if only because of the Login page issue noted below, and other code that has been removed in a clean-up. Drop me a mail for code if you want. DarrenSQLIS
'''NOTE: - Build 1.8.0.1696 does not support authentication. When viewing the source code for the login.aspx.cs, I noticed that the onclick event handler has no code (see source code snippet below):
private void logonButton_Click(object sender, System.EventArgs e)
{
}
Q: Will the login support be re-added? It is present in 1.8.0.1677, but appears to have been "removed" from build 1.8.0.1696. - DanGilleland
A: It was re-added in 1.8.0.1730.
NOTE: - If IIS is running on a Windows 2000 SP4 Domain Controller and configured to use the impersonation (Windows Authentication) you'll have the following error:
Access is denied.
Description: An unhandled exception occurred during the execution of the current web request.
Please review the stack trace for more information about the error and where it originated in
the code.
Exception Details: System.ApplicationException: Access is denied.
Source Error:
An unhandled exception was generated during the execution of the current web request.
Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[ApplicationException: Access is denied.
]
System.Security.Principal.WindowsIdentity._ResolveIdentity(IntPtr userToken) +0
System.Security.Principal.WindowsIdentity.get_Name() +71
System.Web.Configuration.AuthorizationConfigRule.IsUserAllowed(IPrincipal user, String verb) +106
System.Web.Configuration.AuthorizationConfig.IsUserAllowed(IPrincipal user, String verb) +81
System.Web.Security.UrlAuthorizationModule.OnEnter(Object source, EventArgs eventArgs) +181
System.Web.SyncEventExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +60
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87
You can fix it following the next KB from Microsoft:
Q
I tried adding this to the web.config file in FlexWiki
<location path="WikiBases/MyWiki/WikiPage.wiki">
<system.web>
<authorization>
<deny roles="AGroup" />
</authorization>
</system.web>
</location>
I want to restrict AGroup from viewing the page with WikiPage as title but failed.
Anyone has any idea on how to restrict specific FlexWiki pages to any user or groups?
Thanks!!
go!
