Menu
▾
▴
phpwiki-talk
|
From: Reini U. <ru...@x-...> - 2004-01-22 02:35:39
|
Hi
I'm just finishing the new wikiuser authcode and came to this question:
In the current code the authentification methods are "stacked", that
means, that the methods are searched in a predefined search order
(e.g. Anon or Bogo or HomePage password => ldap => imap => http_auth).
The first method which returns true is taken. False is only returned if
all defined methods will fail.
With my new code we allow even more auth methods:
internal db, external db, file
Now how should the admin configure his authentification:
1) Should he be able to define the search order?
2) Should he be able to define stacked (policy c) or strict (policy b)
or pre-defined method order (policy a)?
The problem is that the user may exist with the current method but the
password is wrong, which brings him to the next method. This might not
be wished for certain auth methods were the username and password must
match and no other methods may be tried if the username exists in the
databse but with the wrong password. For example the database password
is wrong, but a file password matches is ok.
Currently the order of first three methods is fixed:
Anon if defined, Bogo if defined, User if defined.
Those three methods are stacked.
With the new methods in the new auth classes (called if
ALLOW_USER_PASSWORDS is defined and the previous methods failed) one
could define policy c: a stacked scheme ("try next method if it fails"),
or policy b: a stricter scheme ("check user and if she exists the
password, on failure try no other methods").
To make thing even more complicate my current code makes use of only one
pre-defined external auth method (policy a), which simply upgrades the
user class in the constructor, and not in the checkUser() or
UserExists() methods.
How to define the auth policies in index.php?
One could easily define a new config variable like
define('FAIL_ON_WRONG_PASSWORD',true);
which defines the strict scheme, and if not defined
the stacked scheme will be used.
The simple problem is that then we will have to define one more method
for all user classes:
$user->UserExists():
Currently we need only ->checkPass() and optionally ->storePass().
The code for a simple predefined scheme, (not-stacked) scheme is now
ready, were only one auth method is predefined, for all users.
--
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/
|
|
From: Tony L. <la...@is...> - 2004-01-22 03:02:39
|
Spotted what seems to be a very strange bug. Confirmed that Russian small letters "Ye" and "l", input together (Ye + l) makes the system generate <u></u> on either side. I was able to offset it by putting ~ in front. Very strange. -- Tony Laszlo irc://irc.freenode.net/issho http://www.issho.org/LaszloBlog |
|
From: Joby W. <joby@u.washington.edu> - 2004-01-22 15:38:02
|
For actual authentication, I think we should avoid the stacked system. But we
probably want to keep the stacking of Anon and Bogo if they are defined.
jbw
Reini Urban wrote:
> Hi
> I'm just finishing the new wikiuser authcode and came to this question:
>
> In the current code the authentification methods are "stacked", that
> means, that the methods are searched in a predefined search order
> (e.g. Anon or Bogo or HomePage password => ldap => imap => http_auth).
>
> The first method which returns true is taken. False is only returned if
> all defined methods will fail.
>
> With my new code we allow even more auth methods:
> internal db, external db, file
>
> Now how should the admin configure his authentification:
> 1) Should he be able to define the search order?
> 2) Should he be able to define stacked (policy c) or strict (policy b)
> or pre-defined method order (policy a)?
>
> The problem is that the user may exist with the current method but the
> password is wrong, which brings him to the next method. This might not
> be wished for certain auth methods were the username and password must
> match and no other methods may be tried if the username exists in the
> databse but with the wrong password. For example the database password
> is wrong, but a file password matches is ok.
>
> Currently the order of first three methods is fixed:
> Anon if defined, Bogo if defined, User if defined.
> Those three methods are stacked.
>
> With the new methods in the new auth classes (called if
> ALLOW_USER_PASSWORDS is defined and the previous methods failed) one
> could define policy c: a stacked scheme ("try next method if it fails"),
> or policy b: a stricter scheme ("check user and if she exists the
> password, on failure try no other methods").
> To make thing even more complicate my current code makes use of only one
> pre-defined external auth method (policy a), which simply upgrades the
> user class in the constructor, and not in the checkUser() or
> UserExists() methods.
>
> How to define the auth policies in index.php?
>
> One could easily define a new config variable like
> define('FAIL_ON_WRONG_PASSWORD',true);
> which defines the strict scheme, and if not defined
> the stacked scheme will be used.
> The simple problem is that then we will have to define one more method
> for all user classes:
> $user->UserExists():
> Currently we need only ->checkPass() and optionally ->storePass().
>
> The code for a simple predefined scheme, (not-stacked) scheme is now
> ready, were only one auth method is predefined, for all users.
|
|
From: Reini U. <ru...@x-...> - 2004-01-23 18:16:20
Attachments:
index.excerpt
WikiUserNew.php
|
Since I liked all solutions I implemented all auth methods and policies, with the correct auth method dispatchers. It worked okay, until I disallowed ALLOW_ANON_USER (and/or ALLOW_BOGO_USER). since then we have no user object and therefore no pref object. This will need some more work. I added yet another auth policy "old", which mimics the current behaviour, and tries to be smart with the given auth options and available php functions. Attached is the corresponding index.php excerpt, and the new classes, without the minor neccessary main.php changes. developers: please review it. PS: maybe it's just me, but the cvs.sf.net ssh connection is very unstable in the last weeks, and I cannot do cvs up, cvs diff or cvs commit lib/WikiUserNew.php. and the host keys did change almost every day, which is a pain with openssh. Reini Urban schrieb: > Hi > I'm just finishing the new wikiuser authcode and came to this question: > > In the current code the authentification methods are "stacked", that > means, that the methods are searched in a predefined search order > (e.g. Anon or Bogo or HomePage password => ldap => imap => http_auth). > > The first method which returns true is taken. False is only returned if > all defined methods will fail. > > With my new code we allow even more auth methods: > internal db, external db, file > > Now how should the admin configure his authentification: > 1) Should he be able to define the search order? > 2) Should he be able to define stacked (policy c) or strict (policy b) > or pre-defined method order (policy a)? > > The problem is that the user may exist with the current method but the > password is wrong, which brings him to the next method. This might not > be wished for certain auth methods were the username and password must > match and no other methods may be tried if the username exists in the > databse but with the wrong password. For example the database password > is wrong, but a file password matches is ok. > > Currently the order of first three methods is fixed: > Anon if defined, Bogo if defined, User if defined. > Those three methods are stacked. > > With the new methods in the new auth classes (called if > ALLOW_USER_PASSWORDS is defined and the previous methods failed) one > could define policy c: a stacked scheme ("try next method if it fails"), > or policy b: a stricter scheme ("check user and if she exists the > password, on failure try no other methods"). > To make thing even more complicate my current code makes use of only one > pre-defined external auth method (policy a), which simply upgrades the > user class in the constructor, and not in the checkUser() or > UserExists() methods. > > How to define the auth policies in index.php? > > One could easily define a new config variable like > define('FAIL_ON_WRONG_PASSWORD',true); > which defines the strict scheme, and if not defined > the stacked scheme will be used. > The simple problem is that then we will have to define one more method > for all user classes: > $user->UserExists(): > Currently we need only ->checkPass() and optionally ->storePass(). > > The code for a simple predefined scheme, (not-stacked) scheme is now > ready, were only one auth method is predefined, for all users. -- Reini Urban http://xarch.tu-graz.ac.at/home/rurban/ |
|
From: Joby W. <joby@u.washington.edu> - 2004-01-23 21:07:08
|
Me too, I can't even get a cvs update to work. jbw Reini Urban wrote: > PS: maybe it's just me, but the cvs.sf.net ssh connection is very > unstable in the last weeks, and I cannot do > cvs up, cvs diff or cvs commit lib/WikiUserNew.php. > > and the host keys did change almost every day, which is a pain with > openssh. > |
|
From: Joby W. <joby@u.washington.edu> - 2004-01-23 21:14:19
|
http://sitedocs.sourceforge.net/status/support_sitestatus.html ( 2004-01-23 10:06:09 - Project CVS Service ) Developer CVS access will be offline for 2004-01-23, continuing in to the weekend, to permit the resync of data to complete; it was previously determined that developer CVS access had a severe impact on the speed of our data resync. Developer CVS access will be restored immediately after the sync completes. Your patience is appreciated. Questions and concerns may be directed to the SF.net team via Support Request. jbw |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X