Temporary Fix for Download
This fix may be improved over time, but it works as it should.
--
TWiki:Main.KennethLavrsen
- 23 Jan 2007
I am running a TWiki where Apache takes care of the authentication from an LDAP server (not the LDAP plugin!). And there is no password manager.
When I lookup a URL like
http://ehc.comm.mot.com/twiki/bin/view/Sandbox/TestTopic1
Then I am prompted for a password which I enter.
The browser is then redirected to
http://ehc.comm.mot.com/twiki/bin/oops/Sandbox/TestTopic1/Sandbox/TestTopic1?template=oopsaccessdenied;def=no_such_web;param1=view
which creates a horrible garbage page
There is something very wrong in this redirect URL.
I am however now authenticated. If I look up the original URL
http://ehc.comm.mot.com/twiki/bin/view/Sandbox/TestTopic1
again then I am taken correctly to the page and all is working.
This repeats itself if I open a new browser window.
I cannot see what I have done wrong in the configuration. This is causing serious problems for us.
KJL
I can reproduce the problem with my test server at home without LDAP and just plain Apache login.
Just go to WebPreferences and set
   * Set DENYWEBVIEW = Main.TWikiGuest
This forces authentication on normal viewing. And then you end up with access denied.
The error I get is: The "Myweb/WebHome/Myweb" web does not exist
So there is a generic bug which urgently needs a fix
What code inserts the web name twice in the redirect?
KJL
If I look up the URL with viewauth instead of view the error does not occur. So the problem happens when view redirects to viewauth.
To reproduce
- Set up your TWiki with Apache Login instead of Template Login.
- Set a web up so guest has no read access by setting Set DENYWEBVIEW = Main.TWikiGuest in WebPreferences.
- Lookup a URL in this web. For example the WebHome
- Login with a valid username and password
- Observe the error.
KJL
I tracked down the bug to be within
lib/TWiki/Client/ApacheLogin.pm
I tried to put the TWiki4.0.5 version into my TWiki4.1.0 and then all works again.
KJL
Further narrowed down the difference.
It is the function
sub forceAuthentication {
that I need to downgrade to 4.0 to make it work again.
KJL
Found the code line. In
lib/TWiki/Client/ApacheLogin.pm
there is a codeline
$url .= '/' . $ENV{PATH_INFO} if $ENV{PATH_INFO};
which appends the extra web/topic to the URL. Why is this code line there? What was it intended to do? If I remove it, ApacheLogin seems to work. At least here at the office.
I will check this more when I come home to see that it also works on the home server.
KJL
I am testing my fix and so far it seems to be correct.
There are some conditions in the code that I cannot reproduce and therefore cannot test whether those combinations work. They may be nonexistent or may be used with a different web server than Apache. I cannot tell.
I just observed that even a simple ALLOWTOPICVIEW in a topic triggers the error. It seems we have all tested ALLOWTOPICCHANGE and not view for a long time.
KJL
Note that in a svn checkout you have to manually create a symbolic link called viewauth pointing to view to reproduce this. Here on bugs it seems to not be the case.
KJL
As far as I can see the
$url .= '/' . $ENV{PATH_INFO} if $ENV{PATH_INFO};
should probably not be deleted but moved up inside an else condition. I am still not sure where. But where it is now is wrong.
KJL
I have checked in what I believe is a fix. I compared with the 4.0.5 code and I think I understand what the code was supposed to do now. But I still need to investigate some strange behaviours.
- Why do URL parameters get listed twice when you use a URL with parameters?
- If I try to test for the two other conditions in the IF by making the first
if( $url && $url =~ s/\/$scriptName/\/${scriptName}auth/ )
false, then the URL gets the absolute path of the bin directory appended as a URL parameter. It does no harm. It works. Why is this appended and where does it come from?
There is some bug hiding behind the curtain.
KJL
I believe I understand. See
http://koala.ilog.fr/twikiirc/bin/irclogger_log/twiki?date=2007-01-29,Mon&sel=614#l610
CC
Fixed.
The following ended up being broken in this and
Item3533
In ApacheLogin.pm there are 3 different types of environments depending on Apache version and short URL setups.
- $url .= '/' . $ENV{PATH_INFO} if $ENV{PATH_INFO} was added in all 3 cases but is only needed in two of them. The result was that the web and topic name was appended twice in the most normal case.
- The query string was sent to the redirect. This was originally OK. But after Thomas Weigert added the feature that maintains the query string across redirects the query string needs to be stripped off since it is added later in the redirect function
- Typo: a code line was correct in the first code fix and later replaced by a new code line.
- The redirect did not work with script suffix. A regex was too greedy so that the script name became view.pl and the auth version became view.plauth
In the TWiki.pm redirect sub:
- A regex was run without checking if a match was happening. The result was that an unrelated value in $1 ended up appended as a query string, depending on what had occurred earlier in ApacheLogin.
Thanks to Crawford for helping find the latter. That was a tough one.
Fix has been merged into Patch04x01
--
TWiki:Main.KennethLavrsen
- 30 Jan 2007
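The four regressions summarised in the fix post (PATH_INFO appended twice, query string doubled, the script suffix swallowed by a greedy regex, and a stale $1 leaking into the redirect) modelled in a small Perl script. This is an added example, not TWiki's ApacheLogin.pm or TWiki.pm code; the input names REQUEST_URL, SCRIPT_NAME and PATH_INFO, the helper names, and the sample environments are assumptions built from the URLs quoted in the thread.

```perl
#!/usr/bin/perl
# Added example (not TWiki's code): models the redirect-URL bugs described
# in the thread. Input names, helper names and sample URLs are assumptions.
use strict;
use warnings;

# Bug 3 (greedy regex): derive the bare script name from SCRIPT_NAME.
# Capturing m{/([^/]*)$} keeps the suffix ("view.pl"), so "${name}auth"
# becomes "view.plauth". Strip the configured suffix explicitly instead.
sub script_base_name {
    my ($script_path, $suffix) = @_;
    $suffix = '' unless defined $suffix;
    my ($name) = $script_path =~ m{/([^/]+)$};
    return undef unless defined $name;           # no match: never read $1 blindly
    $name =~ s/\Q$suffix\E$// if length $suffix;
    return $name;
}

# Bugs 1-3: build the "<script>auth" redirect target from the request.
sub auth_redirect_url {
    my ($env, $suffix) = @_;
    $suffix = '' unless defined $suffix;
    my $url       = $env->{REQUEST_URL};        # assumed: full URL as requested
    my $path_info = $env->{PATH_INFO} || '';    # CGI: empty or begins with '/'
    my $script    = script_base_name($env->{SCRIPT_NAME}, $suffix);
    return undef unless defined $url && defined $script;

    # Bug 2: drop the query string here. The redirect routine re-attaches it,
    # so leaving it in place is what listed every parameter twice.
    $url =~ s/\?.*\z//s;

    # Bug 1: append PATH_INFO only when the URL does not already end with it.
    # Appending unconditionally gave .../view/Sandbox/TestTopic1/Sandbox/TestTopic1
    if ( $path_info ne '' && $url !~ /\Q$path_info\E\z/ ) {
        $url .= $path_info;
    }

    # Bug 3: rewrite the script as a whole path element, suffix included:
    # /view -> /viewauth and /view.pl -> /viewauth.pl, never /view.plauth.
    return undef
        unless $url =~ s{/\Q$script\E\Q$suffix\E(?=/|\z)}{/${script}auth$suffix};
    return $url;
}

# Bug 4: Perl leaves $1 holding the capture of the last *successful* match,
# so reading $1 after an unchecked match leaks an unrelated earlier value.
sub query_string {
    my ($url, $check) = @_;
    my $earlier = 'http://ehc.comm.mot.com/twiki/bin/view?stale=1';  # constructed
    $earlier =~ /\?(.*)\z/;                  # an unrelated match that set $1
    if ($check) {
        return ( $url =~ /\?(.*)\z/ ) ? $1 : '';   # correct: test the match first
    }
    $url =~ /\?(.*)\z/;                      # unchecked, as in the old redirect sub
    return $1;                               # stale capture when $url has no '?'
}

# Constructed environments modelled on the URLs quoted in the thread.
my %plain = (
    REQUEST_URL => 'http://ehc.comm.mot.com/twiki/bin/view/Sandbox/TestTopic1?raw=on',
    SCRIPT_NAME => '/twiki/bin/view',
    PATH_INFO   => '/Sandbox/TestTopic1',
);
my %suffixed = (
    REQUEST_URL => 'http://ehc.comm.mot.com/twiki/bin/view.pl',   # base URL only
    SCRIPT_NAME => '/twiki/bin/view.pl',
    PATH_INFO   => '/Sandbox/TestTopic1',
);

print auth_redirect_url(\%plain,    ''),    "\n";
print auth_redirect_url(\%suffixed, '.pl'), "\n";
print "unchecked: ", query_string('http://ehc.comm.mot.com/twiki/bin/view', 0), "\n";
print "checked:   ", query_string('http://ehc.comm.mot.com/twiki/bin/view', 1), "\n";
```

The two environments stand for two of the three cases the fix post mentions: one where the request URL already carries PATH_INFO and one where only the script URL is available. Both end up as a single-web/topic viewauth URL, and the .pl case keeps its suffix after "auth". The last two lines show why the redirect sub needed a match check: the unchecked variant returns the capture from the earlier, unrelated match, while the checked variant returns an empty string for a URL with no query.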