[Moin-user] Problem with GivenAuth configuration, through Apache digest?

[fero14041]

Hi, list!

Sorry for the delay, I only could perform tests this afternoon.
As I previously supposed, Paul already pointed out my problem,
a misunderstood of how Apache authenticates users on resources.
Problem solved!

Thanks for the help, it was a real pleasure!
(I have written more personal messages to Lars and Paul hereafter.)

Cheers,

-- fero14041


@Lars:

> thanks for giving all the details, but somehow I missed the specific erroneous
> behaviour that you observed.
> Does the webserver return http status 500? Are you rejected by http-auth?
> Do you see a python traceback from MoinMoin? Do you fail to see any login
> dialog at all?

Well, I'd liked to have both users authenticated by Apache digest,
and some others with accounts specific to Moin.
I was quite influeced by how Trac manages this case, where simply requiring
a valid Apache digest user to ``trac/login`` automagically logs her.
I tried to reproduce this behavior with Moin, unsuccessfully because my approach
was (very) naive.

It was easy to create a Moin's page named "login", asking Apache to
authorize only valid users
accessing it, and add in this Moin's page a redirection to wiki's root.
But doing so effectively log user through REMOTE_USER, only in the short time
*before* redirection, as Paul has pointed it out, where the remote
user was left.
So in log, I saw a brief apparition of user and then left login.
And I did not understand how this was possible
-- and the logs did not report any error, of course, as there was none
(in Moin and Apache, at least)

The error was (only) in my mind, thinking that login through Apache
for this page
also enabled its preservation across parent domain, and so across all
wiki's pages.
Trac probably uses a system such as cookies to get a trace of user session.

As my mistake is now well identified, there is no more problem.
Anyway, thanks again for taking time to examine all the details I provided,
and searching to help me!


@Paul:

> This only enforces authentication for the login resource, meaning that you
> only ever activate authentication for that resource, and the credentials
> never get passed to the Wiki for anything else, such as /wiki/FrontPage and
> so on.
>
> HTTP authentication can be infuriating in cases like this. If you change the
> above to this...
>
><Location /wiki>
>    Require valid-user
></Location>
>
>...then you won't be able to let users in without authenticating with Apache.
>Thus, logging in using Apache becomes "all or nothing".

This is exactly what I did not understood until I red your explanation!
Thank you so much, you problem identifier ;-)
I searched in the wrong place, influenced (as I explained above to Lars)
by how I configure Trac's instance (and that it works fine),
which probably let a cookie to trac user's session.

The two ways you explained, to allow both users logged by Apache and
others by Moin
(allow two different accesses to same wiki, or use an authentication token)
are interesting, and I'll keep them in mind. And let my users choose
how they will use the wiki before moving forward, before exploring one
way or the other:
maybe our needs are not so big, and allowing externals users
contribute to the wiki
a too much sooner feature...

Anyway, thank you again for the relevance and clarity of your explanations!
(And your appreciation of my froggyied English ;-)