Difference between revisions of "password"

From GeneWeb
(Passwords (en) pass 1)
 
m (= Transmitting user/pass in the url)
 
(15 intermediate revisions by 2 users not shown)
Line 3: Line 3:
  
 
Access to the content of a base is controlled through several mechanisms:
 
Access to the content of a base is controlled through several mechanisms:
* A server level access control limiting access to a list of persons, verified by a password
+
* A '''server level access control''' limiting access to a list of persons, verified by a password;
* A base level access control limiting access to a list of persons, verified by a password
+
* A '''base level access control''' limiting access to a list of persons, verified by a password.
 
These two mechanisms restrict to a known list the possible visitors to a base. See [[Access]] for details.
 
These two mechanisms restrict to a known list the possible visitors to a base. See [[Access]] for details.
* A generic of specific password mechanism giving to some visitors the status of:
+
* A ''generic'' of ''specific'' password mechanism giving to some visitors the status of:
** Wizard: having total read and write access to the base content
+
** '''Wizard''': having total read and write access to the base content;
** Friend: having total read access to the content of the base
+
** '''Friend''': having total read access to the content of the base;
** Visitors: (default status) having limited access to the content of the base (persons older than years old, as defined by {{c| }} in the [[configuration|configuration]] file {{c|basename.gwf}}. default is 150 years).
+
** '''Visitors''': (default status) having limited access to the content of the base (persons older than some value, as defined by {{c|private_years}} in the [[configuration]] file {{c|basename.gwf}}. Default is 150 years).
 +
:: Visitors have also access to persons tagged as "public", as defined in [[#Update a person|Update a person]].
  
 
== Generic access ==
 
== Generic access ==
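Review bot: The added bullet "* A ''generic'' of ''specific'' password mechanism" keeps the typo "of"; it should read "generic or specific". The two terms are italicised here before the page defines them, so linking them to the "Generic access" and "Specific access" sections would make the bullet self-explanatory.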
Line 17: Line 18:
 
  wizard_passwd=
 
  wizard_passwd=
  
Two syntaxes are possible  
+
Two syntaxes are possible for the value of this parameter:
 
* {{c|username:password}}: in this case all users share the same username/password pair;
 
* {{c|username:password}}: in this case all users share the same username/password pair;
* {{c|password}}: in this case, no username need to be supplied.
+
* {{c|password}}: in this case, username is optionnal and left to the choice of the user.
 +
: note that {{c|username}} is displayed on some GeneWeb pages such as the {{c|welcome.txt}} page.
  
For instance, the {{c|grimaldi.gwf}} configuration file os the GeneWeb test base contains:
+
For instance, the {{c|grimaldi.gwf}} configuration file of the GeneWeb test base contains:
 
  friend_passwd=grimaldi:friend
 
  friend_passwd=grimaldi:friend
 
  wizard_passwd=grimaldi:wizard
 
  wizard_passwd=grimaldi:wizard
 +
 +
Depending on the template, user authentification is achieved through direct entry of {{c|username:password}} in the appropriate input line, or through clicking on a "friend" or "wizard" button, in which case the browser will pop-up a small window with two entry lines for the {{c|username}} and the {{c|password}}. In this case, the {{c|:}} is simply ignored.
  
 
Note that the access control pop-up window of GeneWeb may offer in some context a single capture field rather that two. In this case, one should entre the full {{c|username:password]] sequence (or {{c|password}} if there is no username).
 
Note that the access control pop-up window of GeneWeb may offer in some context a single capture field rather that two. In this case, one should entre the full {{c|username:password]] sequence (or {{c|password}} if there is no username).
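Review bot: The unchanged paragraph at the end of this hunk opens a template with "{{c|username:password" and closes it with "]]" instead of "}}", so it will not render as intended; the same sentence also has "rather that two" and "entre". In the added lines, "optionnal" and "authentification" should be "optional" and "authentication".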
Line 29: Line 33:
 
== Specific access ==
 
== Specific access ==
  
Specific access control is achieved by defining files containing username:password pairs. The names of those files are directly defined in the [[configuration]] file {{c|basename.gwf}}:
+
Specific access control is achieved by defining files containing {{c|username:password}} pairs (usually with extension {{c|.auth}}). The names of those files are directly defined in the [[configuration]] file {{c|basename.gwf}} and should reside in the {{c|bases}} folder. There can be several files for several bases:
 
  friend_passwd_file=
 
  friend_passwd_file=
 
  wizard_passwd_file=
 
  wizard_passwd_file=
  
The systax of those fiels is as follows:
+
The syntax of those files is as follows:
 
  username:password 
 
  username:password 
 
  username:password:comment
 
  username:password:comment
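Review bot: The added sentence says the names of the files "should reside in the {{c|bases}} folder", but it is the files that reside there; suggest splitting it so that the names are set in {{c|basename.gwf}} and the files are placed in {{c|bases}}. Since every line of such a file is a {{c|username:password}} pair, the paragraph would also benefit from a sentence on who needs read access to the {{c|.auth}} files.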
Line 44: Line 48:
  
 
When both specific access and generic access are specified in the [[configuration]] file {{c|basename.gwf}}, the specific access mechanism takes precedence.
 
When both specific access and generic access are specified in the [[configuration]] file {{c|basename.gwf}}, the specific access mechanism takes precedence.
 +
 +
== Transmitting user/pass in the url ==
 +
 +
It is possible to send to the server the username/password pair within the request:
 +
 +
  http://host:2317/Basename?request&w=username:password
 +
 +
In this example, {{c|request}} can be any legitimate GeneWeb request.
 +
The only drawback of this method is that the password is transmitted to the server in the clear!!
 +
 +
== Access control in CGI mode ==
 +
When in CGI mode, the access controls described above are operational, and are redundant with other authentication methods proposed by the web server such as {{c|.htaccess}} files with Apache.
 +
 +
As {{c|.htaccess}} allows access control through a list of {{c|username/password}} entries, visitors without a password already don’t have access to databases. In GeneWeb, it is better to set {{c|1=friend_passwd=}} to null to avoid a second authentication for friends while maintaining a password (or passwords file) for wizards who will need to get authenticated a second time.
 +
 +
{{manual}}
 +
 +
[[Category:Manual]]
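Review bot: "The only drawback" in the new "Transmitting user/pass in the url" section understates the exposure: a password placed in the query string is sent in the clear, as the text says, and it is also retained wherever the URL is recorded, such as browser history and web-server access logs. Suggest replacing "only drawback" with a short list of these consequences, and noting that the example uses plain http.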

Latest revision as of 13:02, 5 May 2018


Access to the content of a base is controlled through several mechanisms:

  • A server level access control limiting access to a list of persons, verified by a password;
  • A base level access control limiting access to a list of persons, verified by a password.

These two mechanisms restrict to a known list the possible visitors to a base. See Access for details.

  • A generic or specific password mechanism giving some visitors the status of:
    • Wizard: having total read and write access to the base content;
    • Friend: having total read access to the content of the base;
    • Visitors: (default status) having limited access to the content of the base (persons older than some value, as defined by private_years in the configuration file basename.gwf. Default is 150 years).
Visitors also have access to persons tagged as "public", as defined in Update a person.

Generic access

Generic access is directly defined in the configuration file basename.gwf:

friend_passwd=
wizard_passwd=

Two syntaxes are possible for the value of this parameter:

  • username:password: in this case all users share the same username/password pair;
  • password: in this case, username is optional and left to the choice of the user.
Note that username is displayed on some GeneWeb pages such as the welcome.txt page.

For instance, the grimaldi.gwf configuration file of the GeneWeb test base contains:

friend_passwd=grimaldi:friend
wizard_passwd=grimaldi:wizard

Depending on the template, user authentication is achieved through direct entry of username:password in the appropriate input line, or through clicking on a "friend" or "wizard" button, in which case the browser will pop up a small window with two entry lines for the username and the password. In this case, the : is simply ignored.

Note that the access control pop-up window of GeneWeb may in some contexts offer a single capture field rather than two. In this case, one should enter the full username:password sequence (or password if there is no username).

Specific access

Specific access control is achieved by defining files containing username:password pairs (usually with extension .auth). The names of those files are defined directly in the configuration file basename.gwf, and the files should reside in the bases folder. There can be several files for several bases:

friend_passwd_file=
wizard_passwd_file=

The syntax of those files is as follows:

username:password 
username:password:comment
username:password:full name:comment
username:password:first-name /last-name:comment

The full name appears in the wizard page, alphabetically sorted. The / helps define the sorting position in the case of compound names. For instance: louis:xyz:Louis de /Broglie will be sorted at letter B and appear as Broglie (Louis de).
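The file syntax and the / sorting rule described above, as an added Python example (not GeneWeb's own code) that parses a password file and reports lines an administrator should fix. It assumes a third field is the full name, that a name without / sorts on the whole name, and that any further : belongs to the comment; the sample entries other than louis are constructed.

```python
from dataclasses import dataclass

# Constructed sample; only the "louis" line comes from the page.
SAMPLE = """\
louis:xyz:Louis de /Broglie
marie:abc:Marie /Curie:physics branch
anna:pw1
anna:pw2
nopass:
"""

@dataclass
class AuthEntry:
    username: str
    password: str
    name: str = ""     # third field; the page shows it as a full name or a comment
    comment: str = ""

    @property
    def sort_key(self):
        # Text after "/" sets the sorting position (assumed: else the whole name).
        _, slash, last = self.name.partition("/")
        return (last if slash else self.name or self.username).strip().lower()

    @property
    def display(self):
        first, slash, last = self.name.partition("/")
        if not slash:
            return self.name or self.username
        return f"{last.strip()} ({first.strip()})"

def parse_auth(text):
    """Return (entries sorted as on the wizard page, [(line_no, problem)])."""
    entries, problems, seen = [], [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        # maxsplit=3 keeps any further ":" inside the comment (assumption).
        fields = [f.strip() for f in raw.split(":", 3)]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            problems.append((n, "missing username or password"))
            continue
        entry = AuthEntry(*fields)
        if entry.username in seen:
            problems.append((n, f"duplicate username {entry.username}"))
        seen.add(entry.username)
        entries.append(entry)
    return sorted(entries, key=lambda e: e.sort_key), problems
```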

When both specific access and generic access are specified in the configuration file basename.gwf, the specific access mechanism takes precedence.

Transmitting user/pass in the url

It is possible to send to the server the username/password pair within the request:

 http://host:2317/Basename?request&w=username:password

In this example, request can be any legitimate GeneWeb request. The only drawback of this method is that the password is transmitted to the server in the clear!!
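Because the w= parameter travels in the URL, it is also written to any web-server access log that records request lines. The following added Python example (not part of GeneWeb) masks w= values in such logs and lists which usernames were exposed; the log lines, address and parameter values other than w= are constructed, and every w= value is treated as a credential.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (common log format); host, paths and users are made up.
LOG = [
    '203.0.113.5 - - [05/May/2018:13:02:11 +0000] "GET /Basename?m=S&w=louis:xyz HTTP/1.1" 200 512',
    '203.0.113.5 - - [05/May/2018:13:02:15 +0000] "GET /Basename?w=marie%3Aabc;m=N HTTP/1.1" 200 734',
    '203.0.113.9 - - [05/May/2018:13:03:02 +0000] "GET /Basename?m=N&v=grimaldi HTTP/1.1" 200 901',
]

REQUEST = re.compile(r'"[A-Z]+ (?P<url>\S+) HTTP/[\d.]+"')
# w= as a whole parameter name, after "?", "&" or ";" (so "pw=" is not matched).
W_PARAM = re.compile(r"(?P<sep>[?&;])w=(?P<value>[^&;\s]*)")

def redact_url(url):
    """Return (url with every w= value masked, usernames that were exposed)."""
    users = []
    def mask(m):
        # The ":" may arrive percent-encoded as %3A, so decode before splitting.
        user, colon, _ = unquote(m.group("value")).partition(":")
        users.append(user if colon else "")   # "" marks the password-only form
        return m.group("sep") + "w=REDACTED"
    return W_PARAM.sub(mask, url), users

def scrub_log(lines):
    """Return (scrubbed lines, [(line_no, username)]) for requests that carried w=."""
    clean, findings = [], []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if m:
            url, users = redact_url(m.group("url"))
            findings += [(n, u) for u in users]
            line = line[:m.start("url")] + url + line[m.end("url"):]
        clean.append(line)
    return clean, findings
```

Any credential reported by scrub_log was already stored in the original log, so it should be changed in basename.gwf or the password file.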

Access control in CGI mode

When in CGI mode, the access controls described above are operational, and are redundant with other authentication methods proposed by the web server such as .htaccess files with Apache.

As .htaccess allows access control through a list of username/password entries, visitors without a password already don’t have access to databases. In GeneWeb, it is better to set friend_passwd= to null to avoid a second authentication for friends while maintaining a password (or passwords file) for wizards who will need to get authenticated a second time.

