How Authentication works with MoinMoin

MoinMoin historically has used some cookie-based authentication: you log in via the form on page UserPreferences, moin sets a cookie and from then on this cookie is used for authenticating you - until you log off and the cookie gets deleted (or until the cookie expires).

For running moin in corporate environments this is often no option as access restrictions have to be enforced reliably. Starting with 1.3 moin could also use HTTP basic auth based authentication, when being run with some web servers (like Apache) supporting it.

Starting with 1.5 moin now has freely configurable and kind of modular authentication. You use the auth configuration value to set up a list of authentication methods that are processed in exactly that order.

When an external user database is used you do not want to recreate all users in moin. For this case the configuration option user_autocreate was added to moin 1.5. If you set it to True a new user profile will be created automatically when a new user has passed authentication (and the auth method supports auto creation).

Presently the following authentication methods are supported:

Other "auth" methods

These are not strictly auth methods, as they don't authenticate users, but use auth information for other purposes:

MoinMoin.auth.interwiki is unfinished, experimental code - don't use.

Shipped plugins

moin_cookie auth (default)

   1     from MoinMoin.auth import moin_cookie
   2     auth = [moin_cookie]

This is the default auth list moin uses (so if you just want that, you don't need to configure it). It means that moin just tries to use the MOIN_ID cookie as it ever did.

For doing that, moin will just call the MoinMoin.auth.moin_cookie function. This function will look if there is a valid cookie:

http auth

To activate http authentication you have to add following lines to wikiconfig.py:

   1     from MoinMoin.auth import http
   2     auth = [http]

For HTTP basic auth used with a web server like Apache, the web server handles authentication before moin gets called. You either enter a valid username and password or your access will be denied by the web server.

So moin's http auth method will just check if user authentication happened:

Well, in reality, it is a bit more complicated indeed:

sslclientcert auth

To activate authentication via SSL client certificates you have to add following lines to wikiconfig.py:

   1     from MoinMoin.auth import sslclientcert
   2     auth = [sslclientcert]

For SSL client certificate auth used with a web server like Apache, the web server handles authentication before moin gets called. You either have a valid SSL client certificate or your access will be denied by the web server.

So moin's sslclientcert auth method will just check if user authentication happened:

php_auth

To activate Single-Sign-On integration with PHP applications, use this module. It reads PHP session files and therefore directly integrates with existing PHP authentication systems.

To use this module, use the following lines of code in your configuration:

   1     from MoinMoin.auth import php_auth
   2     auth = [php_auth()]

php_auth has the following parameters:

   1 php_auth(apps=['egw'], s_path="/tmp", s_prefix="sess_")

The only supported PHP application is eGroupware 1.2 currently. But it should be fairly easy to add a few lines of code that extract the necessary information from the PHP session.

Combining multiple auth methods

For combining e.g. http and cookie authentication, your wikiconfig.py might contain:

   1     from MoinMoin.auth import http, moin_cookie
   2     auth = [http, moin_cookie]

In this example, moin will first check if the http auth method gives a valid user. If yes, it will use just that. If not and continue_flag returned by http auth method is True, it will continue checking other auth list method - moin_cookie in this case... ( /!\ needs update /!\ )

Making your own auth method

See the commented config file fragment contrib/auth_externalcookie/ and MoinMoin/auth.py in your moin distribution archive for examples of how to do authentication.

Here is just a short summary of what's currently possible:

HelpOnAuthentication (zuletzt geƤndert 2007-02-06 21:31:34)