Hi, I am working on developing some auth extensions these days. I have already done half of my project. I extended a new class from AuthPlugin and wrote my code in it, and it works fine. But I want to do more with this. For example, I wanna make MediaWiki log in automatically when I log in to other applications. When I log in to another application, the application would call a file in MediaWiki. For example, I installed my forum at forum.xxxxx.org and MediaWiki at wiki.xxxxx.org; when I log in to the forum, the forum would access http://wiki.xxxxx.org/myapi.php automatically and POST the user ID to it. Now I must make myapi.php set a session so that MediaWiki shows the user as logged in. I have read the MediaWiki API but it cannot satisfy me, because it needs some more information which I cannot supply, such as the user's password. So is there any way to make a user logged in without a clear-text password? thx!!
BTW: I found another problem in a class which extends AuthPlugin. When I 'echo' something in function authenticate($username, $password) it won't be shown on the page. Only when I add exit(); to stop the program running can my message be shown. For example, if I use this code:

    function authenticate($username, $password){
        echo 'aaaaaaaaaaaaaaaaaaaaaaa';
        //Do something to auth
        return true;
    }

Nothing would be shown; it would redirect to the LoginComplete page directly. And also, if I use a hook:

    $wgHooks['UserLoginComplete'][] = 'WMHook_UserLoginComplete';

and 'echo' something in function WMHook_UserLoginComplete():

    function WMHook_UserLoginComplete(&$user, &$inject_html){
        $uid = $user->getId();
        echo $uid;
        return true;
    }

Nothing would be shown. If I modify $inject_html like:

    function WMHook_UserLoginComplete(&$user, &$inject_html){
        $inject_html = 'aaaaaaaaaaaaaaaaaa';
        return true;
    }

Whatever value I pass to $inject_html except an empty string would cause MediaWiki to stop working. Nothing would be shown and the program stopped. Could you tell me why this happened? thx
-------------- Bear 2010-08-12
Bear wrote:
Hi, I am working on developing some auth extensions these days. I have already done half of my project. I extended a new class from AuthPlugin and wrote my code in it, and it works fine. But I want to do more with this. For example, I wanna make MediaWiki log in automatically when I log in to other applications. When I log in to another application, the application would call a file in MediaWiki. For example, I installed my forum at forum.xxxxx.org and MediaWiki at wiki.xxxxx.org; when I log in to the forum, the forum would access http://wiki.xxxxx.org/myapi.php automatically and POST the user ID to it. Now I must make myapi.php set a session so that MediaWiki shows the user as logged in. I have read the MediaWiki API but it cannot satisfy me, because it needs some more information which I cannot supply, such as the user's password. So is there any way to make a user logged in without a clear-text password? thx!!
No need to do that: http://www.mediawiki.org/wiki/Manual:Hooks/UserLoadFromSession
BTW: I found another problem in a class which extends AuthPlugin. When I 'echo' something in function authenticate($username, $password) it won't be shown on the page. Only when I add exit(); to stop the program running can my message be shown. For example, if I use this code:

    function authenticate($username, $password){
        echo 'aaaaaaaaaaaaaaaaaaaaaaa';
        //Do something to auth
        return true;
    }

Nothing would be shown; it would redirect to the LoginComplete page directly. And also, if I use a hook:

    $wgHooks['UserLoginComplete'][] = 'WMHook_UserLoginComplete';

and 'echo' something in function WMHook_UserLoginComplete():

    function WMHook_UserLoginComplete(&$user, &$inject_html){
        $uid = $user->getId();
        echo $uid;
        return true;
    }

Nothing would be shown. If I modify $inject_html like:

    function WMHook_UserLoginComplete(&$user, &$inject_html){
        $inject_html = 'aaaaaaaaaaaaaaaaaa';
        return true;
    }

Whatever value I pass to $inject_html except an empty string would cause MediaWiki to stop working. Nothing would be shown and the program stopped. Could you tell me why this happened? thx
Because you are being redirected. Set $wgDebugRedirects = true; in LocalSettings to see them.
Hi, I am very thankful that you replied to me, but your solution does not seem to fit my situation. I am using a Central Auth System to manage all user authentication. So when users are authenticated by this system, they should be logged in to MediaWiki automatically. The system would access a .php file in MediaWiki such as http://wiki.xxxxx.org/myapi.org . So I must use this file to set the MediaWiki session. Could you tell me how to do this? thx!
------------------ Bear 2010-08-12
-------------------------------------------------------------
From: Platonides
Send Date: 2010-08-12 17:35:33
To: wikitech-l
CC:
Subject: Re: [Wikitech-l] How to login a user without password?
I am very thankful that you replied to me, but your solution does not seem to fit my situation. I am using a Central Auth System to manage all user authentication. So when users are authenticated by this system, they should be logged in to MediaWiki automatically. The system would access a .php file in MediaWiki such as http://wiki.xxxxx.org/myapi.org . So I must use this file to set the MediaWiki session. Could you tell me how to do this? thx!
Does your central system require you to access a php file like that, or is this an arbitrary requirement that you believe you need? If this isn't really a requirement, you'll want to write an auto-authentication plugin that verifies the credentials from the central system, and creates a session in MediaWiki. This plugin should also create users when they access the wiki as well.
Here's an example of an auto-authentication plugin:
http://svn.wikimedia.org/viewvc/mediawiki/trunk/extensions/LdapAuthentication/LdapAutoAuthentication.php?view=markup
This plugin assumes you have a regular authentication plugin doing something as well. Here's one that is standalone:
http://www.mediawiki.org/wiki/Extension:AutomaticREMOTE_USER
Note that in both of these, the user is assumed to have already logged into the central authentication system, and the web server is handling the actual authentication. Here's an extension that changes the login and logout links to redirect to the central system (warning, it is CDDL licensed, which is incompatible with the GPL!):
http://blogs.sun.com/superpat/entry/opensso_single_sign_on_extension
Respectfully,
Ryan Lane
Note that in both of these, the user is assumed to have already logged into the central authentication system, and the web server is handling the actual authentication. Here's an extension that changes the login and logout links to redirect to the central system (warning, it is CDDL licensed, which is incompatible with the GPL!):
http://blogs.sun.com/superpat/entry/opensso_single_sign_on_extension
Here's an example that is GPL licensed, that does essentially the same thing as the above:
http://www.mediawiki.org/wiki/Extension:CASAuthentication
V/r,
Ryan Lane
Hi, I am very, very thankful that you supplied me with such rich information. I have read them carefully and found they do not fit my situation. The Central Auth System I use was not developed by me, so I must do my project within its framework. When a user logs in to an application such as a forum, the forum would ask the central auth system whether the username and password supplied by the user match. When this is okay, it would call a function provided by this central auth system. This function will access the myapi.php in each application configured with this central auth system and pass the User_ID by POST. So I have to write a myapi.php for MediaWiki to create a session with the uid it supplies. I am not good at English and I hope you can understand my meaning. thx!
--------------- Bear 2010-08-12
-------------------------------------------------------------
From: Lane, Ryan
Send Date: 2010-08-12 21:54:21
To: Wikimedia developers
CC:
Subject: Re: [Wikitech-l] How to login a user without password?
I am very, very thankful that you supplied me with such rich information. I have read them carefully and found they do not fit my situation. The Central Auth System I use was not developed by me, so I must do my project within its framework. When a user logs in to an application such as a forum, the forum would ask the central auth system whether the username and password supplied by the user match. When this is okay, it would call a function provided by this central auth system. This function will access the myapi.php in each application configured with this central auth system and pass the User_ID by POST. So I have to write a myapi.php for MediaWiki to create a session with the uid it supplies. I am not good at English and I hope you can understand my meaning. thx!
Ok. I understand the requirement now. Note that the last extension I linked to has code that creates a session for a user. You can use it as an example. It also has an example of creating a user in the database, which you'll need to do as well.
Note that this sounds like a really insecure system if done improperly. I hope the central auth server has some way of authenticating that POST request, or anyone would be able to grant themselves a session.
V/r,
Ryan Lane
Hi, I have read both of the links:
http://blogs.sun.com/superpat/entry/opensso_single_sign_on_extension
http://www.mediawiki.org/wiki/Extension:CASAuthentication
But unfortunately, I haven't found the code you mentioned... It seems like these extensions use hooks to implement user authentication? In my own myapi.php, how can a hook work? The code below is a brief overview of myapi.php:

    <?php
    $data = $_POST['data'];
    // call a function to decode the data with a secret key. The result is in $get
    $action = $get['action'];
    if($action == 'login'){
        $uid = $get['uid'];
        // I must do something here to make mediawiki login.
        echo 1;
    }
    elseif($action == 'logout'){
        //I must do something here to make mediawiki logout.
        echo 1;
    }
    else{
        echo 0;
    }
    ?>

When a user is logged in to another application, the central auth system would access this myapi.php with the data. Thx!!
------------------ Bear 2010-08-12
-------------------------------------------------------------
From: Lane, Ryan
Send Date: 2010-08-12 22:48:05
To: Wikimedia developers
CC:
Subject: Re: [Wikitech-l] How to login a user without password?
I have read both of the links:
http://blogs.sun.com/superpat/entry/opensso_single_sign_on_extension
http://www.mediawiki.org/wiki/Extension:CASAuthentication
But unfortunately, I haven't found the code you mentioned... It seems like these extensions use hooks to implement user authentication? In my own myapi.php, how can a hook work? The code below is a brief overview of myapi.php:

    <?php
    $data = $_POST['data'];
    // call a function to decode the data with a secret key. The result is in $get
    $action = $get['action'];
    if($action == 'login'){
        $uid = $get['uid'];
        // I must do something here to make mediawiki login.
        echo 1;
    }
    elseif($action == 'logout'){
        //I must do something here to make mediawiki logout.
        echo 1;
    }
    else{
        echo 0;
    }
    ?>

When a user is logged in to another application, the central auth system would access this myapi.php with the data.
I'd use the webserver to alias "/myapi.php" to "/index.php?title=Special:Userlogin"; then use the above methods. The central authentication system will still think it is hitting "/myapi.php", but will instead send its data to your extension. Since your extension is going through index.php, the hooks will be called, and the globals needed will exist.
Respectfully,
Ryan Lane
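
An added example, not part of the thread and not code from MediaWiki or from the central auth system: one way myapi.php could authenticate the POST request that the reply above warns about, before acting on any uid. The wire format (a base64 JSON "data" field plus a hex HMAC-SHA256 "sig" field), the field names, the 120-second window and the shared key are all assumptions; PHP 7.1 or later is assumed.

```php
<?php
// Added example, not code from the thread. Assumed (hypothetical) wire format:
//   data = base64(JSON {"action","uid","ts","nonce"})
//   sig  = hex HMAC-SHA256 of the data string under a key shared with the central system

const MAX_SKEW_SECONDS = 120; // assumed freshness window for the timestamp

/**
 * Returns the decoded message if the request is authentic, fresh and not a
 * replay; returns null if it must be rejected.
 * $seenNonces stands in for a shared store (database, memcached) in production.
 */
function verify_sso_request(array $post, string $key, int $now, array &$seenNonces): ?array
{
    if (!isset($post['data'], $post['sig'])
        || !is_string($post['data']) || !is_string($post['sig'])) {
        return null;
    }
    // Authenticate the raw string before decoding anything; constant-time compare.
    $expected = hash_hmac('sha256', $post['data'], $key);
    if (!hash_equals($expected, $post['sig'])) {
        return null;
    }
    $json = base64_decode($post['data'], true);
    $msg  = $json === false ? null : json_decode($json, true);
    if (!is_array($msg)
        || !isset($msg['action'], $msg['uid'], $msg['ts'], $msg['nonce'])
        || !in_array($msg['action'], ['login', 'logout'], true)
        || !is_int($msg['uid']) || $msg['uid'] <= 0
        || !is_int($msg['ts']) || !is_string($msg['nonce'])) {
        return null;
    }
    // Freshness and replay: a captured valid request must not work twice.
    if (abs($now - $msg['ts']) > MAX_SKEW_SECONDS || isset($seenNonces[$msg['nonce']])) {
        return null;
    }
    $seenNonces[$msg['nonce']] = $msg['ts'];
    return $msg;
}

// Builds a signed request the way the central system is assumed to.
function make_request(array $msg, string $key): array
{
    $data = base64_encode(json_encode($msg));
    return ['data' => $data, 'sig' => hash_hmac('sha256', $data, $key)];
}

// Constructed sample input; the key, uid values and nonces are made up.
$key  = 'constructed-demo-key';
$now  = 1700000000;
$seen = [];
$good = make_request(['action' => 'login', 'uid' => 42, 'ts' => $now, 'nonce' => 'n-0001'], $key);

$cases = [
    'valid request'       => $good,
    'replayed request'    => $good,
    'changed uid, old sig' => ['sig' => $good['sig'], 'data' => base64_encode(json_encode(
        ['action' => 'login', 'uid' => 1, 'ts' => $now, 'nonce' => 'n-0002']))],
    'stale timestamp'     => make_request(
        ['action' => 'login', 'uid' => 42, 'ts' => $now - 3600, 'nonce' => 'n-0003'], $key),
    'bare uid, no sig'    => ['uid' => '42'],
];
foreach ($cases as $label => $post) {
    $ok = verify_sso_request($post, $key, $now, $seen) !== null;
    printf("%-22s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

Only a non-null return value should ever reach the session-creating code; the MediaWiki side of that step is covered by the extensions linked in the thread.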