Package
The package is also a Factory for login managers and also the base class
for all login managers. | ||||||||
Changed: | ||||||||
< < | On it's own, an object of this class is used when you specify 'none' in | |||||||
> > | On its own, an object of this class is used when you specify 'none' in | |||||||
the security setup section of
configure. When it is used,
logins are not supported. If you want to authenticate users then you should
consider TemplateLogin or ApacheLogin, which are subclasses of this class.
If you are building a new login manager, then you should write a new subclass
of this class, implementing the methods marked as VIRTUAL. There are already
examples in the lib/TWiki/LoginManager directory.
The class has extensive tracing, which is enabled by
$TWiki::cfg{Trace}{LoginManager.pm}. The tracing is done in such a way as to
let the perl optimiser optimise out the trace function as a no-op if tracing
is disabled.
Here's an overview of how it works:
Early in TWiki::new, the login manager is created. The creation of the login
manager does two things:
| ||||||||
Deleted: | ||||||||
< < |
ObjectData
The TWiki object this login manager is attached to. | |||||||
On this page:
StaticMethod makeLoginManager ($twiki) -> $TWiki::LoginManagerFactory method, used to generate a new TWiki::LoginManager object for the given session.ClassMethod new ($session,$impl)Construct the user management objectObjectMethod finish ()Break circular references.ClassMethod _real_trace ($session,$impl)Construct the user management objectClassMethod _IP2SID ($session,$impl)read/write IP to SID map, return SIDObjectMethod loadSession ($defaultUser) -> $loginGet the client session data, using the cookie and/or the request URL. Set up appropriate session variables in the twiki object and return the login name. $defaultUser is a username to use if one is not available from other sources. The username passed when you create a TWiki instance is passed in here.ObjectMethod checkAccess ()Check if the script being run in this session is authorised for execution. If not, throw an access control exception.ObjectMethod complete ()Complete processing after the client's HTTP request has been responded to. Flush the user's session (if any) to disk.StaticMethod expireDeadSessions ()Delete sessions and passthrough files that are sitting around but are really expired. This assumes that the sessions are stored as files. This is a static method, but requires TWiki::cfg. It is designed to be run from a session or from a cron job.ObjectMethod userLoggedIn ($login,$wikiname)Called when the user is known. It's invoked from TWiki::UI::Register::finish for instance,
ObjectMethod _myScriptURLRE ($thisl)ObjectMethod _rewriteURL ($thisl)ObjectMethod _rewriteFORM ($thisl)ObjectMethod endRenderingHandler ()This handler is called by getRenderedVersion just before the plugins postRenderingHandler. So it is passed all HTML text just before it is printed. DEPRECATED Use postRenderingHandler instead.ObjectMethod _pushCookie ($thisl)ObjectMethod addCookie ($c)Add a cookie to the list of cookies for this session.
ObjectMethod modifyHeader (\%header)Modify a HTTP header
ObjectMethod redirectCgiQuery ($url)Generate an HTTP redirect on STDOUT, if you can. Return 1 if you did.
ObjectMethod getSessionValues () -> \%valuesGet a name->value hash of all the defined session variablesObjectMethod getSessionValue ($name) -> $valueGet the value of a session variable.ObjectMethod setSessionValue ($name,$value)Set the value of a session variable. We do not allow setting of AUTHUSER and SESSION_REQUEST_NUMBER.ObjectMethod clearSessionValue ($name) -> $booleanClear the value of a session variable. We do not allow setting of AUTHUSER.ObjectMethod forceAuthentication () -> booleanVIRTUAL METHOD implemented by subclasses Triggered by an access control violation, this method tests to see if the current session is authenticated or not. If not, it does whatever is needed so that the user can log in, and returns 1. If the user has an existing authenticated session, the function simply drops though and returns 0.ObjectMethod loginUrl (...) -> $urlVIRTUAL METHOD implemented by subclasses Return a full URL suitable for logging in.
ObjectMethod getUser ()VIRTUAL METHOD implemented by subclasses If there is some other means of getting a username - for example, Apache has remote_user() - then return it. Otherwise, return undef and the username stored in the session will be used.ObjectMethod _LOGIN ($thisl)ObjectMethod _LOGOUTURL ($thisl)ObjectMethod _LOGOUT ($thisl)ObjectMethod _AUTHENTICATED ($thisl)ObjectMethod _CANLOGIN ($thisl)ObjectMethod _SESSION_VARIABLE ($thisl)ObjectMethod _LOGINURL ($thisl)ObjectMethod _dispLogon ($thisl)PrivateMethod _skinSelect ()Internal use only TODO: what does it do? sub createCryptToken ( $session )-> $token Takes the input as session and returns the MD5 hash string. This subroutine is responsible for updating the token database The tokens solve the CSRF issue sub cleanCryptTokens($session, $token) This subroutine takes care of cleaning used tokens Usually called from token verification subroutines. sub addCryptTokeninForm ( )-> returns the form with "crypttoken" html input hidden field If TWiki Application developer has added "crypttoken" then the current subroutine returns the form without performing any parsing. If the form with method - POST do not have any "crypttoken", this subroutine adds the token. |
Package
The package is also a Factory for login managers and also the base class
for all login managers.
On it's own, an object of this class is used when you specify 'none' in
the security setup section of
configure. When it is used,
logins are not supported. If you want to authenticate users then you should
consider TemplateLogin or ApacheLogin, which are subclasses of this class.
If you are building a new login manager, then you should write a new subclass
of this class, implementing the methods marked as VIRTUAL. There are already
examples in the | ||||||||
Changed: | ||||||||
< < | We do not allow setting of AUTHUSER. | |||||||
> > | We do not allow setting of AUTHUSER and SESSION_REQUEST_NUMBER. | |||||||
ObjectMethod clearSessionValue ($name) -> $booleanClear the value of a session variable. We do not allow setting of AUTHUSER.ObjectMethod forceAuthentication () -> booleanVIRTUAL METHOD implemented by subclasses Triggered by an access control violation, this method tests to see if the current session is authenticated or not. If not, it does whatever is needed so that the user can log in, and returns 1. If the user has an existing authenticated session, the function simply drops though and returns 0.ObjectMethod loginUrl (...) -> $urlVIRTUAL METHOD implemented by subclasses Return a full URL suitable for logging in.
ObjectMethod getUser ()VIRTUAL METHOD implemented by subclasses If there is some other means of getting a username - for example, Apache has remote_user() - then return it. Otherwise, return undef and the username stored in the session will be used.ObjectMethod _LOGIN ($thisl)ObjectMethod _LOGOUTURL ($thisl)ObjectMethod _LOGOUT ($thisl)ObjectMethod _AUTHENTICATED ($thisl)ObjectMethod _CANLOGIN ($thisl)ObjectMethod _SESSION_VARIABLE ($thisl)ObjectMethod _LOGINURL ($thisl)ObjectMethod _dispLogon ($thisl)PrivateMethod _skinSelect ()Internal use only TODO: what does it do? sub createCryptToken ( $session )-> $token Takes the input as session and returns the MD5 hash string. This subroutine is responsible for updating the token database The tokens solve the CSRF issue sub cleanCryptTokens($session, $token) This subroutine takes care of cleaning used tokens Usually called from token verification subroutines. sub addCryptTokeninForm ( )-> returns the form with "crypttoken" html input hidden field If TWiki Application developer has added "crypttoken" then the current subroutine returns the form without performing any parsing. If the form with method - POST do not have any "crypttoken", this subroutine adds the token. |
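Review bot: the setSessionValue text now lists AUTHUSER and SESSION_REQUEST_NUMBER as values that cannot be set, but the clearSessionValue entry in the context right after it still reads "We do not allow setting of AUTHUSER." That entry should say "clearing" rather than "setting", and it should state explicitly whether clearSessionValue also refuses SESSION_REQUEST_NUMBER, so readers can tell whether the two methods protect the same set of names.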
Package
The package is also a Factory for login managers and also the base class
for all login managers.
On it's own, an object of this class is used when you specify 'none' in
the security setup section of
configure. When it is used,
logins are not supported. If you want to authenticate users then you should
consider TemplateLogin or ApacheLogin, which are subclasses of this class.
If you are building a new login manager, then you should write a new subclass
of this class, implementing the methods marked as VIRTUAL. There are already
examples in the | ||||||||
Changed: | ||||||||
< < | Early in TWiki::new, the login manager is created. The creation of the login manager does two things:
| |||||||
> > | Early in TWiki::new, the login manager is created. The creation of the login
manager does two things:
| |||||||
Added: | ||||||||
> > | session yet.
| |||||||
Slightly later in TWiki::new, loginManager->loadSession is called. | ||||||||
Changed: | ||||||||
< < |
| |||||||
> > |
| |||||||
| ||||||||
Changed: | ||||||||
< < |
| |||||||
> > |
| |||||||
Added: | ||||||||
> > |
| |||||||
Changed: | ||||||||
< < | Later again in TWiki::new, plugins are given a chance to override the username found from the loginManager. | |||||||
> > | Later again in TWiki::new, plugins are given a chance to override the username | |||||||
Added: | ||||||||
> > | found from the loginManager. | |||||||
Changed: | ||||||||
< < | The last step in TWiki::new is to find the user, using whatever user mapping manager is in place. | |||||||
> > | The last step in TWiki::new is to find the user, using whatever user mapping | |||||||
Added: | ||||||||
> > | manager is in place. | |||||||
ObjectData
The TWiki object this login manager is attached to.
| ||||||||
Changed: | ||||||||
< < | read/write IP to SID map, return SID | |||||||
> > | read/write IP to SID map, return SID | |||||||
ObjectMethod loadSession ($defaultUser) -> $loginGet the client session data, using the cookie and/or the request URL. Set up appropriate session variables in the twiki object and return the login name. $defaultUser is a username to use if one is not available from other sources. The username passed when you create a TWiki instance is passed in here.ObjectMethod checkAccess ()Check if the script being run in this session is authorised for execution. If not, throw an access control exception.ObjectMethod complete ()Complete processing after the client's HTTP request has been responded to. Flush the user's session (if any) to disk.StaticMethod expireDeadSessions ()Delete sessions and passthrough files that are sitting around but are really expired. This assumes that the sessions are stored as files. This is a static method, but requires TWiki::cfg. It is designed to be run from a session or from a cron job.ObjectMethod userLoggedIn ($login,$wikiname)Called when the user is known. It's invoked from TWiki::UI::Register::finish for instance,
ObjectMethod _myScriptURLRE ($thisl) | ||||||||
Deleted: | ||||||||
< < | ||||||||
ObjectMethod _rewriteURL ($thisl) | ||||||||
Deleted: | ||||||||
< < | ||||||||
ObjectMethod _rewriteFORM ($thisl)ObjectMethod endRenderingHandler ()This handler is called by getRenderedVersion just before the plugins postRenderingHandler. So it is passed all HTML text just before it is printed. DEPRECATED Use postRenderingHandler instead.ObjectMethod _pushCookie ($thisl) | ||||||||
Deleted: | ||||||||
< < | ||||||||
ObjectMethod addCookie ($c)Add a cookie to the list of cookies for this session.
ObjectMethod modifyHeader (\%header)Modify a HTTP header
ObjectMethod redirectCgiQuery ($url)Generate an HTTP redirect on STDOUT, if you can. Return 1 if you did.
ObjectMethod getSessionValues () -> \%valuesGet a name->value hash of all the defined session variablesObjectMethod getSessionValue ($name) -> $valueGet the value of a session variable.ObjectMethod setSessionValue ($name,$value)Set the value of a session variable. We do not allow setting of AUTHUSER.ObjectMethod clearSessionValue ($name) -> $booleanClear the value of a session variable. We do not allow setting of AUTHUSER.ObjectMethod forceAuthentication () -> booleanVIRTUAL METHOD implemented by subclasses Triggered by an access control violation, this method tests to see if the current session is authenticated or not. If not, it does whatever is needed so that the user can log in, and returns 1. If the user has an existing authenticated session, the function simply drops though and returns 0.ObjectMethod loginUrl (...) -> $urlVIRTUAL METHOD implemented by subclasses Return a full URL suitable for logging in.
ObjectMethod getUser ()VIRTUAL METHOD implemented by subclasses If there is some other means of getting a username - for example, Apache has remote_user() - then return it. Otherwise, return undef and the username stored in the session will be used.ObjectMethod _LOGIN ($thisl)ObjectMethod _LOGOUTURL ($thisl) | ||||||||
Deleted: | ||||||||
< < | ||||||||
ObjectMethod _LOGOUT ($thisl) | ||||||||
Deleted: | ||||||||
< < | ||||||||
ObjectMethod _AUTHENTICATED ($thisl) | ||||||||
Deleted: | ||||||||
< < | ||||||||
ObjectMethod _CANLOGIN ($thisl)ObjectMethod _SESSION_VARIABLE ($thisl)ObjectMethod _LOGINURL ($thisl) | ||||||||
Deleted: | ||||||||
< < | ||||||||
ObjectMethod _dispLogon ($thisl)PrivateMethod _skinSelect ()Internal use only TODO: what does it do? sub createCryptToken ( $session )-> $token Takes the input as session and returns the MD5 hash string. This subroutine is responsible for updating the token database The tokens solve the CSRF issue | ||||||||
Deleted: | ||||||||
< < | ||||||||
sub cleanCryptTokens($session, $token) This subroutine takes care of cleaning used tokens Usually called from token verification subroutines. | ||||||||
Deleted: | ||||||||
< < | ||||||||
sub addCryptTokeninForm ( )-> returns the form with "crypttoken" html input hidden field If TWiki Application developer has added "crypttoken" then the current subroutine returns the form without performing any parsing. If the form with method - POST do not have any "crypttoken", this subroutine adds the token. |
Package
The package is also a Factory for login managers and also the base class
for all login managers.
On it's own, an object of this class is used when you specify 'none' in
the security setup section of
configure. When it is used,
logins are not supported. If you want to authenticate users then you should
consider TemplateLogin or ApacheLogin, which are subclasses of this class.
If you are building a new login manager, then you should write a new subclass
of this class, implementing the methods marked as VIRTUAL. There are already
examples in the | ||||||||
Added: | ||||||||
> > | sub createCryptToken ( $session )-> $token Takes the input as session and returns the MD5 hash string. This subroutine is responsible for updating the token database The tokens solve the CSRF issue sub cleanCryptTokens($session, $token) This subroutine takes care of cleaning used tokens Usually called from token verification subroutines. sub addCryptTokeninForm ( )-> returns the form with "crypttoken" html input hidden field If TWiki Application developer has added "crypttoken" then the current subroutine returns the form without performing any parsing. If the form with method - POST do not have any "crypttoken", this subroutine adds the token. |
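Review bot: the createCryptToken entry says it "returns the MD5 hash string" but does not say what is hashed. An anti-CSRF token only protects a form if another site cannot predict it, so the text should document the inputs to the hash and where the unpredictable part comes from. The cleanCryptTokens entry refers to "token verification subroutines" without naming or documenting any of them; add the name of the subroutine that checks a submitted "crypttoken" and say what happens when the check fails. The run "updating the token database The tokens solve the CSRF issue" also needs sentence breaks.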