On Mon, Nov 10, 2008 at 4:20 AM, eggenheimer <[EMAIL PROTECTED]> wrote:
> Yes I guess sessions would probably be the best way to distinguish between
> different computers in this case. I don't know much java or the way xwiki is
> structured - can anyone point me in the right direction?

And now, for something completely different...

For reasons of security/configuration/etc, I typically "front" Java-based web-apps with Apache, and then redirect to Java via mod_proxy_ajp w/ "ProxyPass /xwiki/ ajp://127.0.0.1:8009/xwiki/".

Given such a configuration, I would consider looking into an external Apache authentication and access control module that can provide you with the necessary limitations.

One possibility is to use an external login mechanism in Apache which generates a random number ID via cookie; for any subsequent accesses to the "protected access" URL, that ID/cookie must be present before redirecting to xwiki via mod_proxy_ajp. This per-user cookie ID would be cleared if the given user logs out (via associated external login mechanism), and no other logins would be allowed until the 'latest-login-cookie' was cleared. Only incoming requests presenting the specific cookie/ID associated with the user will be passed on to mod_proxy_ajp and, in turn, Java and Xwiki.

http://www.frogdot.org/mod_auth_mda/ is a good module to accomplish such tasks:
-- <http://www.frogdot.org/logintools/pab/scheme1.gif>

This approach wouldn't care about IP address per se. The user could start the transaction on a laptop plugged in to one network, disconnect, and continue on a different one. On the other hand, if the user walked over to a different computer, and didn't log out of his last session, he couldn't log back in w/o either going back to his old computer and logging out, or requesting an administrator override.

Niels
http://nielsmayer.com
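Added example, not part of the original message and not mod_auth_mda's code: a minimal Python model of the single-active-login gate described above, showing the decisions the front end makes before a request is proxied. The class and method names are hypothetical, the user name is constructed, and password verification is assumed to have happened before `login()` is called.

```python
import hmac
import secrets


class SingleSessionGate:
    """One active login per user; requests pass only with that login's cookie."""

    def __init__(self):
        self._active = {}  # user -> random session ID issued at login

    def login(self, user):
        """Return a new cookie value, or None while an earlier login is still open."""
        if user in self._active:
            return None  # 'latest-login-cookie' not yet cleared
        token = secrets.token_urlsafe(32)  # unguessable, from the OS CSPRNG
        self._active[user] = token
        return token

    def allow(self, user, cookie):
        """Decide whether the front end should pass this request to the back end."""
        expected = self._active.get(user)
        if expected is None or cookie is None:
            return False
        # Constant-time comparison; the client IP address plays no part.
        return hmac.compare_digest(expected.encode(), cookie.encode())

    def logout(self, user, cookie):
        """Clear the session only for the holder of the current cookie."""
        if self.allow(user, cookie):
            del self._active[user]
            return True
        return False

    def admin_override(self, user):
        """Administrator clears a session the user abandoned on another machine."""
        return self._active.pop(user, None) is not None


def demo():
    gate = SingleSessionGate()
    laptop = gate.login("alice")  # constructed user name
    return [
        gate.allow("alice", laptop),        # same cookie, any network
        gate.login("alice") is None,        # second computer is refused
        gate.allow("alice", "guessed-id"),  # wrong cookie is rejected
        gate.admin_override("alice"),       # admin clears the stale login
        gate.login("alice") is not None,    # user can log in again
        gate.allow("alice", laptop),        # old cookie no longer valid
    ]
```

In a real deployment the cookie would also be sent only over TLS with the `Secure` and `HttpOnly` attributes, and the session table would live somewhere the front-end processes share.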