10

I am trying to automatically log in users to an Xwiki install via basic auth. This is because help is stored in the wiki, but we want the retrieval process to be transparent to the user.

We push the user off to a url (via an <a> tag) like: http://username:password@xwiki.example.org/xwiki/bin/view/Main?basicauth=1

This works fine in every browser except Internet Explorer (see: http://support.microsoft.com/kb/834489). Unfortunately, 80% of our user base uses Internet Explorer and it is not an option to have them type in the credentials manually.

Currently, we have IIS 7.5 sitting in front of Xwiki and proxying all requests to the Tomcat instance on another server. This works fine. To solve my problem, I thought I could use an IIS rewrite rule to turn a url like this:

http://xwiki.example.org/xwiki/bin/view/Main?basicauth=1&_username=username&_password=password

into this:

http://username:password@xwiki.example.org/xwiki/bin/view/Main?basicauth=1&_username=username&_password=password

The idea being that IIS would substitute the _username/_password querystring parameters into the URL and pass it off to Tomcat, and Xwiki would ignore the extra parameters.

I have created a URL rewrite rule like:

<rule name="BasicAuthRewrite" enabled="true">
   <match url="https?://(.+)&amp;?_username=(.+)&amp;_password=(.+)" />
   <action type="Rewrite" url="http://{R:2}:{R:3}@xwiki.example.org/{R:1}" />
</rule>

When I go 'Test pattern' in IIS and supply my url, all the backreferences ({R:x}) match up to the data I want. However, when I visit the URL in my browser, the rewrite rule fails to invoke.

Is there any way I can achieve my desired behaviour?

Erin Drummond

4 Answers

17

It is possible to do Basic authentication with URL Rewrite on IIS. You should set the server variable HTTP_Authorization to the value Basic followed by the username:password in base64. Remember to add the variable to the allowed server variables.

So for the user Aladdin with the password open sesame the format would be Aladdin:open sesame and base64 encoded QWxhZGRpbjpvcGVuIHNlc2FtZQ==.

Which translates into Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

<rule name="SomeName" stopProcessing="true">
    <match url="url/to/match" />
    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
    <action type="Rewrite" url="http://www.redirecturl.com/" appendQueryString="true" />
    <serverVariables>
        <set name="HTTP_Authorization" value="Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" />
    </serverVariables>
</rule>

IIS Screenshot Authentication

Jaco
  • What if it depends on the user that is connected? I certainly cannot set it in the config file, as it is calculated at execution time. – Isaac Llopis Sep 24 '13 at 10:21
  • I think this solution might not work for your problem. You could write something with rewrite/proxy-like functionality and use that as a 'work-around'. – Jaco Sep 24 '13 at 14:09
  • What do you mean by "rewrite/proxy-like"? Something like creating a controller that sends over requests and rewrites responses? – Isaac Llopis Oct 03 '13 at 09:41
  • Something like that, indeed. – Jaco Dec 06 '13 at 07:18
  • A very important thing to remember is where @Jaco says to add the variable to the allowed variables. This is done on the URL Rewrite screen under 'View Server Variables'. Without it, it won't pass the variable. – hacker Dec 21 '17 at 15:53
  • @Jaco: Great thanks! But as hacker said, you might want to add some more emphasis to adding the variable to the allowed variables (I overlooked this at first) and maybe add a hint/screenshot *where* to add this. Maybe also add a word about the fact that the allowed server vars are not written to the Web.config file. – Jpsy Nov 09 '18 at 14:05
0

"Authorization cannot be delegated to ARR. Therefore, if the contents are highly sensitive in nature and require authorization, it is recommended that you do not enable cache." (ARR documentation)

But there is a workaround solution.

Solution

  • it would be far better should you be able to include the relevant portion of the solution in your post; should the link go offline your answer would remain useful. – Paolo May 29 '17 at 12:54
0

This should do:

<rule name="BasicAuthRewrite" stopProcessing="true">
    <match url="(.*)" />
    <conditions trackAllCaptures="true">
        <add input="{QUERY_STRING}" pattern="basicauth=1&amp;_username=(.+)&amp;_password=(.+)" />
    </conditions>
    <action type="Rewrite" url="http://{C:1}:{C:2}@xwiki.example.org/{R:1}" appendQueryString="false" />
</rule>
Tomek
  • Hmm, IIS returns a "HTTP Error 502.3 - Bad Gateway The server name or address could not be resolved". I think it might be interpreting the username/password as part of the domain name and trying to connect to it. I believe this because if I take out the username/password ("{C:1}:{C:2}@" section) it loads the login page as expected. Do you know if there is a way around this? – Erin Drummond Feb 29 '12 at 01:02
  • Sorry, I'm not familiar with restrictions of including authentication details as a part of domain address. – Tomek Feb 29 '12 at 11:18
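Added example, not code from the question, the answers, IIS or XWiki: it emulates what a proxy-side component has to do so that a credential reaches Tomcat as a Basic Authorization header. That is what Jaco's answer does statically with the HTTP_Authorization server variable, and what the rule in this answer cannot do, because a user:password@ prefix in the rewritten URL is URL userinfo, not a header; the 502.3 "server name could not be resolved" in the comment is consistent with ARR treating that prefix as part of the host to connect to. The code also strips _username/_password from the forwarded query string so they do not reach the backend's access log. The host name and the basicauth/_username/_password parameter names are taken from the question; everything else (function names, UTF-8 encoding of the credential, the sample URLs) is an assumption for illustration.

```python
# Added example (not from the question or answers): emulate what a
# proxy-side component must do to turn the credentials into a Basic
# Authorization header for the backend. Host and parameter names come
# from the question; everything else here is an assumption.
import base64
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

CREDENTIAL_PARAMS = ("_username", "_password")


def basic_authorization(username: str, password: str) -> str:
    """Build the header value per RFC 7617: 'Basic ' + base64(user ':' password).

    The user name must not contain ':'; the password may, because the
    receiver splits on the first colon only. Encoding as UTF-8 is an
    assumption (clients and servers have historically disagreed on this).
    """
    if ":" in username:
        raise ValueError("user name must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(value: str) -> tuple[str, str]:
    """Inverse of basic_authorization; shows what the backend would see."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, _, password = decoded.partition(":")
    return user, password


def rewrite_request(incoming_url: str) -> tuple[str, dict[str, str]]:
    """Return (url_to_forward, extra_headers) for one incoming request.

    Credentials are accepted either as userinfo (http://user:pw@host/...,
    what the question's rewrite rule builds) or as the _username/_password
    query parameters. In both cases they are removed from the forwarded
    URL: userinfo because the proxy would otherwise treat 'user:pw@host'
    as the host to resolve, query parameters because they would otherwise
    end up in the backend's access log. Requests without credentials are
    passed through unchanged.
    """
    parts = urlsplit(incoming_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    params = dict(query)

    username = parts.username
    password = parts.password
    if username is not None:
        username = unquote(username)          # userinfo is percent-encoded
        password = unquote(password or "")
    elif "_username" in params:
        username = params["_username"]        # parse_qsl already decoded these
        password = params.get("_password", "")
    else:
        return incoming_url, {}

    host = parts.netloc.rpartition("@")[2]    # drop userinfo, keep host[:port]
    clean_query = urlencode([(k, v) for k, v in query if k not in CREDENTIAL_PARAMS])
    forwarded = urlunsplit((parts.scheme, host, parts.path, clean_query, parts.fragment))
    return forwarded, {"Authorization": basic_authorization(username, password)}


if __name__ == "__main__":
    url, headers = rewrite_request(
        "http://xwiki.example.org/xwiki/bin/view/Main"
        "?basicauth=1&_username=Aladdin&_password=open+sesame"
    )
    print(url, headers, parse_basic_authorization(headers["Authorization"]))
```

URL Rewrite has no way to base64-encode a capture at request time, so a per-user version of this has to live in something that can run code in front of or inside IIS, which is the "rewrite/proxy-like" component the comments on the accepted answer talk about; the static HTTP_Authorization variable in that answer only ever logs everyone in as one shared account. The allowedServerVariables entry that answer depends on is stored in applicationHost.config (system.webServer/rewrite/allowedServerVariables), not in the site's web.config, which is why it does not show up there. Whatever does the rewriting, the _username/_password parameters are still part of the URL the browser sends, so they will appear in IIS's own W3C log (cs-uri-query is logged by default) and in browser history unless they are kept out of the URL altogether.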
-1

It appears this is not possible in IIS.

Erin Drummond