Changes between Version 18 and Version 19 of TracAuthenticationIntroduction

Timestamp:

Jun 1, 2020, 10:27:49 PM (4 years ago)

Author:

Ryan J Ollos

Comment:

Fix links, review and format.

TracAuthenticationIntroduction

@@ -1 +1 @@
 = Introduction to Authentication for Trac
 
-||This is a work in progress document - and is written by someone who has been working this stuff out, rather than an expert.  Please feel free to add clarifications, corrections and additions||
+{{{#!box note
+This is a work in progress document, written by someone who has been working this stuff out, rather than an expert.  Please feel free to add clarifications, corrections, and additions.
+}}}
 
-When deploying on a server such as Apache, Trac relies on any of the server's HTTP authentication methods, such as Basic and Digest. This is not the case for the development server [wiki:TracStandalone tracd], which is not covered here. Therefore, if you want to get Trac authentication working, you first need to understand how your server and your browser deal with HTTP authentication.
+When deploying on a server such as Apache, Trac relies on any of the server's HTTP authentication methods, such as Basic and Digest. Therefore, if you want to get Trac authentication working, you first need to understand how your server and your browser deal with HTTP authentication.
 
 There are 2 basic approaches to Trac authentication:-
@@ -9 +11 @@
  2. Restrict access such that the Trac installation is visible to someone without authentication, but you can login with Trac.
 
-The following examples are based on an Apache httpd server. Further information on authentication on Apache can be found at https://httpd.apache.org/docs/2.4/howto/auth.html
+The following examples are based on an Apache httpd server. Further information on authentication on Apache can be found in the [https://httpd.apache.org/docs/2.4/howto/auth.html Apache Auth documentation].
 
-They use a password file at {{{/var/www/db/passwd}}}. You can manipulate this file with the {{{htpasswd}}} program or with `user_manage` as described in https://httpd.apache.org/docs/current/programs/htpasswd.html.
+They use a password file at `/var/www/db/passwd`. You can manipulate this file with the [https://httpd.apache.org/docs/current/programs/htpasswd.html htpasswd].
 
 == Require Authentication To Access The Entire Trac Installation
@@ -19 +21 @@
 It has the advantage of being simpler to implement and manage. It also allows you to know that your data is as secure as your web server authentication scheme and that there is a degree of trust in the user information entered on tickets etc.
 
-The disadvantage of this method is that you cannot have a finer control over user permissions, for example: user `abc` can view, but not edit location `/path/to/location`.
+The disadvantage of this method is that anonymous access, typically with view-only permissions, is not allowed.
 
-For a Trac installation under {{{/var/www/trac}}}, visible as URL {{{http://www.example.com/trac/}}} you can use an authentication stanza for Apache similar to:
-{{{
+For a Trac installation under `/var/www/trac`, visible as URL `http://www.example.com/trac/` you can use an authentication stanza for Apache similar to:
+{{{#!apache
 <Location /trac>
   AuthType Basic
@@ -28 +30 @@
   AuthUserFile /var/www/db/passwd
   Require valid-user
-  ... extra directives to invoke trac
-  ... - ie ScriptAlias or mod_python stuff
+  # ... extra directives to invoke trac
+  # ... - ie ScriptAlias or mod_python stuff
 </Location>
 }}}
@@ -47 +49 @@
 === Basic Authentication
 
-To do this you need to control access to the {{{login}}} location under each Trac project, so for the example above you would change the configuration to:
-{{{
+To do this you need to control access to the `login` location under each Trac project, so for the example above you would change the configuration to:
+{{{#!apache
 <Location /trac/login>
   AuthType Basic
@@ -56 +58 @@
 </Location>
 <Location /trac>
-  ... extra directives to invoke trac
-  ... - ie ScriptAlias or mod_python stuff
+  # ... extra directives to invoke trac
+  # ... - ie ScriptAlias or mod_python stuff
 </Location>
 }}}
@@ -67 +69 @@
 === Digest Authentication
 
-To setup digest authentication, follow the instructions to create the digest password file. https://httpd.apache.org/docs/2.2/programs/htdigest.html. For the '''realm''' set in htdigest you must put a matching !AuthName. 
+To setup digest authentication, follow [https://httpd.apache.org/docs/2.2/programs/htdigest.html the instructions] to create the digest password file. For the '''realm''' set in htdigest you must put a matching !AuthName. 
 
 For example:
- `htdigest -c /path/to/.htdigest TracRealmName UserName`
+{{{#!sh
+$ htdigest -c /path/to/.htdigest TracRealmName UserName
+}}}
 
 Sample configuration:
 
-{{{
- ...WSGI config if using WSGI
+{{{#!apache
+ # ... WSGI config if using WSGI
  <Location /trac>
-   ...mod_python config if using mod_python
+   # ...mod_python config if using mod_python
    AuthType Digest
    AuthName "TracRealmName"
@@ -89 +93 @@
 If you are using Digest with WSGI you must enable authentication passthrough with: 
 
-{{{
+{{{#!apache
   WSGIPassAuthorization On
   WSGIScriptAlias /trac /path/to/trac/config.wsgi 
@@ -102 +106 @@
 To do so, choose one of the existing users on your `passwd` file, say the user `anadmin`, and use:
 
-{{{
- trac-admin /path/to/the/trac/project permission add anadmin TRAC_ADMIN
+{{{#!sh
+$ trac-admin /path/to/the/trac/project permission add anadmin TRAC_ADMIN
 }}}