IIS rewrite rule for basic auth in querystring

I am trying to automatically register users in an Xwiki installation through basic auth. This is because help is stored on the wiki, but we want the search process to be transparent to the user.

We push the user to the URL (via the <a> tag), for example: http://username:password@xwiki.example.org/xwiki/bin/view/Main?basicauth=1

This works great in every browser except Internet Explorer (see http://support.microsoft.com/kb/834489). Unfortunately, 80% of our user base uses Internet Explorer, and this does not mean that they manually entered credentials.

Currently, IIS 7.5 sits in front of Xwiki and proxies all requests for a Tomcat instance on another server. It works great. To solve my problem, I thought I could use an IIS rewrite rule to turn a URL like this:

http://xwiki.example.org/xwiki/bin/view/Main?basicauth=1&_username=username&_password=password

into:

http://username:password@xwiki.example.org/xwiki/bin/view/Main?basicauth=1&_username=username&_password=password

The idea was that IIS would replace the _username / _password querystring request parameters with the URL and pass it to Tomcat, and Xwiki would ignore the additional parameters.

I created a URL rewrite rule, for example:

    <rule name="BasicAuthRewrite" enabled="true">
      <match url="https?://(.+)&amp;?_username=(.+)&amp;_password=(.+)" />
      <action type="Rewrite" url="http://{R:2}:{R:3}@xwiki.example.org/{R:1}" />
    </rule>

When I go to the "test pattern" in IIS and put in my URL, all the backlinks ({R:x}) correspond to the data I want. However, when I visit the URL in my browser, the rewrite rule cannot be invoked.

Is there a way to achieve the desired behavior?

+4
4 answers

You can perform basic authentication by rewriting URLs in IIS. You must add the HTTP_Authorization server variable Basic, followed by the username:password in base64. Remember to add the variable to valid variables.

So, for a user Aladdin with the password open sesame, the format is Aladdin:open sesame, which in base64 is QWxhZGRpbjpvcGVuIHNlc2FtZQ==.

Which translates into Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

    <rule name="SomeName" stopProcessing="true">
      <match url="url/to/match" />
      <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
      <action type="Rewrite" url="http://www.redirecturl.com/" appendQueryString="true" />
      <serverVariables>
        <set name="HTTP_Authorization" value="Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" />
      </serverVariables>
    </rule>

IIS Screenshot Authentication

+6
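
The header value described in the answer above, built, decoded and placed into a rule of the same shape, as an added Python example (not code from the answer or from IIS). The rule name, match pattern and backend URL are hypothetical, and the rule only takes effect once HTTP_Authorization is in URL Rewrite's allowed server variables, as the answer notes.

```python
import base64
import xml.etree.ElementTree as ET


def basic_auth_value(username: str, password: str) -> str:
    """Build the Authorization value: 'Basic ' + base64('username:password')."""
    if ":" in username:
        # The first ':' separates the two fields, so a user name cannot contain one.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_auth(value: str) -> tuple:
    """Recover (username, password) from a header value.

    Base64 is an encoding, not encryption: whoever can read the rule in
    web.config can read the credential back exactly like this.
    """
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return username, password


def rewrite_rule(name: str, match_url: str, backend_url: str,
                 username: str, password: str) -> str:
    """Render a rule shaped like the answer's; ElementTree escapes attributes."""
    rule = ET.Element("rule", {"name": name, "stopProcessing": "true"})
    ET.SubElement(rule, "match", {"url": match_url})
    ET.SubElement(rule, "action", {"type": "Rewrite", "url": backend_url,
                                   "appendQueryString": "true"})
    variables = ET.SubElement(rule, "serverVariables")
    ET.SubElement(variables, "set", {"name": "HTTP_Authorization",
                                     "value": basic_auth_value(username, password)})
    ET.indent(rule)  # Python 3.9+
    return ET.tostring(rule, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample values: the answer's Aladdin / open sesame pair and
    # a hypothetical backend URL.
    print(rewrite_rule("XwikiBasicAuth", "(.*)",
                       "http://tomcat.example.internal/{R:1}",
                       "Aladdin", "open sesame"))
```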

This should do:

    <rule name="BasicAuthRewrite" stopProcessing="true">
      <match url="(.*)" />
      <conditions trackAllCaptures="true">
        <add input="{QUERY_STRING}" pattern="basicauth=1&amp;_username=(.+)&amp;_password=(.+)" />
      </conditions>
      <action type="Rewrite" url="http://{C:1}:{C:2}@xwiki.example.org/{R:1}" appendQueryString="false" />
    </rule>

0

Authorization cannot be delegated by ARR. Therefore, if the content is very sensitive in nature and requires authorization, it is recommended that you do not enable the cache. ARR

But there is a solution to the problem.

Decision

0

It seems like this is not possible in IIS.

-1

Source: https://habr.com/ru/post/1398891/

