
Initial experiences with FlexWiki setup

I installed FlexWiki on my public web server under http://wiki.toneengel.com without a hitch.

The next step was to enable secure access to a client namespace.

I settled on Windows Integrated security because Forms isn’t really secure without SSL, Passport is too expensive, and Windows Integrated is secure and relatively easy to enable.

I’ve discovered two problems with Windows Integrated security for this application:

1. There doesn’t seem to be any browser-level support for changing passwords, which means I’ll end up having to manually build some kind of password add/change user functionality, which will again leave application code handling user passwords.

2. A login dialog appears separately for each web site with Windows Integrated security enabled and access restricted. I was initially storing restricted image content on one site and referring to it from my wiki site. I created a separate folder in the wiki namespace root folder to store downloadable content so that it would inherit the same ACLs as the wiki.

Along the way to getting the wiki namespace set up, and after creating a bunch of pages, I discovered that I’d chosen a poor namespace naming convention, which led to moving the pages from one namespace root folder to a new one. This probably should have been painless, except that along the way to settling on ACLs I’d left things such that all the content was inaccessible from the administrator account used to manage the web server. After taking ownership of the content, moving it, and fixing a few links, everything worked great except for one thing.

I’m now noticing that when I click Edit to begin modifying an existing page, FlexWiki very often seems to get confused about the presence of an existing page and displays the new blank page template and the new page creation notice. This is particularly likely if the browser’s refresh or back commands were used prior to clicking Edit. Following wiki links to the page always seems to make Edit work correctly. Very strange.

2004-01-22 09:01 Thu, The beginnings of understanding.

The key is that some operations trigger a Windows Authentication login and others don’t.

Actions that trigger login:

Requesting an ACL-restricted page (with or without IIS Anonymous Access enabled).

Requesting a page from a site or subfolder that has Anonymous Access disabled.

Things that don’t trigger login:

File.OpenRead, File.OpenWrite, File.Exists, new DirectoryInfo of an ACL-restricted file or location.
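
One way to handle the distinction above in page code, as an added example that is not from the original post or from FlexWiki: `File.Exists` returns false both for a missing file and for one the current identity cannot read, so the helper opens the file to tell the two apart and answers 401 itself when the ACL denies an anonymous request. `PageAccess`, `PageProbe` and `EnsureReadable` are hypothetical names, and the sketch assumes the file access runs under the request's identity and that Integrated Windows authentication is enabled on the site so IIS attaches its challenge to the 401.

```csharp
using System;
using System.IO;
using System.Web;

// Added example; PageProbe and PageAccess are hypothetical, not FlexWiki code.
public enum PageProbe { Exists, Missing, AccessDenied }

public static class PageAccess
{
    // File.Exists cannot distinguish "missing" from "not allowed to read":
    // it returns false in both cases. Opening the file surfaces the ACL
    // denial as UnauthorizedAccessException instead.
    public static PageProbe Probe(string path)
    {
        try
        {
            using (FileStream fs = File.OpenRead(path)) { }
            return PageProbe.Exists;
        }
        catch (FileNotFoundException) { return PageProbe.Missing; }
        catch (DirectoryNotFoundException) { return PageProbe.Missing; }
        catch (UnauthorizedAccessException) { return PageProbe.AccessDenied; }
    }

    // Returns true when the caller may continue to its edit/create logic;
    // pageExists then says which template to show. Returns false after
    // writing a 401 (not logged in yet) or 403 (logged in, still denied),
    // in which case the caller must stop rendering.
    public static bool EnsureReadable(HttpContext ctx, string path, out bool pageExists)
    {
        PageProbe probe = Probe(path);
        pageExists = probe == PageProbe.Exists;
        if (probe != PageProbe.AccessDenied) return true;

        ctx.Response.Clear();
        // Assumption: with Integrated Windows authentication enabled, IIS
        // adds the WWW-Authenticate challenge to this 401 response.
        ctx.Response.StatusCode = ctx.Request.IsAuthenticated ? 403 : 401;
        ctx.ApplicationInstance.CompleteRequest();
        return false;
    }
}
```

With this in place, an access-denied probe is never reported as a missing page, so an ACL-protected page is not mistaken for a new one.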
