[TYPO3-english] FE authentication in TYPO3 4.x
Marcus Krause
marcus#exp2010 at t3sec.info
Mon Oct 4 10:13:16 CEST 2010
Hi!
Tonix (Antonio Nati) wrote on 10/04/2010 09:37 AM:
> On 03/10/2010 21:33, Steffen Gebert wrote:
>>> So this means if I use different authentications (services) in different
>>> trees of the same website, check is always done against all services?
>>> Speaking of standard installation, no tricks on code.
>> Services are checked until one makes a final decision (code 0 or 200).
>> Whether it returns 100 or 200, if it can't validate the user, depends
>> on the implementation.
>>
>>> And if I want to authenticate a tree against one specific service only,
>>> I have to modify typo3 code?
>> No, you can do this in localconf.php I think: The services register
>> themselves in their own ext_localconf.php (or ext_tables.php?) as
>> auth service. Unset this registration and set them only for the
>> required services dependent on $_SERVER variables.
>>
>> Kind regards
>> Steffen
>>
>
> Speaking about TYPO3 authentication, it is the third time, in a few
> days, I discover the option "more easy" is preferred to "more secure",
> and, indeed, it always leads to "less secure".
>
> I'd love to know more about "security priorities" in typo3, and
> architectural priorities.
They have all been outlined in this thread. Authentication in TYPO3 is
implemented as a chain of authenticators (so-called services). The chain
is built on the priority and quality of the services. A service can
authenticate a user or, if authentication fails, stop the authentication
process or delegate user authentication to other services in the chain.
By default, the base TYPO3 system has exactly one service enabled - one
that allows authenticating a FE or BE user against database user records
based on the current TYPO3 mode (backend/frontend) the user is requesting.
Included but disabled by default are two services - one which allows
encrypting sent credentials (sysext:rsa) and one that allows using salted
password hashes (sysext:saltedpasswords).
At any time, an administrator has full control over authenticator
settings (priority, quality) or the authenticator chain (aka. which
services are available for authentication).
Based on your recent postings you surely have some deeper knowledge on
application security. I hereby invite you to extensively discuss TYPO3
implementation with the TYPO3 security team:
security (at) typo3.org
You might want to read implementation details before:
http://typo3.org/documentation/document-library/core-documentation/doc_core_services/1.0.1/view/
TYPO3 is open source and any contribution is helpful and encouraged!
Regards,
Marcus.
--
Member TYPO3 Security Team
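A small model of the authenticator chain described in this thread, added here as an illustration (it is not TYPO3 code): services are ordered by priority and then quality, each returns one of the codes 0 (final reject), 100 (no decision, try the next service) or 200 (final success), and a per-host registration filter mirrors Steffen's suggestion of enabling services per tree. The service names, user records and the LDAP stand-in are constructed for the example.

```python
import hashlib
import hmac

STOP, CONTINUE, SUCCESS = 0, 100, 200   # authUser return codes discussed in the thread

class AuthService:
    """One authenticator in the chain: name, priority, quality, check callable, optional host list."""
    def __init__(self, name, priority, quality, check, hosts=None):
        self.name, self.priority, self.quality, self.check = name, priority, quality, check
        self.hosts = hosts  # None = registered for every host, else only for the listed hosts

def chain_for_host(services, host):
    """Keep only the services registered for this host, ordered by priority then quality (highest first)."""
    usable = [s for s in services if s.hosts is None or host in s.hosts]
    return sorted(usable, key=lambda s: (s.priority, s.quality), reverse=True)

def authenticate(services, host, username, password):
    """Walk the chain until a service makes a final decision (0 or 200); return (ok, trace)."""
    trace = []
    for svc in chain_for_host(services, host):
        code = svc.check(username, password)
        trace.append((svc.name, code))
        if code in (STOP, SUCCESS):
            return code == SUCCESS, trace
    return False, trace   # no service decided: treat as not authenticated

# Constructed salted user store: username -> (salt, PBKDF2 digest)
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000)

_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

def salted_db_check(username, password):
    """Database service: unknown user -> delegate (100); wrong password -> final reject (0)."""
    rec = USERS.get(username)
    if rec is None:
        return CONTINUE
    salt, digest = rec
    return SUCCESS if hmac.compare_digest(_hash(password, salt), digest) else STOP

def ldap_stub_check(username, password):
    """Stand-in for an external authenticator that never delegates on failure (constructed)."""
    return SUCCESS if (username, password) == ("bob", "ldap-pass") else STOP

SERVICES = [
    AuthService("saltedpasswords", priority=70, quality=50, check=salted_db_check),
    AuthService("ldap_stub", priority=60, quality=50, check=ldap_stub_check, hosts=["intranet.example"]),
]
```

Note that a service returning 100 instead of 0 on a failed check hands the decision to whatever comes next in the chain, which is the "more easy" versus "more secure" trade-off raised above.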