
TWiki, apache authentication and denying view access to anyone not authenticated

I just spent a half an hour chasing my tail trying to get TWiki to deny view privileges to anonymous users (who are assigned the TWikiGuest userid). I have a client that is going to be using TWiki as a document repository/portal, and wanted to make sure that we weren’t depending on ‘security through obscurity’.

We’re using Apache Authentication and it worked just fine for editing–you had to login before you could edit anything. We only want to limit access to certain Webs (it would be nice if people who knew about it could self register, which requires access to the TWiki web). I tried to edit the WebPreferences for the web to be protected and set DENYWEBVIEW = MainWeb.TWikiGuest. This denied view of the Dev web whether or not I was logged in.

Using the %WIKIUSERNAME% variable and this post on a similar problem led me to conclude that the REMOTE_USER environment variable wasn’t being carried across invocations. On every view, TWiki thought I was the TWikiGuest, until I explicitly logged in. Then, as long as I was editing, it was fine, but viewing was still denied.

That led me to this FAQ: Why is the environment variable REMOTE_USER var not set? which states that the REMOTE_USER variable isn’t sent on every request, but only for protected resources.

Protecting my view.cgi script did the trick. I did so by adding this line to my apache config (in the twiki/bin directory entry) and restarting it:

<FilesMatch "(view|attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
    require valid-user
</FilesMatch>

Now, the only problem is that self registration doesn’t work. But that’s minor, as I can create a guest user and have folks login to register with that user (and deny it access to the protected webs too, to force everyone to register).
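A coverage check for the FilesMatch directive above, added here as an example and not part of the original post: it extracts every FilesMatch block that carries require valid-user and reports which scripts will run with REMOTE_USER set and which will still be served to TWikiGuest. The script list is an assumed twiki/bin listing and the function names are hypothetical.

```python
import re

# Constructed copy of the directive from the post, with the closing tag restored.
APACHE_SNIPPET = '''
<FilesMatch "(view|attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
    require valid-user
</FilesMatch>
'''

# Assumed listing of a twiki/bin directory; adjust to the scripts actually installed.
BIN_SCRIPTS = ["view", "viewauth", "viewfile", "preview", "edit", "save",
               "attach", "upload", "rename", "manage", "logon", "mailnotify",
               "rdiff", "rdiffauth", "search", "changes", "oops", "register",
               "passwd", "resetpasswd", "statistics"]

BLOCK_RE = re.compile(
    r'<FilesMatch\s+"(?P<pattern>[^"]+)"\s*>(?P<body>.*?)</FilesMatch>',
    re.IGNORECASE | re.DOTALL)


def protected_patterns(config_text):
    """Return the FilesMatch regexes whose block contains 'require valid-user'."""
    patterns = []
    for block in BLOCK_RE.finditer(config_text):
        if re.search(r'^\s*require\s+valid-user\s*$', block.group("body"),
                     re.IGNORECASE | re.MULTILINE):
            patterns.append(re.compile(block.group("pattern")))
    return patterns


def coverage(config_text, scripts):
    """Split script names into (authenticated, anonymous).

    FilesMatch applies an unanchored regex to the file name, so re.search
    is the matching behaviour to mirror here.
    """
    patterns = protected_patterns(config_text)
    authed = [s for s in scripts if any(p.search(s) for p in patterns)]
    anon = [s for s in scripts if s not in authed]
    return authed, anon


if __name__ == "__main__":
    authed, anon = coverage(APACHE_SNIPPET, BIN_SCRIPTS)
    print("REMOTE_USER set (login required):", ", ".join(authed))
    print("served anonymously as TWikiGuest:", ", ".join(anon))
```

In this listing register lands in the anonymous group while view does not, which is consistent with the post's remark that self-registration needs view access to the TWiki web.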


Eclipse Remote File Synchronization Plugins

I was talking to a friend about Eclipse and he was saying that one of the things keeping him from using Eclipse was the lack of a ssh synchronization plugin (so that he could edit locally and deploy to a remote server, a typical web application setup). I typically use CVS for that purpose, but sometimes it’s overkill.

I took it upon myself to find one, because I think it’d be useful too. I found a few (all open source):

Sftp Plugin: Not updated since 2003, didn’t work in Eclipse 3.2.1. CPL Licensed. Seemed like it had the nicest interface.

Deployer: Works, but only deployed one file at a time (that I could see). Not released since 2005. LGPL.

DeployerFTP: Looked to be FTP only (according to the documentation), released in 2006.

And finally, one that worked for me: Esftp. Last released in 2006, but works with Eclipse 3.2.1. LGPL 2.1. Weird install procedure (but if you read the README.txt in the distribution, it makes sense) so make sure to read the installation instructions.

Some of these were listed in the Eclipse Plugins directory, but others weren’t. Caveat emptor.


Using Excel to ease Java i18n processes

Ah, the perils of reading Bloglines before going to sleep. (I’ll just catch up on one more blog…)
I gave a BJUG talk 18 months ago about large websites and internationalization (i18n). (Links and powerpoint here.) The talk was based on my experiences of a smooth operation, created and executed by Zia Consulting.

A crucial part of this i18n process was creating and moving around Excel files containing keys and translations. In addition, there was an Access database and a VB script that converted the keys and translations to properties files. The reason to do this is that the typical Java developer wants to use ResourceBundles for i18n, which typically involves properties files. And the typical translator is much more comfortable with Excel. So, Zia built a process which bridged that gap.

It looks like someone else solved the same problem with translators and Excel files, and open sourced the solution.

Via Rickard.

Updated 2/16, fixed typo and a small formatting change.


Thunderbird tip of the day: Using the pipe operator in the search box.

If you’re searching in Thunderbird, use the pipe (|) operator to do an ‘or’ search. So, if you want to find mail from both Brian and Grady, search for ‘brian|grady’ (if you have the default ‘search subject and/or sender’ search criteria). I looked around the Thunderbird Help, which has a helpful list of shortcuts and tips and tricks, and didn’t see this tip mentioned. I tried other special characters (& and *), but neither worked.

This was with Thunderbird

February Boulder Denver New Tech Meetup Notes

I went to the Boulder Denver New Tech meetup tonight and, boy, was it a good time. I’ve been to a few Boulder Java Users Groups, and some more academic talks at CU, but this was different than both. At the BJUGs, it’s typically a bunch of geeks and a very technical topic. At the CU colloquia, it’s an academic crowd, with a lot of focus on academic questions, and an even more technical topic. This meetup, on the other hand, had, I felt, a nice mixture of technical folks and business folks. This was the sixth one held in Boulder–for more information check out their website. I believe the format, 5 minutes of presentation followed by questions, eliminates a lot of fluff. The presenters tonight were:

* David Cohen:

David talked about his new organization, which recently was in the local press. will select 10 teams with technology ideas and fund them for a summer (to the tune of $15k). During that time, they’ll be mentored by a wide variety of successful local entrepreneurs and, at the end, have a chance to pitch their idea to angel investors. The strength of the team will be a large factor in determining the winners, and applications are due on March 31 (they’ve already had over 100 teams apply).

* Russ Bryant:

Russ talked about the website his company is building, which focuses on the urban lifestyle demographic (he mentioned blacks and latinos in particular). It’s particularly aimed at a segment of the population that has bad or no credit, and a large part of the business plan depends on selling prepaid debit cards to that population. Such a debit card will allow users to participate in internet purchasing, as well as gain the other benefits of debit cards (users can charge up the cards at stores around the country). will also be a drop ship ecommerce site, and has a long list of partnerships.

* Elliot Turner:

Elliot focused on mashups for the ordinary user. His application, Alchemy Point, is a Firefox toolbar that aims to provide some of the functionality of GreaseMonkey, but for normal users. He mentioned that mashups are a great way to create a user centric web, by allowing users to grab only what is interesting to them (as opposed to most websites, which have a distinctly larger audience). The toolbar comes with a number of preconfigured mashups (‘make this text bold’, ‘put a map next to this address’) that have been written by his company. Users also have the capability, with a simple XML syntax (with a graphical UI yet to come), to create their own, and to share them.

* Dennis Yu:

Dennis talked about search engine marketing, which is the business of building campaigns on the major search engine sites. He said a campaign consists of keyword + ad copy + bid for the keyword. He showed an example of a campaign his company built for a New Year’s Eve ticket seller and said for every 9 cents the company spent on SEM, they got one dollar in sales. He also mentioned that there are a ton of MFA (made for AdSense) sites out there, and as an advertiser, you need to be aware of sites sending you worthless referrals and block them as soon as possible, as the click fraud happening is tremendous. Oh yeah, they’re also looking to help nonprofits use SEM.

* Fernando Cardenas:

Fernando discussed the application his company is building to combat software failure. First, the cost of software failure is $60 billion a year, and 25% of all software projects are just plain abandoned. The reason for that is the disconnect between the developers and business folks. His solution is to put better tools in the hands of business folks, and have the tools create a set of business rules and a UI that the business people are happy with. Then, with the app 60-80% done, the business users can hand it off to the developers for fine tuning. I’m a bit skeptical, because I think there’s no silver bullet and the hard parts of any development conversation are the grinding out of requirements. Plus, I’ve seen one too many scary Access applications (and built a scary Paradox application myself)–not sure how the maintainability of the code generated by the tool will be. But I hope that his application succeeds as there’s a ton of places where simple applications could save a lot of scutwork. Thingamy is in the same space, I think.

All in all it was quite a nice night, and well worth attending. A lot of exciting energy in the air–it reminded me a bit of 1999 (I even saw a fellow with a Netscape fleece on!).