This question about Authentication or Authorisation: Answered

Not Acceptable (406) / Log in forbidden (403)

Hi,

today (21/06/'20) I wasn't able to log in to one of the public webs on my foswiki site.

When I click the login link, I get:

Forbidden
You don't have permission to access this resource.

Also other public webs (e.g. Main) are visible, but can't be logged in to.

One workaround to log in is to go to a private web, where the login form is shown immediately, then log in, then go to the public web...

Another workaround is to delete the query string from the URL:

FORBIDDEN: http://wiki.boossy.be/bin/login?foswiki_origin=GET%2cview%2c/bin/view/Boossy/WebHome

WORKAROUND 1 OK (private web): http://wiki.boossy.be/bin/view/Yssoob/WebHome

WORKAROUND 2 OK (no query string): http://wiki.boossy.be/bin/login

The link starts to show the logon screen if I shorten it up to: http://wiki.boossy.be/bin/login?foswiki_origin=GET%2cview%2c/bin Once I add another slash, I get the error!

In the meantime (23/06/'20), the message has changed, but the workarounds still work:

Not Acceptable
An appropriate representation of the requested resource could not be found on this server.

According to the hosting company, a weekly update had been executed on the shared servers.

What can I check to solve this?

Kind regards

Stijn

SOLVED!

The error log of the hosting company showed the following error:
[:error] 
ModSecurity: Access denied with code 406 (phase 2). 
Match of "contains /wp-admin/admin-ajax.php?action=ime_test_im_path" against "REQUEST_URI" required. 
[file "remote server"] 
[line "-1"] 
[id "410009"] 
[msg "Malware.Expert - query_string: unwanted shell access"] 
[hostname "wiki.boossy.be"] 
[uri "/bin/login"] 
[unique_id "XvMGeb5Rwa83WZiDXjWScwAAAXk"], 
referer: http://wiki.boossy.be/bin/view/Boossy/WebHome

This is clearly meant to avoid access to WordPress admin pages, so it's a false positive in my case (my URL is e.g. http://wiki.boossy.be/app/login?foswiki_origin=GET%2cview%2c/app/view/Boossy/WebHome), but not wanting to bother the hosting company with an exception only for me, I figured out a solution.

I tried three possibilities:

(0) disable mod_security for wiki.boossy.be

But this didn't work; I suppose the hosting company didn't allow me to do that.

(1) use short URLs

Inspiration

First, I added this to the root .htaccess:
# RewriteEngine On (is already on, so that's why it is commented out here)
RewriteRule ^([A-Z].*) /home/web00929/domains/boossy.be/public_html/wiki/bin/view/$1 [L]
DirectoryIndex /bin/view

Then I adapted the Foswiki Configuration accordingly:
  • General settings, Web URLs and Paths:
  • Script Url Path: /bin
  • Script Url Path for View:
So I emptied the Script Url Path for View

This effectively solved the problem, but I had no skin (no css)...

One day later, the css was solved...

(2) symbolic link to bin

Before I tried the short URL solution, I had another solution/workaround, i.e. a symlink to the app directory:

ln -s bin app

Then I had to change the redirect in the .htaccess of wiki.boossy.be as well:

# Redirect /index.html /bin/view/Boossy/WebHome
Redirect /index.html /app/view/Boossy/WebHome

And finally I adapted the Foswiki Configuration accordingly:
  • General settings, Web URLs and Paths:
  • Script Url Path: /app
  • Script Url Path for View: /app/view
Save your changes.
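An added example (not part of Stijn's post and not Foswiki code): a small Python script that performs the bisection described in the question automatically, cutting the foswiki_origin query string back one path segment at a time until the WAF stops answering 403/406. The WAF decision is a pluggable predicate: the offline stand-in observed_block only encodes what the question reports ("/bin" passes, anything after a further slash fails) and is not the hosting company's actual rule, whose text is not on this page; http_is_blocked is the live version, using the two status codes from the question. FORBIDDEN_URL is the URL copied from the question.

```python
"""Bisect a query string to find the shortest prefix a WAF rejects.

Added example; not code from Stijn's post or from the Foswiki project.
It automates the manual test described in the question (shortening the
foswiki_origin query string until the login page loads again) so the
same check can be rerun after a hosting update.

The WAF decision is injected as a predicate. `http_is_blocked` is the live
version (403/406 from the server, the two codes seen in the question);
`observed_block` is a CONSTRUCTED stand-in that encodes only what the
question reports ("/bin" passes, "/bin/" plus anything fails). It is not
the real Malware.Expert rule 410009, whose text is not on the page.
"""
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit
import urllib.error
import urllib.request

# The request from the question that produced 403/406 (copied from the post).
FORBIDDEN_URL = ("http://wiki.boossy.be/bin/login"
                 "?foswiki_origin=GET%2cview%2c/bin/view/Boossy/WebHome")


def query_prefixes(url: str) -> List[str]:
    """Variants of `url` whose query string is cut back at every '/' boundary.

    Returned shortest first: first the URL with no query string at all
    (the poster's "WORKAROUND 2"), then one variant per path segment inside
    the query string, ending with the untouched URL.
    """
    parts = urlsplit(url)
    query = parts.query  # kept percent-encoded exactly as the browser sent it
    cut_points = [0] + [i for i, ch in enumerate(query) if ch == "/"] + [len(query)]
    variants: List[str] = []
    for cut in cut_points:
        prefix = query[:cut]
        candidate = urlunsplit((parts.scheme, parts.netloc, parts.path, prefix, parts.fragment))
        if candidate not in variants:  # duplicates when the query is empty or has no '/'
            variants.append(candidate)
    return variants


def bisect_query_string(url: str, is_blocked: Callable[[str], bool]
                        ) -> Tuple[Optional[str], Optional[str]]:
    """Return (longest allowed variant, shortest blocked variant).

    Walks the variants from shortest to longest and stops at the first one
    the predicate rejects, so it sends at most one request per '/' in the
    query string. Assumes blocking is monotonic in the prefix, which is what
    the manual test in the question showed.
    """
    last_allowed: Optional[str] = None
    for candidate in query_prefixes(url):
        if is_blocked(candidate):
            return last_allowed, candidate
        last_allowed = candidate
    return last_allowed, None


def observed_block(url: str) -> bool:
    """CONSTRUCTED stand-in for the hosting WAF, for offline use only.

    Models the observation in the question: the login page loads with a
    query string ending in '/bin' and fails as soon as another '/' follows.
    The real ModSecurity rule is not known from the page.
    """
    return "/bin/" in urlsplit(url).query


def http_is_blocked(url: str, timeout: float = 10.0) -> bool:
    """Live predicate for running the bisection against your own site:
    True when the server answers 403 or 406, the codes seen in the question."""
    try:
        urllib.request.urlopen(url, timeout=timeout)
    except urllib.error.HTTPError as err:
        return err.code in (403, 406)
    return False


if __name__ == "__main__":
    # Offline run with the constructed predicate; swap in http_is_blocked
    # to rerun the check against the live site.
    allowed, blocked = bisect_query_string(FORBIDDEN_URL, observed_block)
    print("last allowed :", allowed)
    print("first blocked:", blocked)
```

With the constructed predicate the script reports .../bin as the last allowed variant and .../bin/view as the first blocked one, the same boundary Stijn found by hand. Against a live host, swap in http_is_blocked and keep the two URLs that straddle the rule: that pair is exactly what a WAF operator needs to scope an exception to one query parameter instead of disabling mod_security for the whole vhost.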


QuestionForm

Subject: Authentication or Authorisation
Extension:
Version: Foswiki 2.1.6
Status: Answered
Related Topics:
Topic revision: r7 - 26 Oct 2022, StijnBousard