diff --git a/conf/defaults.config b/conf/defaults.config index 882bfa455c..2ab5313e1b 100644 --- a/conf/defaults.config +++ b/conf/defaults.config @@ -744,9 +744,8 @@ $authen{user_module} = {"*" => "WeBWorK::Authen::Basic_TheLastOption"}; # A string or a hash is accepted, as above. $authen{proctor_module} = "WeBWorK::Authen::Proctor"; -# List of authentication modules that may be used to enter the admin course. -# This should always be an array reference with a subset of the modules named -# in $authen{user_module}. +# This is used instead of $authen{user_module} to determine which authentication +# module to use when logging into the admin course. $authen{admin_module} = ['WeBWorK::Authen::Basic_TheLastOption']; ################################################################################ diff --git a/conf/localOverrides.conf.dist b/conf/localOverrides.conf.dist index 6ea88b25cf..5c5e1796ff 100644 --- a/conf/localOverrides.conf.dist +++ b/conf/localOverrides.conf.dist @@ -485,19 +485,18 @@ $mail{feedbackRecipients} = [ #$authen{proctor_module} = "WeBWorK::Authen::Proctor"; # List of authentication modules that may be used to enter the admin course. -# This should be a non-empty sublist of whatever is in $authen{user_module}. +# This is used instead of $authen{user_module} when logging into the admin course. # Since the admin course provides overall power to add/delete courses, access # to this course should be protected by the best possible authentication you # have available to you. The current default is # WeBWorK::Authen::Basic_TheLastOption which is simple password based # authentication for a password locally stored in your WeBWorK server's # database. On one hand, this is necessary as the initial setting, as it is the -# only option available when a new server is being installed. However, since -# this option does not make use of multi-factor authentication or provide any -# capabilities to prevent dictionary attacks, etc. At the very least you should -# use a very strong password. If you have the option to use a more secure -# authentication approach to the admin course (one which you are confident -# cannot be spoofed) that is preferable. +# only option available when a new server is being installed, on the other hand, +# this option does not provide any capabilities to prevent dictionary attacks, etc. +# At the very least you should use a very strong password with two factor authentication. +# If you have the option to use a more secure authentication approach to the admin course +# (one which you are confident cannot be spoofed) that is preferable. # # Note that if you include authentication module config files further down, # those may override the setting of $authen{admin_module} here. diff --git a/lib/WeBWorK/Authen.pm b/lib/WeBWorK/Authen.pm index c5de75dd0e..002e5753c3 100644 --- a/lib/WeBWorK/Authen.pm +++ b/lib/WeBWorK/Authen.pm @@ -130,7 +130,10 @@ sub call_next_authen_method { my $c = $self->{c}; my $ce = $c->{ce}; - my $user_authen_module = WeBWorK::Authen::class($ce, "user_module"); + my $user_authen_module = + $ce->{courseName} eq $ce->{admin_course_id} + ? WeBWorK::Authen::class($ce, "admin_module") + : WeBWorK::Authen::class($ce, "user_module"); if (!defined $user_authen_module || $user_authen_module eq '') { $self->{error} = $c->maketext( "No authentication method found for your request. If this recurs, please speak with your instructor."); @@ -155,18 +158,6 @@ sub verify { debug('BEGIN VERIFY'); return $self->call_next_authen_method if !$self->request_has_data_for_this_verification_module; - my $authen_ref = ref($self); - if ($c->ce->{courseName} eq $c->ce->{admin_course_id} - && !(grep {/^$authen_ref$/} @{ $c->ce->{authen}{admin_module} })) - { - $self->write_log_entry("Cannot authenticate into admin course using $authen_ref."); - $c->stash( - authen_error => $c->maketext( - 'There was an error during the login process. Please speak to your instructor or system administrator.' - ) - ); - return $self->call_next_authen_method(); - } $self->{was_verified} = $self->do_verify;