webbukkit / dynmap

A set of Minecraft mods that provide a real time web-based map system for various Minecraft server implementations.
https://www.reddit.com/r/Dynmap/
Apache License 2.0

Basic Authentication for Internal Server Mode #487

Closed by GravelSocks 12 years ago

GravelSocks commented 12 years ago

Provide basic web authentication for internal server mode to protect the map URL.

DarthAndroid commented 12 years ago

Just proxy the internal server behind Apache and bind the internal server to 127.0.0.1, and then set up Apache's authentication. It's much more flexible than the dynmap guys re-implementing every authentication scheme that people want.

chrisyco commented 12 years ago

I agree with DarthAndroid. Why reimplement something when another program would do it better?

As for the proxy, nginx is fast and easy to configure. It (and Apache) can do various things beyond what you want as well.
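The reverse-proxy setup suggested in the two comments above, sketched as an Apache 2.4 virtual host. This is an added example, not part of the original thread or the dynmap project. The host name, file paths, and port are placeholders, and it assumes dynmap's internal web server has been bound to 127.0.0.1:8123 through `webserver-bindaddress` and `webserver-port` in dynmap's `configuration.txt`.

```apache
# Added example. Requires mod_proxy, mod_proxy_http, mod_auth_basic,
# mod_authn_file, mod_authz_user and mod_ssl.
# Assumption: dynmap listens on loopback only (127.0.0.1:8123), so the
# only route to the map from outside is through this authenticated proxy.
<VirtualHost *:443>
    # Placeholder host name
    ServerName map.example.org

    # Basic auth sends the password base64-encoded on every request,
    # so expose it over TLS only. Certificate paths are placeholders.
    SSLEngine on
    SSLCertificateFile    /path/to/fullchain.pem
    SSLCertificateKeyFile /path/to/privkey.pem

    # Reverse proxy only; never enable forward (open) proxying.
    ProxyRequests Off
    ProxyPass        / http://127.0.0.1:8123/
    ProxyPassReverse / http://127.0.0.1:8123/

    <Location "/">
        AuthType Basic
        AuthName "Dynmap"
        AuthBasicProvider file
        # Keep the password file outside any served directory.
        # Create it with bcrypt hashes (placeholder path and user):
        #   htpasswd -c -B /etc/apache2/dynmap.htpasswd <user>
        AuthUserFile /etc/apache2/dynmap.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

If dynmap is left bound to all interfaces, clients can still reach port 8123 directly and skip the proxy's authentication, so confirm the loopback binding from another host after restarting.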

GravelSocks commented 12 years ago

I appreciate your comments, but I beg to differ. Many Minecraft server implementations run solely in Windows and it is extremely reasonable to expect basic, minimal, self-contained security from a plugin such as Dynmap, since it opens up a web front-end to the Minecraft server. Are you saying that users should add an external Apache server just for the sake of 1 plugin (complexity failure) or that all Windows Minecraft servers should run something like WAMP, completely duplicating the Windows server environment just to have authentication for a Minecraft plugin that should provide its own basic security? Dynmap clearly implements everything else to provide HTTP protocol support. Is Basic Auth. really that much of a stretch beyond the rest of the HTTP support that's already there?

chrisyco commented 12 years ago

No, they don't need something as large. Polipo is tiny (one executable) and it supports basic authentication.

If we do end up with authentication support, how will it work? Will it authenticate with minecraft.net just like the game? Or will the user set a password in a config file?

Maybe the best long-term solution is to expose more of the DynMap server, so other developers can add in authentication themselves, just like how they can add icons already?

GravelSocks commented 12 years ago

I would suggest taking the approach of adding minimal support for .htaccess and .htpasswd files that would go in the Dynmap plugin directory somewhere - maybe in an "Auth" folder. Hopefully not a difficult task. I guess it would also entail cookie support for authenticating clients...just another header. The other useful thing here would be to add plugin commands to generate the .htxxxx files, add supported users, and encode passwords along the lines of htpasswd.

mikeprimm commented 12 years ago

First pass of user authentication added to 0.36 development build

GravelSocks commented 12 years ago

Nice - thanks, Mike! I should be able to give it a try next week.

mikeprimm commented 12 years ago

Released in 0.36 and later