5

I tried out the "Simple Acl controlled Application 1&2" tutorial located at http://book.cakephp.org/2.0/en/tutorials-and-examples/simple-acl-controlled-application/simple-acl-controlled-application.html .

After doing this, I tried to activate BasicAuth instead of FormAuth.

I reimplemented the login() function im my UsersController as follows:

public function login() {
if ($this->Auth->login()) {
        return $this->redirect($this->Auth->redirect());
    } else {
        $this->Session->setFlash('Not able to login');
    }
}

and changed the $components variable in my AppController to the following:

public $components = array(
    'Acl',
    'Auth' => array(
        'authorize' => array(
            'Actions' => array('actionPath' => 'controllers')
        ),
        'authenticate' => array('Basic')
    ),
    'DebugKit.Toolbar',
    'Session'
);

The BasicAuth "popup" appears as expected, but when I'm trying to login, it reappers in an endless loop. I did not change anything after doing the tutorial except for including DebugKit.

What am I missing? I hope someone can help me, as I'd like to go with CakePHP coding my next Project!

Update

AppController

public function beforeFilter() {
    //Configure AuthComponent
    $this->Auth->allow('display');
    $this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
    $this->Auth->logoutRedirect = array('controller' => 'users', 'action' => 'login');
    $this->Auth->loginRedirect = array('controller' => 'posts', 'action' => 'add');
}

UsersController

public function beforeFilter() {
    parent::beforeFilter();
}

I'm trying to access e.g. /users/ which works like a charm using the FormAuth described in the tutorial, so there can't be a permission problem. Logindata is pretty simple for testing (admin:admin) so there should be no problem either.

Update 2

In my Apache Log i get the following, so it says I'm not authorized:

IP - - [16/Apr/2013:18:08:37 +0200] "GET /users/login HTTP/1.0" 401 5179 "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:23.0) Gecko/20130414 Firefox/23.0"

Update 3

For some reason it seems, that User and Password are either not sent or not saved in PHP. If I rewrite /lif/Cake/Controller/Auth/BasicAuthenticate to the following, it works!

public function authenticate(CakeRequest $request, CakeResponse $response) {
    $_SERVER['PHP_AUTH_USER'] = $_SERVER['PHP_AUTH_PW'] = "admin";
    $result = $this->getUser($request);

    if (empty($result)) {
        $response->header($this->loginHeaders());
        $response->statusCode(401);
        $response->send();
        return false;
    }
    return $result;
}

Update 4

Don't know if thats helpful, but the Server is running Plesk 11, latest update, no special modifications.

Update 5

Okay, that answer of "thaJeztah" was useful, but now I'm getting more problems which can be subdivided.

  1. Changed mode from fcgid to apache module

    1.1. Results in working login, but logout does not work! After the redirect, the session seems to be cleared, but i can still access every restricted page until i clear my browsers "Active Logins" as it is called in Firefox.

var_dump($this->Session->read('Auth.User'));

NULL

When I access /users/login I am automatically logged in and redirected without having to enter login credentials.

print "<pre>";
print_r($this->Session->read('Auth.User'));
print "</pre>";

Array
(
    [id] => 1
    [username] => admin
    [group_id] => 1
    [created] => 2013-04-12 12:54:26
    [modified] => 2013-04-16 14:27:24
    [is_active] => 1
    [Group] => Array
        (
            [id] => 1
            [name] => Admin
            [created] => 2013-04-12 12:46:42
            [modified] => 2013-04-12 12:46:42
        )

)

  1. Using the .htaccess based solution works as well, it even looks like as if thats the only change needed (I removed the list() code as I did never get into it and it worked as well).

    2.1. Same problem as above, no real logout possible.

Update 6

Probably the last or one of my last updates. :-) Right now I'm trying to do a "fake logout" by logging the user in as a guest user I created who has only access to /users/login and /pages/home: http://guest:guest@my.domain/users/login

Accessing /users/logout might work too, as I'm using this piece of code there:

public function logout() {
    $user = $this->User->find('first', array('conditions' => array('username' => 'guest')));
    $this->Auth->login($user['User']['id']);
}

I simly don't believe, this will be consistent, since I believe the Session data will be deleted some time and the browser still got the active admin login and authenticates using these - am I right?

After that I can login a different User again using http://admin:admin@my.domain/users/login. Not perfect, but works at least for Firefox.

So basically one last question: Any suggestions on how to force a BasicAuth when accessing /users/login? This way I could easily switch users at any time using any client.

Update 7

I found a way to do exactly this with the idea in my accepted answer. I hope I caught all edge cases in this, feel free to correct me if not!

(P.s.: when using ACL and or basic authentication the isAuthorized() in at least the AppController seems to be ignored (it was recognized, but had no effect - when i deleted the method without changing $components, i got an error) which lead to me implementing this without using isAuthorized().)

AppController.php

public function beforeFilter($redirectlogin = true) {
    //Configure AuthComponent
    $this->Auth->allow('display', '/users/login');
    $this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
    $this->Auth->logoutRedirect = array('controller' => 'pages', 'action' => 'home');
    $this->Auth->loginRedirect = array('controller' => 'pages', 'action' => 'home');
    $this->Auth->unauthorizedRedirect = array('controller' => 'HTTPCODE', 'action' => 'c403');

    if($redirectlogin && $this->Session->read('Auth.needs_reauthenticate')) {
        if(!($this->request->params['controller'] == $this->Auth->loginRedirect['controller'] && $this->request->params['pass'][0] == $this->Auth->loginRedirect['action'])) {
            $this->redirect('/users/login');
        }
    }
 }

UsersController.php

public function beforeFilter() {
    parent::beforeFilter(false);
}

    public function login() {
        $this->autoRender = false;
        $this->Session->write('Auth.needs_reauthenticate', true);
        if(!$this->Session->check('Auth.count')) {
            $count = 1;
        } else {
            $count = $this->Session->read('Auth.count') + 1;
        }
        $this->Session->write('Auth.count', $count);

        if($this->Session->read('Auth.needs_reauthenticate')) {
            if((isset($_SERVER['HTTP_AUTHORIZATION']) && $this->Session->read('Auth.count') == 1) || (!isset($_SERVER['HTTP_AUTHORIZATION']) || empty($_SERVER['HTTP_AUTHORIZATION']) || !$this->Session->check('Auth.sent_header_step') || $this->Session->read('Auth.sent_header_step') < 1)) {
                unset($_SERVER['HTTP_AUTHORIZATION']);
                $this->Session->write('Auth.redirectTo', $this->Auth->redirect());

                $this->response->header(sprintf('WWW-Authenticate: Basic realm="%s"', env('SERVER_NAME')));
                $this->response->statusCode(401);
                $this->response->send();

                $this->Session->write('Auth.sent_header_step', 1);
            }       

            if(isset($_SERVER['HTTP_AUTHORIZATION'])) {
                $this->Session->write('Auth.sent_header_step', 0);
                $base64string = base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6));
                if(!(strlen($base64string) > 1 && substr($base64string, -1, 1) != ":")) {
                    $_SERVER['PHP_AUTH_USER'] = "";
                    $_SERVER['PHP_AUTH_PW'] = "";
                }

                $data = true;
            }

            $this->Auth->logout();

            if(isset($data) && $this->Session->read('Auth.count') > 1) {
                if($this->Auth->login()) {
                    $this->Session->write('Auth.needs_reauthenticate', false);
                    if($this->Session->check('Auth.redirectTo')) {
                        $redirectTo = $this->Session->read('Auth.redirectTo');
                        $this->Session->delete('Auth.redirectTo');
                        $this->Session->delete('Auth.count');

                        return $this->redirect($redirectTo);
                    } else {
                        return $this->redirect($this->Auth->redirect());
                    }
                } else {
                    $this->response->statusCode(403);
                    // my 403 message
                }
            } else {

                if(!isset($_SERVER['HTTP_AUTHORIZATION']) && $this->Session->read('Auth.count') > 1 && isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']) && trim($_SERVER['PHP_AUTH_USER']) != "" && trim($_SERVER['PHP_AUTH_PW']) != "") {
                    if($this->Auth->login()) {
                        $this->Session->write('Auth.needs_reauthenticate', false);
                        if($this->Session->check('Auth.redirectTo')) {
                            $redirectTo = $this->Session->read('Auth.redirectTo');
                            $this->Session->delete('Auth.redirectTo');
                            $this->Session->delete('Auth.count');

                            unset($_SERVER['HTTP_AUTHORIZATION']);
                            unset($_SERVER['PHP_AUTH_USER']);
                            unset($_SERVER['PHP_AUTH_PW']);
                            return $this->redirect($redirectTo);
                        } else {
                            return $this->redirect($this->Auth->redirect());
                        }
                    } else {
                        $this->response->statusCode(403);
                        // my 403 message
                    }
                }

                $this->response->statusCode(403);
                // my 403 message
            }
        }
    }

Thanks in advance

Adrian

boindil
  • 95
  • 1
  • 9
  • Did you add the functions in the beforeFilter (like in the tutorial)? Specifically `$this->Auth->loginRedirect`. It appears that you're logged in, but the redirection isn't working properly. If you have that code, can you update your question with it? And check if the user logged in actually has permission to access that action? – Nunser Apr 16 '13 at 14:09
  • @nuns: Updated my post with the requested information – boindil Apr 16 '13 at 14:38
  • You're using cakephp 2.3, try changing `return $this->redirect($this->Auth->redirect());` to `return $this->redirect($this->Auth->redirectUrl());` in the login function (and return the BasicAuthenticate to the original). If that doesn't work, since the overwriting worked for you, I would recommend extending the *BasicAuthenticate* class and change the *getUser()* function. I've seen a [couple of post](http://stackoverflow.com/questions/8435482/cakephp-2-0-and-basic-auth) with similar problems and that seems to be the solution. – Nunser Apr 16 '13 at 17:43
  • On second thought... if you have to set the env variables `PHP_AUTH_USER`and `PHP_AUTH_PW` by hand, that means they're not set before (duh). Where are you setting them? What's your code for the call to http rquest? – Nunser Apr 16 '13 at 17:57
  • @nuns updated my post based on thaJeztah's answer, it includes that thought (Update 5) – boindil Apr 16 '13 at 21:45

1 Answers1

3

Using Basic Authentication when running PHP as (Fast)CGI

It's possible that your website is configured to run PHP as (Fast)CGI, in which case the PHP_AUTH_USER and PHP_AUTH_PWD keys are not present in the $_SERVER variable. The BasicAuthenticate AuthComponent relies on these keys.

Either change the domain/webhosting settings in Plesk to run php as 'apache module' for this website/domain or extend the BasicAuthenticate Component to get these variables some other way.

More information on this subject can be found in this question:

PHP_AUTH_USER not set?

And for the Symfony framework, somebody seems to have written a workaround that may be useful in this situation as well;

https://github.com/symfony/symfony/issues/1813

update: loging out when using basic authentication

Loging out when using basic authentication is not really possible. Basic authentication is a 'stateless' authentication mechanism, which basically means that the browser is sending the user-credentials with every request. In other words; the server does not keep a 'state', the browser does. With Basic Authentication, you require the browser to send user credentials and as long as the browser sends valid credentials, you allow the browser access to the protected pages.

The only way to log out, is to close the browser, or tell the browser to close active sessions/logins.

Read more information here:

http://en.wikipedia.org/wiki/Basic_access_authentication

http basic authentication "log out"

Notes

Base Authentication is not a secure authentication mechanism; the username and password is sent to the server with every request. The password is sent unencrypted (only base64 encoded to prevent problems with special characters).

Although Form authentication also sends the password unencrypted, it is (a bit more) secure as it will only send the username/password when logging in. Subsequent requests will only send the Session-id, which can be set to expire and limited to a specific IP and/or Browser type.

In all cases, securing the connection via SSL is obviously important.

Forcing re-authentication on the login page

This is just 'thinking out loud', untested and highly experimental :)

Try this;

  1. If no session is active, proceed the normal way. There is no way to differentiate 'already logged in' users from 'new users' in Basic Authentication - it is stateless

  2. If a session is active, a user apparently has an active session going on. Don't destroy the session, but change the rules;

    • If the credentials sent are for the same user as the username inside the session (or, better: $this->Auth->user('username');?, Then invalidate the session (not destroy) and force the user to re-authenticate, by sending login headers;
    • You may copy the headers from the BasicAuthenticate behavior; see the source here BasicAuthenticate::authenticate()
    • Regarding 'copying the headers'; Maybe extending the BasicAuthenticate is a cleaner approach; handle all your custom code inside your customized version.

Additionally, check if the session is still 'valid' inside AppController::isAuthorized()(see Using ControllerAuthorize)

Something like this (Mockup code):

Login page/action:

if ("usercredentials sent by browser" === "current logged in user in session") {
    // Mark session as 'needs-to-reauthenticate'
    $this->Session->write('Auth.needs_reauthenticate', true);

    // Need to find a clean approach to get the BasicAuth loginHeaders()
    // *including* the right settings (realm)
    $this->response->header(/*BasicAuth::loginHeaders()*/);

    // Access denied status
    $this->response->statusCode(401);
    return $this->response->send();
}

AppController::isAuthorized()

if ($this->Session->read('Auth.needs_reauthenticate')) {
    return false;
} else {
    // Normal 'isAuthorized()' checks here
}

NOTE: Once a browser has visited the 'login' page during an active session, the user will either have to log-in with different credentials, or close the browser to log in again.

This may be problematic if the session-cookie is still present after closing and re-opening the browser. Try to force the session-cookie to be a "real" session-cookie and have it deleted on browser close by setting Session.cookieTimeout to 0 (see Session Configuration

Community
  • 1
  • 1
thaJeztah
  • 27,738
  • 9
  • 73
  • 92
  • @boindil added some information to my answer to explain the 'Basic Authentication' mechanism – thaJeztah Apr 16 '13 at 22:23
  • Thank you very much, this helped me a lot! I'm needing this, because I am writing a REST API and trying to make this somehow secure and flexible. However I need to use BasicAuth, as thats a guideline (the API itself is a rewrite and there are multiple clients that cannot easily be changed). Yes, SSL will be used of course. Updated my post (Update 6). – boindil Apr 17 '13 at 00:10
  • @boindil I did a bit of thinking, added it to my answer. Untested, just thinking out loud :D – thaJeztah Apr 17 '13 at 07:29
  • thanks for all your help again, I edited a solution thats working for me into Update 7. – boindil Apr 19 '13 at 22:17
  • Glad you got it working! To improve your code, I'd suggest to move some of that logic out of your controller and (for example) to a custom Authentication Object (see [Creating Custom Authentication objects](http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#creating-custom-authentication-objects)). However, that's not the scope of this question. Again, great you got it working! – thaJeztah Apr 19 '13 at 23:00