Hi all,
It is not overtly documented but you can check your HTTP
authentication against your normal users table, just like Auth
Component does. I didn't know this before. I thought I had to make a
loginUsers array. But a simple change gave me the opportunity to
check the login any way I wanted.
Generally speaking I'd say this is a bad idea. Letting users log in
using HTTP basic authentication is a bit of a security risk. It can be
very useful at times though so I thought I'd post my code in case
anyone else wants to use something like it... or just criticize the
whole idea until I change my mind :)
My reason is that I want a "protected" RSS feed. The feed will include
private information not intended for public use but I still like RSS
as a notification scheme. This is the best solution I have come up
with for protecting a feed.
Here are the relevant lines from my controller. Auth is globally
configured in AppController much like in the numerous tutorials
around. Nothing special there but it is active.
---
var $components = array('Security');

function beforeFilter() {
    // Only the RSS view of index is switched to HTTP basic authentication.
    if ( $this->RequestHandler->isRss() ) {
        $this->Auth->allow('index');
        $this->Security->loginOptions = array(
            'type'=>'basic',
            'login'=>'authenticate', // callback that accepts or rejects the login
            'realm'=>'My_RSS_Feeds'
        );
        $this->Security->loginUsers = array();
        $this->Security->requireLogin('index');
    }
    parent::beforeFilter();
}

// Re-package the HTTP credentials into the fields Auth expects, then try to log in.
function authenticate($args) {
    $data[ $this->Auth->fields['username'] ] = $args['username'];
    $data[ $this->Auth->fields['password'] ] = $this->Auth->password($args['password']);
    if ( $this->Auth->login($data) ) {
        return true;
    } else {
        $this->Security->blackHole($this, 'login');
        return false;
    }
}
---
As you can see there is not much different from the cookbook (for
example). The key is the login-key in the loginOptions hash. This lets
me provide a method that will take care of allowing or disallowing a
login.
The authenticate method re-packages the username and password to suit
Auth and then tries to log in... and Voilà!
I noticed that returning true or false was not enough. I had to
specify that the request should "blackHole" here. I could try digest
authentication but I haven't gotten around to it yet. (My normal
logins pass passwords in the clear already so...)
That's all
/Martin
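
The post notes that HTTP basic authentication carries the password in the clear. As an added example that is not part of the original post and does not use CakePHP's Security or Auth API, the plain-PHP code below shows the same check against a users table with the transport requirement made explicit. The function names, the `HTTP_AUTHORIZATION` server key, the sample user and the use of `password_hash` for stored passwords are assumptions.

```php
<?php
// Added example, not CakePHP's Security/Auth API. Function names and the
// sample user table are hypothetical.

// Parse "Authorization: Basic <base64(user:pass)>"; returns [user, pass] or null.
function parseBasicHeader(?string $header): ?array {
    if ($header === null
        || !preg_match('/^Basic\s+([A-Za-z0-9+\/]+=*)$/i', trim($header), $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true); // strict mode rejects malformed input
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the first colon only: the password may itself contain ':'.
    return explode(':', $decoded, 2);
}

// Decide the response for a feed request: returns [status, headers].
function checkFeedRequest(array $server, array $users, string $realm): array {
    // Basic credentials are only base64-encoded, so refuse them over plain HTTP.
    if (empty($server['HTTPS']) || $server['HTTPS'] === 'off') {
        return [403, []];
    }
    $challenge = ['WWW-Authenticate' => 'Basic realm="' . $realm . '"'];
    $creds = parseBasicHeader($server['HTTP_AUTHORIZATION'] ?? null);
    if ($creds === null) {
        return [401, $challenge];
    }
    [$user, $pass] = $creds;
    // Verify against a hash even for unknown users, so both paths do similar work.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('placeholder', PASSWORD_DEFAULT);
    $known = isset($users[$user]);
    $ok = password_verify($pass, $known ? $users[$user] : $dummy) && $known;
    return $ok ? [200, []] : [401, $challenge];
}

// Constructed sample data: one user row and one request as $_SERVER might show it
// (assumes the server passes the Authorization header through as HTTP_AUTHORIZATION).
$users = ['alice' => password_hash('s3cret:with:colons', PASSWORD_DEFAULT)];
$good = ['HTTPS' => 'on',
         'HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:s3cret:with:colons')];
$plain = ['HTTP_AUTHORIZATION' => $good['HTTP_AUTHORIZATION']]; // same, but no TLS

foreach (['https' => $good, 'http' => $plain, 'no header' => ['HTTPS' => 'on']] as $label => $req) {
    [$status] = checkFeedRequest($req, $users, 'My_RSS_Feeds');
    echo $label, ': ', $status, "\n";
}
```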