Actually, I'd say this is a good tip given the caveat that HTTP
authentication always be done over SSL.

On Jan 12, 11:19 am, Martin Westin <[email protected]> wrote:
> Hi all,
> It is not overtly documented but you can check your http
> authentication against your normal users table, just like Auth
> Component does. I didn't know this before. I thought I had to make a
> loginUsers array. But a simple change gave me the opportunity to
> check the login any way I wanted.
>
> Generally speaking I'd say this is a bad idea. Letting users login
> using HTTP basic authentication is a bit of a security risk. It can be
> very useful at times though so I thought I'd post my code in case
> anyone else wants to use something like it... or just criticize the
> whole idea until I change my mind :)
>
> My reason is that I want a "protected" RSS feed. The feed will include
> private information not intended for public use but I still like RSS
> as a notification scheme. This is the best solution I have come up
> with for protecting a feed.
>
> Here are the relevant lines from my controller. Auth is globally
> configured in AppController much like in the numerous tutorials
> around. Nothing special there but it is active.
>
> ---
> var $components = array('Security');
>
> function beforeFilter() {
>     if ( $this->RequestHandler->isRss() ) {
>         $this->Auth->allow('index');
>         $this->Security->loginOptions = array(
>             'type'  => 'basic',
>             'login' => 'authenticate',
>             'realm' => 'My_RSS_Feeds'
>         );
>         $this->Security->loginUsers = array();
>         $this->Security->requireLogin('index');
>     }
>     parent::beforeFilter();
> }
>
> // Called by SecurityComponent with the username/password from the Authorization header
> function authenticate($args) {
>     $data = array();
>     $data[ $this->Auth->fields['username'] ] = $args['username'];
>     $data[ $this->Auth->fields['password'] ] = $this->Auth->password($args['password']);
>
>     if ( $this->Auth->login($data) ) {
>         return true;
>     } else {
>         $this->Security->blackHole($this, 'login');
>         return false;
>     }
> }
>
> ---
>
> As you can see there is not much different from the cookbook (for
> example). The key is the login-key in the loginOptions hash. This lets
> me provide a method that will take care of allowing or disallowing a
> login.
>
> The authenticate method re-packages the username and password to suit
> Auth and then tries to log in... and voilà!
>
> I noticed that returning true or false was not enough. I had to
> specify that the request should "blackHole" here. I could try digest
> authentication but I haven't gotten around to it yet. (My normal
> logins pass passwords in the clear already so...)
>
> That's all
> /Martin
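As an added example (not Martin's code, and not CakePHP's own), here is the same controller with the caveat from the reply applied: the Basic-auth prompt is only offered on an HTTPS request, so the base64-encoded password never crosses the wire in plaintext. It assumes CakePHP 1.2 with Auth configured in AppController, the RequestHandler component loaded, and a feed action named `index`; `FeedsController` is a hypothetical name.

```php
<?php
// Hypothetical feed controller; Auth is configured in AppController as in the post.
class FeedsController extends AppController {
    var $name = 'Feeds';
    var $components = array('Security', 'RequestHandler');

    function beforeFilter() {
        parent::beforeFilter();
        if ($this->RequestHandler->isRss()) {
            // Basic auth only protects the password if the transport does:
            // refuse to even send the WWW-Authenticate challenge over plain HTTP.
            // The explicit check does not depend on the component's check ordering.
            if (!env('HTTPS')) {
                $this->Security->blackHole($this, 'secure');
            }
            // Belt and braces: SecurityComponent also enforces SSL for this action.
            $this->Security->requireSecure('index');

            $this->Auth->allow('index');
            $this->Security->loginOptions = array(
                'type'  => 'basic',
                'login' => 'authenticate',
                'realm' => 'My_RSS_Feeds',
            );
            $this->Security->loginUsers = array();   // empty: check the users table instead
            $this->Security->requireLogin('index');
        }
    }

    // SecurityComponent calls this with array('username' => ..., 'password' => ...)
    function authenticate($args) {
        $data = array();
        $data[$this->Auth->fields['username']] = $args['username'];
        // Hash the submitted password the same way Auth hashes stored ones.
        $data[$this->Auth->fields['password']] = $this->Auth->password($args['password']);

        if ($this->Auth->login($data)) {
            return true;
        }
        // Returning false alone is not enough (see the post): blackhole the request.
        $this->Security->blackHole($this, 'login');
        return false;
    }
}
```

Without `blackHoleCallback` set, `blackHole()` answers with a 404, so a failed or non-SSL request reveals nothing about whether the feed exists.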