I was able to find a workaround using mod_rewrite (a module that continues
to amaze me with its usefulness). So for anyone else who needs to use the
http authentication methods of the Security Component while running php
through cgi, here's what I did to get it working:

In the .htaccess file in the webroot dir, I modified the default rewrite
rule by removing the 'last' flag:

old: RewriteRule ^(.*)$ index.php?url=$1 [QSA,L]
new: RewriteRule ^(.*)$ index.php?url=$1 [QSA]

Then I added another RewriteRule below that one, giving it the 'last' flag I
took away from the previous rule:

RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]

This new rule sets the environment variable REMOTE_USER to the value of the
HTTP Authorization header.  With basic authentication, which is what I am
using since I'm behind an SSL connection, the Authorization string consists
of the word 'Basic', a space, and a base64 encoded string of the supplied
username and password separated by a colon (:).

Php adds this new environment variable to the $_SERVER superglobal array
with the key 'REDIRECT_REMOTE_USER'.  So, in my beforeFilter callback I've
added the following code:

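if (Configure::read('in_production')) {
    // Strip the leading "Basic " (6 characters), base64-decode the rest, and
    // split on the first colon only so a password containing ':' stays intact.
    list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':',
        base64_decode(substr($_SERVER['REDIRECT_REMOTE_USER'], 6)), 2);
}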

Now the variables that the Security Component (and php) use for HTTP
Authentication are set, which makes functionality that was only explicitly
available in the apache php module also available in sites that have to use
php through CGI/FastCGI.

mod_rewrite rocks.

J3ffy

On Fri, Sep 4, 2009 at 10:23 AM, J3ffy <[email protected]> wrote:

> I've been developing a system that does server-to-server communication
> using Basic HTTP Auth for authentication behind an SSL connection.
> The requests are created and sent with the HttpSocket class.  The
> component that receives the requests uses the Security component to
> force and check authentication.
>
> Everything has been working great on multiple test systems, but on the
> production host, none of the Authentication credentials were being
> seen by the app.  After a few hours of testing I discovered that on
> all my test systems I'm using the Apache php module, but on the
> production server, the php api is accessed through FastCGI.  According
> to the php documentation for HTTP authentication here:
> http://us3.php.net/manual/en/features.http-auth.php the HTTP
> authentication hooks are only available when using the apache module
> and not for php through cgi.
>
> It seems that I'm going to have to change my approach to
> authenticating, but I have no idea what to change it to.  Do you folks
> have any suggestions?
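
A more defensive version of the decoding step described in the reply above, as an added example that is not part of the original post or of CakePHP. The function name parseForwardedBasicAuth and the sample header values are hypothetical; the $_SERVER key is the one the rewrite rule in the post produces.

```php
<?php
// Added example: hypothetical helper, not CakePHP code.
// Parses the raw Authorization header value that the rewrite rule copies into
// REDIRECT_REMOTE_USER. Returns array(user, password), or null if unusable.
function parseForwardedBasicAuth(array $server, $key = 'REDIRECT_REMOTE_USER')
{
    if (empty($server[$key]) || !is_string($server[$key])) {
        return null; // header absent: the client sent no credentials
    }
    // The scheme name is case-insensitive; accept only a well-formed base64 token.
    if (!preg_match('/^Basic +([A-Za-z0-9+\/]+={0,2})$/i', trim($server[$key]), $m)) {
        return null; // another scheme (e.g. Digest) or a malformed token
    }
    $decoded = base64_decode($m[1], true); // strict mode rejects invalid input
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the first colon only: the password may itself contain ':'.
    list($user, $pass) = explode(':', $decoded, 2);
    if ($user === '') {
        return null;
    }
    return array($user, $pass);
}

// Constructed sample inputs (not real credentials).
$samples = array(
    'Basic ' . base64_encode('api-client:s3cr:et'), // colon inside the password
    'basic ' . base64_encode('api-client:pw'),      // lower-case scheme name
    'Digest username="api-client"',                 // wrong scheme
    'Basic !!!not-base64!!!',                       // malformed token
);
foreach ($samples as $header) {
    $creds = parseForwardedBasicAuth(array('REDIRECT_REMOTE_USER' => $header));
    if ($creds === null) {
        echo "rejected: $header\n";
        continue;
    }
    // Only after validation populate the variables the Security Component reads.
    list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = $creds;
    echo "user={$creds[0]} password-length=" . strlen($creds[1]) . "\n";
}
```

With this rewrite rule REMOTE_USER carries the client's unverified header rather than an authenticated username, so nothing else in the application should treat it as an identity.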
