On 11/21/2013 12:10 PM, Daniel Berteaud wrote:
> Here's a patch to enable external auth (handled by apache) on the rest
> interface.
> I'm using a webSSO (the excellent LemonLDAP::NG) to control access to my
> web applications. In this mode, LemonLDAP::NG handles the auth, and just
> sets REMOTE_USER when someone is correctly authenticated. So the app
> never has access to the password, and so does not have access to a
> PHP_AUTH_PW variable.
Does LemonLDAP forward all the headers of the request (it should, right)? Because the X-Authorization header should *still* be required. Checking for REMOTE_USER only allows for CSRF attacks, which was a real PITA to fix. But it's entirely reasonable not to have the clear text. I committed a slightly different validation method which only checks the password for consistency (if it exists). Please check if this is enough.
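The check described in the reply, written out as an added Python model (not the project's PHP code and not the committed patch): the explicit X-Authorization header is required in every case, the user identity comes from REMOTE_USER set by the front end, and the password is compared only when the front end actually passed one through. The header is only checked for presence here, since the thread does not say what the application validates inside it; the PBKDF2 credential store, the user "alice" and the sample requests are constructed for the example.

```python
import hashlib
import hmac

# Constructed credential store: the application is assumed to keep a salted
# PBKDF2-SHA256 hash per user (an assumption for this example, not the
# project's real storage format).
SALT = b"constructed-static-salt"


def hash_password(password: str, salt: bytes = SALT, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


STORED_HASHES = {"alice": hash_password("correct horse")}


def authorize(environ: dict, headers: dict) -> tuple:
    """Return (True, username) when the request is accepted, else (False, reason).

    environ models the CGI/server variables (REMOTE_USER, PHP_AUTH_PW),
    headers models the HTTP request headers.
    """
    # Header names are case-insensitive; normalise before lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}

    # 1. Anti-CSRF: a cross-site form post or <img> fetch forged by another
    #    origin rides on the victim's SSO cookies, so REMOTE_USER would still be
    #    set, but such a request cannot carry a custom header. Requiring the
    #    header therefore rejects the forged request regardless of who the
    #    front end says the user is.
    if not hdrs.get("x-authorization"):
        return (False, "missing X-Authorization header")

    # 2. Identity comes from the front end (Apache / webSSO) via REMOTE_USER.
    user = environ.get("REMOTE_USER")
    if not user:
        return (False, "no authenticated user")
    stored = STORED_HASHES.get(user)
    if stored is None:
        return (False, "unknown user")

    # 3. Password consistency check only if a password was passed through.
    #    With a webSSO the app never sees it, so PHP_AUTH_PW is simply absent.
    password = environ.get("PHP_AUTH_PW")
    if password is not None:
        if not hmac.compare_digest(hash_password(password), stored):
            return (False, "password does not match stored credential")

    return (True, user)


if __name__ == "__main__":
    # Constructed requests: SSO-authenticated API call, forged cross-site call,
    # and a classic Basic-auth call where the password is visible.
    print(authorize({"REMOTE_USER": "alice"}, {"X-Authorization": "token"}))
    print(authorize({"REMOTE_USER": "alice"}, {"Content-Type": "application/x-www-form-urlencoded"}))
    print(authorize({"REMOTE_USER": "alice", "PHP_AUTH_PW": "correct horse"}, {"X-Authorization": "token"}))
    print(authorize({"REMOTE_USER": "alice", "PHP_AUTH_PW": "wrong"}, {"X-Authorization": "token"}))
```

The second request in the usage section is the case the reply is worried about: REMOTE_USER is present because the SSO cookie was sent along, but no custom header is, so it is refused. The constant-time comparison is used so that a password check added as a fallback does not leak timing information about the stored hash.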