Hi Neil,
You are correct in that the current design of the HTTP Auth Resolvers
requires the password (or password hash) to be returned to the adapter.
The reason the password validation is done in the adapter, instead of in
the resolver (which would allow an SQL query to make the necessary
comparison), is that the same Resolver class is used for both Basic and
Digest authentication. In Digest authentication it is not possible to do
the password validation outside the adapter (or at least I haven't
figured out how to do it... ;) ).
This is a known deficiency in the design; however, it may not be
addressed until 2.0 due to backward-compatibility concerns.
If you only intend to use Basic authentication, you can achieve your goal by
overriding Zend_Auth_Adapter_Http::_basicAuth() to pass the username,
realm, and password to the resolver, and use the return value of that to
decide whether the login is valid. It's an unfortunate kludge, but that
is the current state of things. :/
Hope this helps,
Bryce Lohr
Neil Garb wrote:
Hi all
I'm trying to get to grips with how to do basic HTTP authentication,
with user details in a database. I'd like users to be able to access
a particular URL with their username and password, which is stored as
an encoded string.
So far it seems I have to use
Zend_Auth_Adapter_Http_Resolver_Interface::resolve($username, $realm).
Am I correct in saying that that function needs to return the user's
password? How do I get around the fact that the password is encoded
in the database?
Thanks.
- Neil
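The workaround Bryce describes above, written out as an added example (this is not code from the thread or from Zend Framework): a subclass of Zend_Auth_Adapter_Http overrides _basicAuth() so that the adapter never sees the stored secret, and a resolver checks the submitted password against a hash in the database. The class names My_Db_Resolver and My_Basic_Http_Adapter, the validate() method, the users table (username, realm, password_hash), the PDO DSN and the controller-style $this->getRequest()/getResponse() calls are all assumptions made for the example. It assumes ZF1's Zend_Auth_Adapter_Http (setBasicResolver(), _challengeClient(), _realm, _basicResolver) and PHP 5.5+ for password_verify(); on older PHP, substitute your own hash scheme and a constant-time comparison.

```php
<?php
// Added example, not from the original thread or from Zend Framework:
// Basic-only HTTP auth against hashed passwords by overriding
// Zend_Auth_Adapter_Http::_basicAuth(). All My_* names, validate(),
// the users table and the DSN are hypothetical.
require_once 'Zend/Auth/Adapter/Http.php';
require_once 'Zend/Auth/Adapter/Http/Resolver/Interface.php';
require_once 'Zend/Auth/Adapter/Exception.php';
require_once 'Zend/Auth/Result.php';

// Hypothetical resolver: implements the Zend interface so the adapter
// accepts it, but the real check happens in validate(), which never
// hands the stored secret back to the adapter.
class My_Db_Resolver implements Zend_Auth_Adapter_Http_Resolver_Interface
{
    private $_db; // PDO handle; table users(username, realm, password_hash) assumed

    public function __construct(PDO $db)
    {
        $this->_db = $db;
    }

    // Required by the interface. Digest would need the plaintext (or the
    // A1 hash), which we do not store, so refuse rather than return anything.
    public function resolve($username, $realm)
    {
        throw new Zend_Auth_Adapter_Exception(
            'This resolver supports Basic authentication only (use validate())');
    }

    // Hypothetical method: true only if username/realm exist and the
    // submitted password verifies against the stored password_hash() value.
    public function validate($username, $realm, $password)
    {
        $stmt = $this->_db->prepare(
            'SELECT password_hash FROM users WHERE username = :u AND realm = :r');
        $stmt->execute(array(':u' => $username, ':r' => $realm));
        $hash = $stmt->fetchColumn();
        if ($hash === false) {
            return false; // unknown user: caller re-challenges the client
        }
        return password_verify($password, $hash); // constant-time comparison
    }
}

class My_Basic_Http_Adapter extends Zend_Auth_Adapter_Http
{
    protected function _basicAuth($header)
    {
        if (empty($header)) {
            throw new Zend_Auth_Adapter_Exception(
                'The value of the client Authorization header is required');
        }
        if (empty($this->_basicResolver)) {
            throw new Zend_Auth_Adapter_Exception(
                'A basicResolver object must be set before doing Basic authentication');
        }

        // Header is "Basic <base64(username:password)>"; strict decoding
        // rejects junk instead of silently tolerating it.
        $auth = base64_decode(substr($header, strlen('Basic ')), true);
        if ($auth === false || !ctype_print($auth)) {
            return $this->_challengeClient();
        }
        // Split on the first colon only: passwords may themselves contain ':'
        $parts = explode(':', $auth, 2);
        if (count($parts) != 2 || $parts[0] === '' || $parts[1] === '') {
            return $this->_challengeClient();
        }
        list($username, $password) = $parts;

        if ($this->_basicResolver->validate($username, $this->_realm, $password)) {
            $identity = array('username' => $username, 'realm' => $this->_realm);
            return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $identity);
        }
        // Wrong password or unknown user: 401 plus WWW-Authenticate, no detail leaked
        return $this->_challengeClient();
    }
}

// Usage inside a controller action (hypothetical DSN and request/response accessors)
$db      = new PDO('sqlite:/path/to/users.db');
$adapter = new My_Basic_Http_Adapter(array(
    'accept_schemes' => 'basic',
    'realm'          => 'My Realm',
));
$adapter->setBasicResolver(new My_Db_Resolver($db));
$adapter->setRequest($this->getRequest());
$adapter->setResponse($this->getResponse());
$result = $adapter->authenticate();
if (!$result->isValid()) {
    return; // _challengeClient() has already set the 401 on the response
}
$identity = $result->getIdentity(); // array('username' => ..., 'realm' => ...)
```

Two points worth keeping when adapting this: the failure path returns the same challenge whether the user is unknown or the password is wrong, so the response does not reveal which usernames exist, and the credential split uses explode() with a limit of 2 so a password containing a colon is not truncated.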