Hi Jan,
Unlike Digest authentication, Basic authentication does not specify that
the credentials supplied by the user include the name of the realm they
are authenticating against. Only the username and password are sent to
the server. Therefore, the adapter doesn't have a way to check the
credentials purely based on the "current" realm. The adapter, IMO,
*should* use the root of some URI path instead, however, no such feature
is currently implemented (neither in Basic nor in Digest).
Right now, the adapter will only check to see if the user-given
credentials are defined by the resolver for the adapter's
currently-configured realm (as specified by the developer). Your custom
resolver that includes the realm logic you need is a good work-around.
If you're inclined, you can file a feature request and include a patch.
Regards,
Bryce Lohr
Jan Wagner-Rosenkranz wrote:
Hi there,
I've been using the http auth adapter lately and noticed something
strange. I tried to use different realms for different areas of my
site. Once I authenticated for one realm, the browser would send this
one as soon as I entered another realm. And here it comes, it did
authenticate for the other realm. To be clear:
1. auth for /realm1
2. auth for /realm2
The second auth wouldn't even ask for a password, it just used the
browser supplied old realm and saved username and password, which then
authenticated just fine. Is that by design? I thought, if I requested
a specific realm for authentication, that one would be checked.
Looking at the code, Zend_Auth_Adapter_Http really takes the user
supplied realm and passes it to the resolver without checking the
actually requested realm. As I've implemented my own resolver, I added
the check there and it works.
So is this a bug or a feature?
Cheers Jan
PS: The different authentications have different auth storages, so
they are completely independent.
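The Digest case Jan describes, modelled in Python as an added example (not Zend Framework code): a toy resolver keyed by realm, an adapter check that hands the client-sent realm to the resolver unchecked, and the same check with the comparison against the server-configured realm added. The user store, nonce and header values are constructed; the response computation follows the RFC 2069 form (no qop), which is enough to show the realm issue.

```python
import hashlib
import re

# Constructed user store: realm -> {username: password}. Each realm has its
# own storage, as in the thread.
USERS = {
    "realm1": {"jan": "secret1"},
    "realm2": {"alice": "secret2"},
}


def resolve(username, realm):
    """Resolver: password for (username, realm), or None if unknown there."""
    return USERS.get(realm, {}).get(username)


def parse_digest(header):
    """Split 'Digest k="v", k2=v2, ...' into a dict of parameters."""
    body = header[len("Digest "):]
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]+)', body)}


def md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, nonce, method, uri):
    """RFC 2069-style response: MD5(HA1:nonce:HA2), no qop."""
    ha1 = md5(f"{username}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")


def authenticate(header, configured_realm, method, uri, check_realm):
    """True if the Authorization header validates.
    check_realm=False mirrors the behaviour Jan observed: the realm the client
    sent is passed straight to the resolver. check_realm=True first requires
    that realm to equal the one configured for the area being accessed."""
    p = parse_digest(header)
    if check_realm and p.get("realm") != configured_realm:
        return False
    password = resolve(p["username"], p["realm"])
    if password is None:
        return False
    expected = digest_response(p["username"], p["realm"], password,
                               p["nonce"], method, uri)
    return p["response"] == expected


def make_header(username, realm, password, nonce, method, uri):
    """Constructed client header, e.g. a browser reusing realm1 credentials."""
    resp = digest_response(username, realm, password, nonce, method, uri)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')
```

With `check_realm=False`, realm1 credentials presented to the realm2 area validate, which is the behaviour described in the thread; with `check_realm=True` they are rejected while correct realm2 credentials still pass.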