Hi Jan,

My apologies for assuming you were using Basic authentication; I see your point clearly now. This is a legitimate bug in the adapter. You can try the attached patch (not tested) if you like. Please file a bug report for this.

Thanks!
Bryce Lohr


Jan Wagner-Rosenkranz wrote:
Bryce Lohr wrote:
Unlike Digest authentication, Basic authentication does not specify that the credentials supplied by the user include the name of the realm they are authenticating against. Only the username and password are sent to the server. Therefore, the adapter doesn't have a way to check the credentials purely based on the "current" realm. The adapter, IMO, *should* use the root of some URI path instead, however, no such feature is currently implemented (neither in Basic nor in Digest).

Well, I have been using digest authentication. So is it desirable to be implemented at least in that part? That's where I looked, and noticed that it takes the supplied realm. That would be in Zend_Auth_Adapter_Http::_parseDigestAuth:714-722 in release-1.7 branch.

Maybe something like this:

if ($temp[1] != $this->_realm) return false;

Right now, the adapter will only check to see if the user-given credentials are defined by the resolver for the adapter's currently-configured realm (as specified by the developer). Your custom resolver that includes the realm logic you need is a good work-around. If you're inclined, you can file a feature request and include a patch.

Only, I have to pass the realm to the resolver, which shouldn't be necessary.

Thanks for listening.

Jan
Index: Http.php
===================================================================
--- Http.php    (revision 124)
+++ Http.php    (working copy)
@@ -580,6 +580,12 @@
             return $this->_challengeClient();
         }
 
+        // If the client's credentials are for a different realm, challenge 
them 
+        // to authenticate in the current realm.
+        if ($data['realm'] != $this->_realm) {
+            return $this->_challengeClient();
+        }
+
         // Verify that the client sent back the same nonce
         if ($this->_calcNonce() != $data['nonce']) {
             return $this->_challengeClient();
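Review bot: The new comment is split across two lines and the continuation line `them ` carries no leading `+`, so the hunk has 13 body lines where the `@@ -580,6 +580,12 @@` header promises 12 and `patch` will reject it; rejoin it as a single `+        // If the client's credentials are for a different realm, challenge them` line (or two `+` lines). While here, `$data['realm'] !== $this->_realm` is preferable to `!=` since both sides are strings, and the change should come with a unit test sending a Digest response for a realm other than the configured one, given the "(not tested)" note in the cover mail.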
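As an added illustration of the realm point in the thread above (example code written for this page, not Zend Framework's adapter; the function names and the sample headers are assumptions): a Digest response carries a `realm` field that can be compared against the configured one, while a Basic response carries only the username and password.

```php
<?php
// Hypothetical helpers (not Zend_Auth_Adapter_Http API), built to show
// which scheme gives the server a realm to check.

// Parse the key="value" pairs of a Digest Authorization header into an array.
// Note: does not handle escaped quotes inside quoted values.
function parseDigestHeader($header)
{
    if (strncasecmp($header, 'Digest ', 7) !== 0) {
        return null;
    }
    $data = array();
    // Matches  key="quoted value"  or  key=unquoted  (qop, nc, algorithm)
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', substr($header, 7), $m, PREG_SET_ORDER);
    foreach ($m as $pair) {
        $data[$pair[1]] = (isset($pair[3]) && $pair[3] !== '') ? $pair[3] : $pair[2];
    }
    return $data;
}

// Mirror of the patched check: a response for another realm must be
// re-challenged rather than looked up in the resolver for the configured realm.
function digestRealmMatches($header, $configuredRealm)
{
    $data = parseDigestHeader($header);
    if ($data === null || !isset($data['realm'])) {
        return false; // malformed or missing realm: challenge again
    }
    return $data['realm'] === $configuredRealm; // strict string comparison
}

// Basic carries only base64("user:pass"); the returned array has no 'realm' key,
// so there is nothing for the adapter to compare against its configured realm.
function parseBasicHeader($header)
{
    if (strncasecmp($header, 'Basic ', 6) !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    list($user, $pass) = explode(':', $decoded, 2);
    return array('username' => $user, 'password' => $pass);
}

// Constructed sample headers (not captured traffic)
$digest = 'Digest username="jan", realm="intranet", nonce="abc123", uri="/app", '
        . 'response="0123456789abcdef", qop=auth, nc=00000001, cnonce="xyz"';
var_dump(digestRealmMatches($digest, 'intranet'));   // bool(true)
var_dump(digestRealmMatches($digest, 'extranet'));   // bool(false): challenge
var_dump(array_key_exists('realm', parseBasicHeader('Basic ' . base64_encode('jan:secret'))));  // bool(false)
```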
