forked from zendframework/zendframework
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Zend_Auth_Adapter_Http.xml
323 lines (259 loc) · 12.8 KB
/
Zend_Auth_Adapter_Http.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
<?xml version="1.0" encoding="utf-8"?>
<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="zend.auth.adapter.http"><info><title>HTTP Authentication Adapter</title></info>
<section xml:id="zend.auth.adapter.http.introduction"><info><title>Introduction</title></info>
<para>
<classname>Zend_Auth_Adapter_Http</classname> provides a mostly-compliant
implementation of <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://tools.ietf.org/html/rfc2617">RFC-2617</link>,
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://en.wikipedia.org/wiki/Basic_authentication_scheme">Basic</link>
and <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://en.wikipedia.org/wiki/Digest_access_authentication">Digest</link>
<acronym>HTTP</acronym> Authentication. Digest authentication is a method of
<acronym>HTTP</acronym> authentication that improves upon Basic authentication by
providing a way to authenticate without having to transmit the password in clear text
across the network.
</para>
<para>
<emphasis>Major Features:</emphasis>
</para>
<itemizedlist>
<listitem>
<para>
Supports both Basic and Digest authentication.
</para>
</listitem>
<listitem>
<para>
Issues challenges in all supported schemes, so client can respond with any
scheme it supports.
</para>
</listitem>
<listitem>
<para>
Supports proxy authentication.
</para>
</listitem>
<listitem>
<para>
Includes support for authenticating against text files and provides an
interface for authenticating against other sources, such as databases.
</para>
</listitem>
</itemizedlist>
<para>
There are a few notable features of <acronym>RFC-2617</acronym> that are not
implemented yet:
</para>
<itemizedlist>
<listitem>
<para>
Nonce tracking, which would allow for "stale" support, and increased replay
attack protection.
</para>
</listitem>
<listitem>
<para>
Authentication with integrity checking, or "auth-int".
</para>
</listitem>
<listitem>
<para>
Authentication-Info <acronym>HTTP</acronym> header.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="zend.auth.adapter.design_overview"><info><title>Design Overview</title></info>
<para>
This adapter consists of two sub-components, the <acronym>HTTP</acronym> authentication
class itself, and the so-called "Resolvers." The <acronym>HTTP</acronym> authentication
class encapsulates the logic for carrying out both Basic and Digest authentication. It
uses a Resolver to look up a client's identity in some data store (text file by
default), and retrieve the credentials from the data store. The "resolved" credentials
are then compared to the values submitted by the client to determine whether
authentication is successful.
</para>
</section>
<section xml:id="zend.auth.adapter.configuration_options"><info><title>Configuration Options</title></info>
<para>
The <classname>Zend_Auth_Adapter_Http</classname> class requires a configuration array
passed to its constructor. There are several configuration options available, and some
are required:
</para>
<table xml:id="zend.auth.adapter.configuration_options.table"><info><title>Configuration Options</title></info>
<tgroup cols="3">
<thead>
<row>
<entry>Option Name</entry>
<entry>Required</entry>
<entry>Description</entry>
</row>
</thead>
<tbody>
<row>
<entry><emphasis><property>accept_schemes</property></emphasis></entry>
<entry>Yes</entry>
<entry>
Determines which authentication schemes the adapter will accept from
the client. Must be a space-separated list containing
<emphasis>'basic'</emphasis> and/or <emphasis>'digest'</emphasis>.
</entry>
</row>
<row>
<entry><emphasis><property>realm</property></emphasis></entry>
<entry>Yes</entry>
<entry>
Sets the authentication realm; usernames should be unique within a
given realm.
</entry>
</row>
<row>
<entry><emphasis><property>digest_domains</property></emphasis></entry>
<entry>
Yes, when <property>accept_schemes</property> contains
<emphasis>digest</emphasis>
</entry>
<entry>
Space-separated list of <acronym>URI</acronym>s for which the same
authentication information is valid. The <acronym>URI</acronym>s need
not all point to the same server.
</entry>
</row>
<row>
<entry><emphasis><property>nonce_timeout</property></emphasis></entry>
<entry>
Yes, when <property>accept_schemes</property> contains
<emphasis>digest</emphasis>
</entry>
<entry>
Sets the number of seconds for which the nonce is valid. See notes
below.
</entry>
</row>
<row>
<entry><emphasis><property>proxy_auth</property></emphasis></entry>
<entry>No</entry>
<entry>
Disabled by default. Enable to perform Proxy authentication, instead
of normal origin server authentication.
</entry>
</row>
</tbody>
</tgroup>
</table>
<note>
<para>
The current implementation of the <property>nonce_timeout</property> has some
interesting side effects. This setting is supposed to determine the valid lifetime
of a given nonce, or effectively how long a client's authentication information is
accepted. Currently, if it's set to 3600 (for example), it will cause the adapter
to prompt the client for new credentials every hour, on the hour. This will be
resolved in a future release, once nonce tracking and stale support are
implemented.
</para>
</note>
</section>
<section xml:id="zend.auth.adapter.http.resolvers"><info><title>Resolvers</title></info>
<para>
The resolver's job is to take a username and realm, and return some kind of credential
value. Basic authentication expects to receive the Base64 encoded version of the user's
password. Digest authentication expects to receive a hash of the user's username, the
realm, and their password (each separated by colons). Currently, the only supported
hash algorithm is <acronym>MD5</acronym>.
</para>
<para>
<classname>Zend_Auth_Adapter_Http</classname> relies on objects implementing
<classname>Zend_Auth_Adapter_Http_Resolver_Interface</classname>. A text file resolver
class is included with this adapter, but any other kind of resolver can be created
simply by implementing the resolver interface.
</para>
<section xml:id="zend.auth.adapter.http.resolvers.file"><info><title>File Resolver</title></info>
<para>
The file resolver is a very simple class. It has a single property specifying a
filename, which can also be passed to the constructor. Its
<methodname>resolve()</methodname> method walks through the text file, searching
for a line with a matching username and realm. The text file format similar to
Apache htpasswd files:
</para>
<programlisting language="txt"><![CDATA[
<username>:<realm>:<credentials>\n
]]></programlisting>
<para>
Each line consists of three fields - username, realm, and credentials - each
separated by a colon. The credentials field is opaque to the file resolver; it
simply returns that value as-is to the caller. Therefore, this same file format
serves both Basic and Digest authentication. In Basic authentication, the
credentials field should be written in clear text. In Digest authentication, it
should be the <acronym>MD5</acronym> hash described above.
</para>
<para>
There are two equally easy ways to create a File resolver:
</para>
<programlisting language="php"><![CDATA[
$path = 'files/passwd.txt';
$resolver = new Zend_Auth_Adapter_Http_Resolver_File($path);
]]></programlisting>
<para>
or
</para>
<programlisting language="php"><![CDATA[
$path = 'files/passwd.txt';
$resolver = new Zend_Auth_Adapter_Http_Resolver_File();
$resolver->setFile($path);
]]></programlisting>
<para>
If the given path is empty or not readable, an exception is thrown.
</para>
</section>
</section>
<section xml:id="zend.auth.adapter.http.basic_usage"><info><title>Basic Usage</title></info>
<para>
First, set up an array with the required configuration values:
</para>
<programlisting language="php"><![CDATA[
$config = array(
'accept_schemes' => 'basic digest',
'realm' => 'My Web Site',
'digest_domains' => '/members_only /my_account',
'nonce_timeout' => 3600,
);
]]></programlisting>
<para>
This array will cause the adapter to accept either Basic or Digest authentication, and
will require authenticated access to all the areas of the site under
<filename>/members_only</filename> and <filename>/my_account</filename>. The realm
value is usually displayed by the browser in the password dialog box. The
<property>nonce_timeout</property>, of course, behaves as described above.
</para>
<para>
Next, create the <classname>Zend_Auth_Adapter_Http</classname> object:
</para>
<programlisting language="php"><![CDATA[
$adapter = new Zend_Auth_Adapter_Http($config);
]]></programlisting>
<para>
Since we're supporting both Basic and Digest authentication, we need two different
resolver objects. Note that this could just as easily be two different classes:
</para>
<programlisting language="php"><![CDATA[
$basicResolver = new Zend_Auth_Adapter_Http_Resolver_File();
$basicResolver->setFile('files/basicPasswd.txt');
$digestResolver = new Zend_Auth_Adapter_Http_Resolver_File();
$digestResolver->setFile('files/digestPasswd.txt');
$adapter->setBasicResolver($basicResolver);
$adapter->setDigestResolver($digestResolver);
]]></programlisting>
<para>
Finally, we perform the authentication. The adapter needs a reference to both the
Request and Response objects in order to do its job:
</para>
<programlisting language="php"><![CDATA[
assert($request instanceof Zend_Controller_Request_Http);
assert($response instanceof Zend_Controller_Response_Http);
$adapter->setRequest($request);
$adapter->setResponse($response);
$result = $adapter->authenticate();
if (!$result->isValid()) {
// Bad userame/password, or canceled password prompt
}
]]></programlisting>
</section>
</section>