ILIAS  Release_4_0_x_branch Revision 61816
 All Data Structures Namespaces Files Functions Variables Groups Pages
Public Member Functions | Data Fields
Auth_HTTP Class Reference
+ Inheritance diagram for Auth_HTTP:
+ Collaboration diagram for Auth_HTTP:

Public Member Functions

 Auth_HTTP ($storageDriver, $options= '')
 Constructor.
 assignData ()
 Assign values from $PHP_AUTH_USER and $PHP_AUTH_PW or 'Authorization' header to internal variables and sets the session id based on them.
 login ()
 Login function.
 drawLogin ($username="")
 Launch the login box.
 setRealm ($realm, $digestRealm= '')
 Set name of the current realm.
 setCancelText ($text)
 Set the text to send if user hits the cancel button.
 validateDigest ($response, $a1)
 judge if the client response is valid.
 _judgeStale ($nonce)
 judge if nonce from client is stale.
 _decodeNonce ($nonce, &$time, &$hash)
 decode nonce string
 _getNonce ()
 return nonce to detect timeout
 authenticationInfo ($contentMD5= '')
 output HTTP Authentication-Info header
 setOption ($name, $value=null)
 set authentication option
 getOption ($name)
 get authentication option
 selfURI ()
 get self URI
- Public Member Functions inherited from Auth
 Auth ($storageDriver, $options= '', $loginFunction= '', $showLogin=true)
 Constructor.
applyAuthOptions (&$options)
 Set the Auth options.
 _loadStorage ()
 Load Storage Driver if not already loaded.
 start ()
 Start new auth session.
 setExpire ($time, $add=false)
 Set the maximum expire time.
 setIdle ($time, $add=false)
 Set the maximum idle time.
 setSessionName ($name= 'session')
 Set name of the session to a customized value.
 setShowLogin ($showLogin=true)
 Should the login form be displayed if neccessary?
 setAllowLogin ($allowLogin=true)
 Should the login form be displayed if neccessary?
 setCheckAuthCallback ($checkAuthCallback)
 Register a callback function to be called whenever the validity of the login is checked The function will receive two parameters, the username and a reference to the auth object.
 setLoginCallback ($loginCallback)
 Register a callback function to be called on user login.
 setFailedLoginCallback ($loginFailedCallback)
 Register a callback function to be called on failed user login.
 setLogoutCallback ($logoutCallback)
 Register a callback function to be called on user logout.
 setAuthData ($name, $value, $overwrite=true)
 Register additional information that is to be stored in the session.
 getAuthData ($name=null)
 Get additional information that is stored in the session.
 setAuth ($username)
 Register variable in a session telling that the user has logged in successfully.
 setAdvancedSecurity ($flag=true)
 Enables advanced security checks.
 checkAuth ()
 Checks if there is a session with valid auth information.
 getAuth ()
 Has the user been authenticated?
 logout ()
 Logout function.
 updateIdle ()
 Update the idletime.
 getUsername ()
 Get the username.
 getStatus ()
 Get the current status.
 getPostUsernameField ()
 Gets the post varible used for the username.
 getPostPasswordField ()
 Gets the post varible used for the username.
 sessionValidThru ()
 Returns the time up to the session is valid.
 listUsers ()
 List all users that are currently available in the storage container.
 addUser ($username, $password, $additional= '')
 Add user to the storage container.
 removeUser ($username)
 Remove user from the storage container.
 changePassword ($username, $password)
 Change password for user in the storage container.
 log ($message, $level=AUTH_LOG_DEBUG)
 Log a message from the Auth system.
 _loadLogger ()
 Load Log object if not already loaded.
 attachLogObserver (&$observer)
 Attach an Observer to the Auth Log Source.
 _isAdvancedSecurityEnabled ($feature=null)
 Is advanced security enabled?
- Public Member Functions inherited from ilAuthBase
 supportRedirects ()
 Returns true, if the current auth mode allows redirects to e.g the login screen, public section ...
 getContainer ()
 Get container object.

Data Fields

 $authType = 'basic'
 $realm = "protected area"
 $CancelText = "Error 401 - Access denied"
 $options = array()
 $stale = false
 $opaque = 'dummy'
 $uri = ''
 $auth = array()
 $nextNonce = ''
 $nonce = ''
 $server
 $post
 $cookie
- Data Fields inherited from Auth
 $expire = 0
 $expired = false
 $idle = 0
 $idled = false
 $storage = ''
 $loginFunction = ''
 $showLogin = true
 $allowLogin = true
 $status = ''
 $username = ''
 $password = ''
 $checkAuthCallback = ''
 $loginCallback = ''
 $loginFailedCallback = ''
 $logoutCallback = ''
 $_sessionName = '_authsession'
 $version = "@version@"
 $advancedsecurity = false
 $_postUsername = 'username'
 $_postPassword = 'password'
 $session
 $server
 $post
 $cookie
 $authdata
 $authChecks = 0
 $logger = null
 $enableLogging = false
 $regenerateSessionId = false

Additional Inherited Members

- Static Public Member Functions inherited from Auth
_factory ($driver, $options= '')
 Return a storage driver based on $driver and $options.
 staticCheckAuth ($options=null)
 Statically checks if there is a session with valid auth information.
- Protected Member Functions inherited from ilAuthBase
 initAuth ()
 Init auth object Enable logging, set callbacks...
 loginObserver ($a_username, $a_auth)
 Called after successful login.
 failedLoginObserver ($a_username, $a_auth)
 Called after failed login.
 checkAuthObserver ($a_username, $a_auth)
 Called after each check auth request.
 logoutObserver ($a_username, $a_auth)
 Called after logout.
- Protected Attributes inherited from ilAuthBase
 $sub_status = null

Detailed Description

Definition at line 54 of file HTTP.php.

Member Function Documentation

Auth_HTTP::_decodeNonce (   $nonce,
$time,
$hash 
)

decode nonce string

private

Parameters
string$noncenonce value from client
string$timedecoded time
string$hashdecoded hash
Returns
bool false if nonce is invalid

Definition at line 628 of file HTTP.php.

References $nonce, AUTH_HTTP_NONCE_HASH_LEN, and AUTH_HTTP_NONCE_TIME_LEN.

Referenced by _judgeStale().

{
if (method_exists($this, '_importGlobalVariable')) {
$this->server = &$this->_importGlobalVariable('server');
}
if (strlen($nonce) != AUTH_HTTP_NONCE_TIME_LEN + AUTH_HTTP_NONCE_HASH_LEN) {
return false;
}
$time = base64_decode(substr($nonce, 0, AUTH_HTTP_NONCE_TIME_LEN));
$hash_cli = substr($nonce, AUTH_HTTP_NONCE_TIME_LEN, AUTH_HTTP_NONCE_HASH_LEN);
$hash = md5($time . $this->server['HTTP_USER_AGENT'] . $this->options['noncekey']);
if ($hash_cli != $hash) {
return false;
}
return true;
}

+ Here is the caller graph for this function:

Auth_HTTP::_getNonce ( )

return nonce to detect timeout

private

Returns
string nonce value

Definition at line 659 of file HTTP.php.

Referenced by _judgeStale(), and drawLogin().

{
if (method_exists($this, '_importGlobalVariable')) {
$this->server = &$this->_importGlobalVariable('server');
}
$time = time();
$hash = md5($time . $this->server['HTTP_USER_AGENT'] . $this->options['noncekey']);
return base64_encode($time) . $hash;
}

+ Here is the caller graph for this function:

Auth_HTTP::_judgeStale (   $nonce)

judge if nonce from client is stale.

private

Parameters
string$noncenonce value from client
Returns
bool stale

Definition at line 596 of file HTTP.php.

References $nonce, $stale, _decodeNonce(), and _getNonce().

Referenced by assignData().

{
$stale = false;
if(!$this->_decodeNonce($nonce, $time, $hash_cli)) {
$this->nextNonce = false;
$stale = true;
return $stale;
}
if ($time < time() - $this->options['nonceLife']) {
$this->nextNonce = $this->_getNonce();
$stale = true;
} else {
$this->nextNonce = $nonce;
}
return $stale;
}

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

Auth_HTTP::assignData ( )

Assign values from $PHP_AUTH_USER and $PHP_AUTH_PW or 'Authorization' header to internal variables and sets the session id based on them.

public

Returns
void

Try to get authentication information from IIS

set sessionName for AUTH, so that the sessionName is different for distinct realms

Reimplemented from Auth.

Definition at line 217 of file HTTP.php.

References $auth, $key, Auth\$password, Auth\$username, _judgeStale(), elseif(), PEAR\raiseError(), and selfURI().

{
if (method_exists($this, '_importGlobalVariable')) {
$this->server = &$this->_importGlobalVariable('server');
}
if ($this->authType == 'basic') {
if (!empty($this->server['PHP_AUTH_USER'])) {
$this->username = $this->server['PHP_AUTH_USER'];
}
if (!empty($this->server['PHP_AUTH_PW'])) {
$this->password = $this->server['PHP_AUTH_PW'];
}
if (empty($this->username) && empty($this->password)) {
if (!empty($this->server['HTTP_AUTHORIZATION'])) {
list($this->username, $this->password) =
explode(':', base64_decode(substr($this->server['HTTP_AUTHORIZATION'], 6)));
}
}
} elseif ($this->authType == 'digest') {
$this->username = '';
$this->password = '';
$this->digest_header = null;
if (!empty($this->server['PHP_AUTH_DIGEST'])) {
$this->digest_header = substr($this->server['PHP_AUTH_DIGEST'],
strpos($this->server['PHP_AUTH_DIGEST'],' ')+1);
} else {
$headers = getallheaders();
if(isset($headers['Authorization']) && !empty($headers['Authorization'])) {
$this->digest_header = substr($headers['Authorization'],
strpos($headers['Authorization'],' ')+1);
}
}
if($this->digest_header) {
$authtemp = explode(',', $this->digest_header);
$auth = array();
foreach($authtemp as $key => $value) {
$value = trim($value);
if(strpos($value,'=') !== false) {
$lhs = substr($value,0,strpos($value,'='));
$rhs = substr($value,strpos($value,'=')+1);
if(substr($rhs,0,1) == '"' && substr($rhs,-1,1) == '"') {
$rhs = substr($rhs,1,-1);
}
$auth[$lhs] = $rhs;
}
}
}
if (!isset($auth['uri']) || !isset($auth['realm'])) {
return;
}
if ($this->selfURI() == $auth['uri']) {
$this->uri = $auth['uri'];
if (substr($headers['Authorization'],0,7) == 'Digest ') {
$this->authType = 'digest';
if (!isset($auth['nonce']) || !isset($auth['username']) ||
!isset($auth['response']) || !isset($auth['qop']) ||
!isset($auth['nc']) || !isset($auth['cnonce'])){
return;
}
if ($auth['qop'] != 'auth' && $auth['qop'] != 'auth-int') {
return;
}
$this->stale = $this->_judgeStale($auth['nonce']);
if ($this->nextNonce == false) {
return;
}
$this->username = $auth['username'];
$this->password = $auth['response'];
$this->auth['nonce'] = $auth['nonce'];
$this->auth['qop'] = $auth['qop'];
$this->auth['nc'] = $auth['nc'];
$this->auth['cnonce'] = $auth['cnonce'];
if (isset($auth['opaque'])) {
$this->auth['opaque'] = $auth['opaque'];
}
} elseif (substr($headers['Authorization'],0,6) == 'Basic ') {
if ($this->options['forceDigestOnly']) {
return; // Basic authentication is not allowed.
}
$this->authType = 'basic';
list($username, $password) =
explode(':',base64_decode(substr($headers['Authorization'],6)));
$this->username = $username;
$this->password = $password;
}
}
} else {
return PEAR::raiseError('authType is invalid.');
}
if ($this->options['sessionSharing'] &&
isset($this->username) && isset($this->password)) {
session_id(md5('Auth_HTTP' . $this->username . $this->password));
}
$this->_sessionName = "_authhttp".md5($this->realm);
}

+ Here is the call graph for this function:

Auth_HTTP::Auth_HTTP (   $storageDriver,
  $options = '' 
)

Constructor.

Parameters
stringType of the storage driver
mixedAdditional options for the storage driver (example: if you are using DB as the storage driver, you have to pass the dsn string here)
Returns
void

Definition at line 173 of file HTTP.php.

References $key, $options, and Auth\Auth().

{
/* set default values for options */
$this->options = array('cryptType' => 'md5',
'algorithm' => 'MD5',
'qop' => 'auth-int,auth',
'opaquekey' => 'moo',
'noncekey' => 'moo',
'digestRealm' => 'protected area',
'forceDigestOnly' => false,
'nonceLife' => 300,
'sessionSharing' => true,
);
if (!empty($options['authType'])) {
$this->authType = strtolower($options['authType']);
}
if (is_array($options)) {
foreach($options as $key => $value) {
if (array_key_exists( $key, $this->options)) {
$this->options[$key] = $value;
}
}
if (!empty($this->options['opaquekey'])) {
$this->opaque = md5($this->options['opaquekey']);
}
}
$this->Auth($storageDriver, $options);
}

+ Here is the call graph for this function:

Auth_HTTP::authenticationInfo (   $contentMD5 = '')

output HTTP Authentication-Info header

md5 hash of contents is required if 'qop' is 'auth-int'

private

Parameters
stringMD5 hash of content

Definition at line 682 of file HTTP.php.

References Auth\getAuth(), and Auth\getAuthData().

Referenced by login().

{
if($this->getAuth() && ($this->getAuthData('a1') != null)) {
$a1 = $this->getAuthData('a1');
// Work out authorisation response
$a2unhashed = ":".$this->selfURI();
if($this->auth['qop'] == 'auth-int') {
$a2unhashed .= ':'.$contentMD5;
}
$a2 = md5($a2unhashed);
$combined = $a1.':'.
$this->nonce.':'.
$this->auth['nc'].':'.
$this->auth['cnonce'].':'.
$this->auth['qop'].':'.
$a2;
// Send authentication info
$wwwauth = 'Authentication-Info: ';
if($this->nonce != $this->nextNonce) {
$wwwauth .= 'nextnonce="'.$this->nextNonce.'", ';
}
$wwwauth .= 'qop='.$this->auth['qop'].', ';
$wwwauth .= 'rspauth="'.md5($combined).'", ';
$wwwauth .= 'cnonce="'.$this->auth['cnonce'].'", ';
$wwwauth .= 'nc='.$this->auth['nc'].'';
header($wwwauth);
}
}

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

Auth_HTTP::drawLogin (   $username = "")

Launch the login box.

Parameters
string$usernameUsername
Returns
void private

Send the header commands

This code is only executed if the user hits the cancel button or if he enters wrong data 3 times.

Definition at line 449 of file HTTP.php.

References $CancelText, _getNonce(), and exit.

Referenced by login(), and validateDigest().

{
if ($this->authType == 'basic') {
header("WWW-Authenticate: Basic realm=\"".$this->realm."\"");
header('HTTP/1.0 401 Unauthorized');
} else if ($this->authType == 'digest') {
$this->nonce = $this->_getNonce();
$wwwauth = 'WWW-Authenticate: Digest ';
$wwwauth .= 'qop="'.$this->options['qop'].'", ';
$wwwauth .= 'algorithm='.$this->options['algorithm'].', ';
$wwwauth .= 'realm="'.$this->options['digestRealm'].'", ';
$wwwauth .= 'nonce="'.$this->nonce.'", ';
if ($this->stale) {
$wwwauth .= 'stale=true, ';
}
if (!empty($this->opaque)) {
$wwwauth .= 'opaque="'.$this->opaque.'"' ;
}
$wwwauth .= "\r\n";
if (!$this->options['forceDigestOnly']) {
$wwwauth .= 'WWW-Authenticate: Basic realm="'.$this->realm.'"';
}
header($wwwauth);
header('HTTP/1.0 401 Unauthorized');
}
if ($this->stale) {
echo 'Stale nonce value, please re-authenticate.';
} else {
echo $this->CancelText;
}
exit;
}

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

Auth_HTTP::getOption (   $name)

get authentication option

public

Parameters
string$namekey of option
Returns
mixed option value

Definition at line 746 of file HTTP.php.

References $CancelText, $name, and $realm.

{
if (array_key_exists( $name, $this->options)) {
return $this->options[$name];
}
if ($name == 'CancelText') {
return $this->CancelText;
}
if ($name == 'Realm') {
return $this->realm;
}
return false;
}
Auth_HTTP::login ( )

Login function.

private

Returns
void

When the user has already entered a username, we have to validate it.

If the login failed or the user entered no username, output the login screen again.

Reimplemented from Auth.

Definition at line 348 of file HTTP.php.

References Auth\$_sessionName, $query, Auth\$storage, Auth\_loadStorage(), AUTH_WRONG_LOGIN, authenticationInfo(), drawLogin(), Auth\getAuth(), Auth\getAuthData(), PEAR\raiseError(), Auth\setAuth(), Auth\setAuthData(), and validateDigest().

{
$login_ok = false;
if (method_exists($this, '_loadStorage')) {
$this->_loadStorage();
}
$this->storage->_auth_obj->_sessionName =& $this->_sessionName;
if (!empty($this->username) && !empty($this->password)) {
if ($this->authType == 'basic' && !$this->options['forceDigestOnly']) {
if (true === $this->storage->fetchData($this->username, $this->password)) {
$login_ok = true;
}
} else { /* digest authentication */
if (!$this->getAuth() || $this->getAuthData('a1') == null) {
/*
* note:
* - only PEAR::DB is supported as container.
* - password should be stored in container as plain-text
* (if $options['cryptType'] == 'none') or
* A1 hashed form (md5('username:realm:password'))
* (if $options['cryptType'] == 'md5')
*/
$dbs = $this->storage;
if (!DB::isConnection($dbs->db)) {
$dbs->_connect($dbs->options['dsn']);
}
$query = 'SELECT '.$dbs->options['passwordcol']." FROM ".$dbs->options['table'].
' WHERE '.$dbs->options['usernamecol']." = '".
$dbs->db->quoteString($this->username)."' ";
$pwd = $dbs->db->getOne($query); // password stored in container.
if (DB::isError($pwd)) {
return PEAR::raiseError($pwd->getMessage(), $pwd->getCode());
}
if ($this->options['cryptType'] == 'none') {
$a1 = md5($this->username.':'.$this->options['digestRealm'].':'.$pwd);
} else {
$a1 = $pwd;
}
$this->setAuthData('a1', $a1, true);
} else {
$a1 = $this->getAuthData('a1');
}
$login_ok = $this->validateDigest($this->password, $a1);
if ($this->nextNonce == false) {
$login_ok = false;
}
}
if (!$login_ok && is_callable($this->loginFailedCallback)) {
call_user_func($this->loginFailedCallback,$this->username, $this);
}
}
if (!empty($this->username) && $login_ok) {
$this->setAuth($this->username);
if (is_callable($this->loginCallback)) {
call_user_func($this->loginCallback,$this->username, $this);
}
}
if (!empty($this->username) && !$login_ok) {
$this->status = AUTH_WRONG_LOGIN;
}
if ((empty($this->username) || !$login_ok) && $this->showLogin) {
$this->drawLogin($this->storage->activeUser);
return;
}
if (!empty($this->username) && $login_ok && $this->authType == 'digest'
&& $this->auth['qop'] == 'auth') {
$this->authenticationInfo();
}
}

+ Here is the call graph for this function:

Auth_HTTP::selfURI ( )

get self URI

public

Returns
string self URI

Definition at line 768 of file HTTP.php.

References $uri.

Referenced by assignData(), and validateDigest().

{
if (method_exists($this, '_importGlobalVariable')) {
$this->server = &$this->_importGlobalVariable('server');
}
if (preg_match("/MSIE/",$this->server['HTTP_USER_AGENT'])) {
// query string should be removed for MSIE
$uri = preg_replace("/^(.*)\?/","\\1",$this->server['REQUEST_URI']);
} else {
$uri = $this->server['REQUEST_URI'];
}
return $uri;
}

+ Here is the caller graph for this function:

Auth_HTTP::setCancelText (   $text)

Set the text to send if user hits the cancel button.

public

Parameters
string$textText to send
Returns
void

Definition at line 520 of file HTTP.php.

{
$this->CancelText = $text;
}
Auth_HTTP::setOption (   $name,
  $value = null 
)

set authentication option

public

Parameters
mixed$namekey of option
mixed$valuevalue of option
Returns
void

Definition at line 722 of file HTTP.php.

References $key, and $name.

{
if (is_array($name)) {
foreach($name as $key => $value) {
if (array_key_exists( $key, $this->options)) {
$this->options[$key] = $value;
}
}
} else {
if (array_key_exists( $name, $this->options)) {
$this->options[$name] = $value;
}
}
}
Auth_HTTP::setRealm (   $realm,
  $digestRealm = '' 
)

Set name of the current realm.

public

Parameters
string$realmName of the realm
string$digestRealmName of the realm for digest authentication
Returns
void

Definition at line 502 of file HTTP.php.

References $realm.

Referenced by ilAuthHTTP\__construct().

{
$this->realm = $realm;
if (!empty($digestRealm)) {
$this->options['digestRealm'] = $digestRealm;
}
}

+ Here is the caller graph for this function:

Auth_HTTP::validateDigest (   $response,
  $a1 
)

judge if the client response is valid.

private

Parameters
string$responseclient response
string$a1password or hashed password stored in container
Returns
bool true if success, false otherwise

Definition at line 536 of file HTTP.php.

References $GLOBALS, $key, drawLogin(), and selfURI().

Referenced by login().

{
if (method_exists($this, '_importGlobalVariable')) {
$this->server = &$this->_importGlobalVariable('server');
}
$a2unhashed = $this->server['REQUEST_METHOD'].":".$this->selfURI();
if($this->auth['qop'] == 'auth-int') {
if(isset($GLOBALS["HTTP_RAW_POST_DATA"])) {
// In PHP < 4.3 get raw POST data from this variable
$body = $GLOBALS["HTTP_RAW_POST_DATA"];
} else if($lines = @file('php://input')) {
// In PHP >= 4.3 get raw POST data from this file
$body = implode("\n", $lines);
} else {
if (method_exists($this, '_importGlobalVariable')) {
$this->post = &$this->_importGlobalVariable('post');
}
$body = '';
foreach($this->post as $key => $value) {
if($body != '') $body .= '&';
$body .= rawurlencode($key) . '=' . rawurlencode($value);
}
}
$a2unhashed .= ':'.md5($body);
}
$a2 = md5($a2unhashed);
$combined = $a1.':'.
$this->auth['nonce'].':'.
$this->auth['nc'].':'.
$this->auth['cnonce'].':'.
$this->auth['qop'].':'.
$a2;
$expectedResponse = md5($combined);
if(!isset($this->auth['opaque']) || $this->auth['opaque'] == $this->opaque) {
if($response == $expectedResponse) { // password is valid
if(!$this->stale) {
return true;
} else {
$this->drawLogin();
}
}
}
return false;
}

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

Field Documentation

Auth_HTTP::$auth = array()

Definition at line 123 of file HTTP.php.

Referenced by assignData().

Auth_HTTP::$authType = 'basic'

Definition at line 65 of file HTTP.php.

Auth_HTTP::$CancelText = "Error 401 - Access denied"

Definition at line 83 of file HTTP.php.

Referenced by drawLogin(), and getOption().

Auth_HTTP::$cookie

Definition at line 157 of file HTTP.php.

Auth_HTTP::$nextNonce = ''

Definition at line 131 of file HTTP.php.

Auth_HTTP::$nonce = ''

Definition at line 139 of file HTTP.php.

Referenced by _decodeNonce(), and _judgeStale().

Auth_HTTP::$opaque = 'dummy'

Definition at line 107 of file HTTP.php.

Auth_HTTP::$options = array()

Definition at line 91 of file HTTP.php.

Referenced by Auth_HTTP().

Auth_HTTP::$post

Definition at line 151 of file HTTP.php.

Auth_HTTP::$realm = "protected area"

Definition at line 74 of file HTTP.php.

Referenced by getOption(), and setRealm().

Auth_HTTP::$server

Definition at line 145 of file HTTP.php.

Auth_HTTP::$stale = false

Definition at line 99 of file HTTP.php.

Referenced by _judgeStale().

Auth_HTTP::$uri = ''

Definition at line 115 of file HTTP.php.

Referenced by selfURI().

The documentation for this class was generated from the following file: