一起使用CakePHP表单和基本身份验证 [英] Using CakePHP Form and Basic Authentication together

问题描述

我已经使用CakePHP 3.8和Authentication 1.0创建了一个简单的测试站点，以进行试用.我希望同时使用Form和Basic身份验证，因为预期的应用程序将提供REST调用.

I've created a simple test site using CakePHP 3.8 and Authentication 1.0 to try it out. I'd like to use both Form and Basic authentication since the intended app will offer REST calls.

如果不包含HttpBasic，则站点将正常运行，即显示登录"窗口.但是，使用HttpBasic，该站点可以直接进行基本身份验证.

The site works properly if the HttpBasic is not included, that is the Login window is displayed. However, with HttpBasic, the site goes directly to basic authentication.

代码直接来自食谱.

我想念什么?

    public function getAuthenticationService(ServerRequestInterface $request, ResponseInterface $response)
{
    $service = new AuthenticationService();

    $service->setConfig([
            'unauthenticatedRedirect' => '/users/login',
            'queryParam' => 'redirect'
    ]);

    $fields = [
        'username' => 'user',
        'password' => 'password',
    ];

    // Load Identifiers
    $service->loadIdentifier('Authentication.Password', compact('fields'));

    // Load the authenticators
    $service->loadAuthenticator('Authentication.Session');
    $service->loadAuthenticator('Authentication.Form', [
            'fields' => $fields,
            'loginUrl' => '/users/login',
    ]);
    $service->loadAuthenticator('Authentication.HttpBasic');

    return $service;
}

推荐答案

如注释中所述，将表单身份验证器和HTTP基本身份验证器一起使用不能很好地工作，这是由于身份验证服务除非其中之一返回表明成功认证的响应，否则不会停止执行所有已加载的认证器.

As mentioned in the comments, using the form authenticator and the HTTP basic authenticator together won't work overly well, this is due to the fact that the authentication service won't stop executing all loaded authenticators, unless one of them returns a response that indicates successful authentication.

这意味着将始终向您提供身份验证质询响应，而永远不会看到您的登录表单.只有实际的身份验证部分才能在该星座中使用，即直接将您的登录凭据作为表单数据发送到登录端点.

This means that you'd always be presented with the authentication challenge response, and never see your login form. Only the actual authentication part would work in that constellation, ie directly sending your login credentials as form data to the login endpoint.

如果您实际上并不需要阻止您访问登录表单的基本auth质询响应，则可以使用不导致返回质询响应的自定义/扩展身份验证器，应为简单，就像覆盖 \ Authentication \ Authenticator \ HttpBasicAuthenticator :: unauthorizedChallenge():

If you don't actually need the basic auth challenge response that is preventing you from accessing the login form, then you could use a custom/extended authenticator that doesn't cause a challenge response to be returned, which should be as simple as overriding \Authentication\Authenticator\HttpBasicAuthenticator::unauthorizedChallenge():

src/Authenticator/ChallengelessHttpBasicAuthenticator.php

namespace App\Authenticator;

use Authentication\Authenticator\HttpBasicAuthenticator;
use Psr\Http\Message\ServerRequestInterface;

class ChallengelessHttpBasicAuthenticator extends HttpBasicAuthenticator
{
    public function unauthorizedChallenge(ServerRequestInterface $request)
    {
        // noop
    }
}

$service->loadAuthenticator(\App\Authenticator\ChallengelessHttpBasicAuthenticator::class);

如果您的应用程序使用身份验证组件的 setIdentity()方法，即使在使用无状态身份验证器的情况下，也会导致身份保留在会话中，因此您可能还需要添加其他检查.如果您不希望这样做，则需要在设置身份之前测试成功的身份验证器是否为无状态:

Also not that you might need to add additional checks in case your application uses the authentication component's setIdentity() method, which would cause the identity to be persisted in the session, even when using stateless authenticators. If you don't want that, then you'd need to test whether the successful authenticator is stateless before setting the identity:

$provider = $this->Authentication->getAuthenticationService()->getAuthenticationProvider();
if (!($provider instanceof \Authentication\Authenticator\StatelessInterface))
{
    $this->Authentication->setIdentity(/* ... */);
}

这篇关于一起使用CakePHP表单和基本身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！