CakePHP security component blackholing login (data[_Token][key] field not generated)

Problem description

When I try to login, the request gets blackholed by the Security component. How can I make it work right?

I have a simple login form

  <div class="container container-login">
    <h2><?php echo __('Login'); ?></h2>
    <div class="wrap-form-signin">
    <?php
    echo $this->Form->create('User', array('action' => 'login', 'class' => 'form-signin'));
    echo $this->Form->input('username', array('label' => '', 'placeholder' => __('Email')));
    echo $this->Form->input('password', array('label' => '', 'placeholder' => __('Password')));
    echo $this->Form->submit(__('Login'));
    echo $this->Form->end();
    ?>
    </div>
</div>

The controller action goes like this:

public function login() {
    if ($this->request->is('post')) {
        if ($this->Auth->login()) {
            return $this->redirect($this->Auth->redirectUrl());
        } else {
            $this->Session->setFlash(__('Username or password is incorrect'), 'default', array(), 'auth');
        }
    }
}

And the Security component is included in AppController

public $components = array('Security', ... );

In the error.log I get:

2013-03-29 13:40:58 Error: [BadRequestException] The request has been black-holed
Request URL: /users/login
Stack Trace:
#0 C:\wamp\www\cdx\lib\Cake\Controller\Component\SecurityComponent.php(234): SecurityComponent->blackHole(Object(UsersController), 'auth')
#1 [internal function]: SecurityComponent->startup(Object(UsersController))
#2 C:\wamp\www\cdx\lib\Cake\Utility\ObjectCollection.php(131): call_user_func_array(Array, Array)
#3 [internal function]: ObjectCollection->trigger(Object(CakeEvent))
#4 C:\wamp\www\cdx\lib\Cake\Event\CakeEventManager.php(247): call_user_func(Array, Object(CakeEvent))
#5 C:\wamp\www\cdx\lib\Cake\Controller\Controller.php(670): CakeEventManager->dispatch(Object(CakeEvent))
#6 C:\wamp\www\cdx\lib\Cake\Routing\Dispatcher.php(183): Controller->startupProcess()
#7 C:\wamp\www\cdx\lib\Cake\Routing\Dispatcher.php(161): Dispatcher->_invoke(Object(UsersController), Object(CakeRequest), Object(CakeResponse))
#8 C:\wamp\www\cdx\app\webroot\index.php(92): Dispatcher->dispatch(Object(CakeRequest), Object(CakeResponse))
#9 {main}

How can I find what is making my request go to black hole?

When I tried to use a custom blackhole handler, the type of the error was auth. But that's all the information I can get

My version of CakePHP is 2.3.1

EDIT: The login works well without the Security component. After adding it to the AppController, the login stops working.

EDIT2: I don't have any data[_Token][key] fields in the form

EDIT3 THE SOLUTION: Someone from my team has overridden the HTMLHelper class and it missed "hiddenblock" in the _tags array, which resulted in missing _Token fields. For details, see mine and thaJeztah's answers along with the comments below them
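The question asks how to find out what is black-holing the request. As an added example (not code from the question or the answer), the CakePHP 2.x `blackHoleCallback` below logs the error type and whether the `_Token` fields actually reached the server, then rejects the request exactly as the component would have; the method name `blackhole` is an assumed name, everything else is the CakePHP 2 API.

```php
<?php
// Added example, not code from the question or the answer: a CakePHP 2.x
// blackhole callback that records why a request was black-holed and then
// still rejects it. Assumes the Security, Session and Auth components are
// loaded in AppController as in the question.
App::uses('Controller', 'Controller');
App::uses('CakeLog', 'Log');

class AppController extends Controller {

    public $components = array('Security', 'Session', 'Auth');

    public function beforeFilter() {
        parent::beforeFilter();
        // SecurityComponent calls $controller->blackhole($type) instead of
        // throwing BadRequestException itself; $type is one of 'auth',
        // 'csrf', 'get', 'post', 'put', 'delete' or 'secure'.
        $this->Security->blackHoleCallback = 'blackhole';
    }

    /**
     * Diagnostic blackhole handler. It logs field *names* only (never the
     * submitted values, which include the password) and always rejects.
     */
    public function blackhole($type) {
        // Refuse to run as a routed action (/users/blackhole/...): only the
        // component may invoke it, otherwise anyone could fake log entries.
        if ($this->request->params['action'] === 'blackhole') {
            throw new NotFoundException();
        }
        $data = (array)$this->request->data;
        $token = isset($data['_Token']) ? (array)$data['_Token'] : array();
        CakeLog::write('error', sprintf(
            'Black-holed %s %s: type=%s token_key=%s token_fields=%s post_keys=%s',
            $this->request->method(),
            $this->request->here,
            $type,
            isset($token['key']) ? 'present' : 'missing',
            isset($token['fields']) ? 'present' : 'missing',
            implode(',', array_keys($data))
        ));
        // type=auth means the POST failed the form-tamper check; combined with
        // token_key=missing it points at the form never rendering the hidden
        // _Token block (for the OP, a customised HtmlHelper that lost the
        // 'hiddenblock' tag), not at a forged or replayed token.
        throw new BadRequestException(__('The request has been black-holed'));
    }
}
```

With this in place the error.log line names the failing check and the state of the token fields, so a missing `data[_Token][key]` is visible on the first failed login instead of after adding a custom handler by trial and error.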

Solution

In what order did you add your components? The security-component should be put before other components that handle form-data in their startup():

"If you are using Security component’s form protection features and other components that process form data in their startup() callbacks, be sure to place Security Component before those components in your $components array."

Security

Because the AuthComponent does handle form data inside the startup(), I think this applies, so be sure that the SecurityComponent is before the AuthComponent in your $components array:

public $components = array(
    'Security',
    'Session',
    'Auth' => array(
        // auth component settings
    )
);

Update

The 'final' answer as posted by the OP made clear that this question could not have been answered. As it turned out, somebody in the team made modifications to the HtmlHelper, causing it to not output 'hidden' blocks, and therefore not outputting the CSRF token.

In normal situations, you should never make modifications to the CakePHP Framework files themselves. CakePHP offers ways to override its functionality (including Helpers) without modifying the 'core' CakePHP files.

Why modifying CakePHP files is bad

Consider, for example, a car. What if a mechanic didn't like the design and decided to 'swap' the brake and accelerator pedals?

Of course, the car is still able to drive if you were aware of this modification. However, without this important information, any other driver would definitely crash (and wonder what the heck just happened!?)

If the default behavior of the framework doesn't fit your needs, extend those classes. Do not modify the framework files themselves (unless there really is no other option). If modifications to the framework are absolutely necessary, be sure to discuss this with the team and write documentation on the changes that have been made.

Keep in mind that it will no longer be possible to update the framework to a newer version, without applying the same modifications to the updated version as well. Again, if the changes have not been documented, somebody might update CakePHP and destroy your modifications.

Also, if you override or modify CakePHP, make sure that the overrides are compatible with the default behavior of CakePHP and the unit tests of CakePHP still run correctly (or create new Unit Tests for the modifications).

Using 'customised' Helpers in CakePHP

If you need to customise the CakePHP Helpers (or other components), there are various options to do so without modifying the CakePHP files:

1. Extend the Helper

class AwesomeHtmlHelper extends HtmlHelper {
    /**
     * enhanced tableHeaders method, outputs tableHeaders in a 'thead' tag
     *
     * {@inheritdoc}
     */
    public function tableHeaders(array $names, array $trOptions = null, array $thOptions = null)
    {
        $output = parent::tableHeaders($names, $trOptions, $thOptions);
        return '<thead>' . $output . '</thead>';
    }
}

Then, use your Helper the regular way:

echo $this->AwesomeHtml->tableHeaders(array('Date', 'Title', 'Active'));

2. 'Drop-in' replacement - use an alias (CakePHP > 2.3)

Since CakePHP 2.3 it's possible to use an alias for a Helper. This functionality can be used in situations where (for example) two Helpers with the same name exist in your Application (e.g. Plugin.HtmlHelper).

Also, this allows you to override a CakePHP Helper with your own Helper. See the documentation here: Using and Configuring Helpers

Be aware that this will override the Helper everywhere in your application!

public $helpers = array(
    'Html' => array(
        'className' => 'AwesomeHtml'
    )
);

Now, $this->Html will actually refer to the AwesomeHtmlHelper in your views:

echo $this->Html->tableHeaders(array('Date', 'Title', 'Active'));

Will output your 'enhanced' table headers
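The root cause in the question was a customised HtmlHelper whose `_tags` array no longer contained `hiddenblock`, so `FormHelper::secure()` silently emitted nothing and every POST was black-holed with type `auth`. As an added example (not the answer's own code), the helper below shows the safe way to customise tag templates in CakePHP 2.x, merging over the inherited array and failing loudly at construction time if a template the form protection depends on is missing; the class name `AwesomeHtmlHelper` follows the answer, the property and method names `_customTags`, `_requiredTags` and `assertRequiredTags` are assumed.

```php
<?php
// Added example, not the answer's code: customising HtmlHelper tag
// templates in CakePHP 2.x without losing the built-in ones. Redefining the
// whole $_tags array in a subclass is what dropped 'hiddenblock' in the
// question; merging keeps every template FormHelper::secure() relies on.
App::uses('HtmlHelper', 'View/Helper');

class AwesomeHtmlHelper extends HtmlHelper {

    /**
     * Only the templates we want to change; everything else is inherited.
     * 'tableheader' is the template tableHeaders() uses for each <th>.
     */
    protected $_customTags = array(
        'tableheader' => '<th scope="col"%s>%s</th>',
    );

    /**
     * Templates form protection cannot work without. HtmlHelper::useTag()
     * returns '' for an unknown tag, so a missing 'hiddenblock' drops the
     * _Token key/fields inputs and SecurityComponent black-holes the POST.
     */
    protected $_requiredTags = array('hiddenblock', 'hidden', 'form', 'formend');

    public function __construct(View $View, $settings = array()) {
        parent::__construct($View, $settings);
        // Merge over the parent's templates instead of replacing them.
        $this->_tags = array_merge($this->_tags, $this->_customTags);
        $this->assertRequiredTags();
    }

    /**
     * Fail at helper construction rather than silently at render time.
     * Returns the (empty) list of missing tags so callers can check it.
     */
    public function assertRequiredTags() {
        $missing = array_diff($this->_requiredTags, array_keys($this->_tags));
        if ($missing) {
            throw new CakeException('HtmlHelper is missing required tags: ' . implode(', ', $missing));
        }
        return $missing;
    }
}
```

Loaded through the alias from option 2 (`'Html' => array('className' => 'AwesomeHtml')`), this helper changes only the `<th>` markup while the hidden `_Token` block is still rendered by `FormHelper::create()` and `FormHelper::end()`.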
