tips:htdigestauth

Setting up htdigest user identification

I have set up my DokuWiki in a domain that is protected by the web server: to reach it, users must log in via HTTP digest authentication. I have written an extension of the htaccess authentication backend that supports digest-based authentication. You need to have the htaccess backend installed, and you must modify some core files for it to work.

Installation

  1. Follow the installation instructions for the htaccess authentication class.

htdigest.class.php

Create an htdigest.class.php file in the inc/auth/ directory with these contents:

<?php
/**
 * htdigest authentication backend
 * @license    GPL 2 (http://www.gnu.org/licenses/gpl.html)
 * @author     Jesús A. Álvarez <zydeco@namedfork.net>
 * Version: 1.0
 * last modified: 2008-04-18 09:22
 *
 * Work based on the htaccess authentication backend:
 * @author     Samuele Tognini <samuele@cli.di.unipi.it>
 *
 * Work based on the plaintext authentication backend:
 * @author     Andreas Gohr <andi@splitbrain.org>
 * @author     Chris Smith <chris@jalakai.co.uk>
 *
 * and on the .htaccess authentication backend:
 * @author     Marcel Meulemans <marcel_AT_meulemans_DOT_org>
 * Additions:  Sebastian S <Seb.S@web.expr42.net>
 *
 */

define('DOKU_AUTH', dirname(__FILE__));
require_once(DOKU_AUTH.'/htaccess.class.php');

define('AUTH_USERFILE',DOKU_CONF.'htusers.auth.php');

// same request clean-up the htaccess backend performs; each if governs exactly one statement
if(isset($_REQUEST['u']))
    $_REQUEST['u'] = cleanID($_REQUEST['u']);
if(isset($_REQUEST['acl_user']))
    $_REQUEST['acl_user'] = cleanID($_REQUEST['acl_user']);

class auth_htdigest extends auth_htaccess {

    var $users = null;
    var $_pattern = array();

    /**
     * Constructor
     *
     * Calls the parent class' constructor, but we can't logoff using digest
     *
     * @author Jesús A. Álvarez <zydeco@namedfork.net>
     */
    function auth_htdigest() {
        $this->auth_htaccess();
        $this->cando['logoff'] = false;
        $this->cando['userLogout'] = false; // see template.php modification, will hide login/logout button
    }

    /**
     * Check user+password [required auth function]
     *
     * Checks if the given user exists
     *
     * Neither $user nor $pass is compared here: the web server has already
     * verified the digest response before PHP runs, so this only confirms that
     * the username carried in the Authorization header is known to the backend.
     * The backend is therefore only safe where the server really enforces digest
     * authentication on the wiki directory.
     *
     * @author  Jesús A. Álvarez <zydeco@namedfork.net>
     * @return  bool
     */
    function checkPass($user='',$pass=''){
        global $conf;
        if (!isset($_SERVER['PHP_AUTH_DIGEST'])) return false;
        // extract the username="..." parameter from the digest header
        if (!preg_match('/username="(?P<username>.*)"/U', $_SERVER['PHP_AUTH_DIGEST'], $digest)) {
            return false; // header present but malformed
        }
        $userinfo = $this->getUserData($digest['username']);
        return ($userinfo !== false);
    }
}
?>
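The class above never verifies a password; it relies on the web server having already checked the digest response, and only pulls the username out of PHP_AUTH_DIGEST with a regex (the same regex the patch and the local.php snippet use). The following is an added example, not part of this tip or of DokuWiki, showing what that server-side check consists of: a proper parser for the Digest parameter list and an RFC 2617 verification of the response against an htdigest-style file (lines of user:realm:MD5(user:realm:password)). The realm, user, nonce values and the sample header are constructed inline; hash_equals() requires PHP 5.6 or later.

```php
<?php
// Added example (not DokuWiki code): parse and verify a Digest Authorization
// header, i.e. the check the web server must perform before the htdigest
// backend's checkPass() can safely trust the username in the header.

/**
 * Parse the parameter list PHP exposes in $_SERVER['PHP_AUTH_DIGEST'] into an
 * associative array. Handles quoted strings (username="...", including \"
 * escapes) and bare tokens (qop=auth, nc=00000001); the backend's
 * /username="(?P<username>.*)"/U regex stops at the first quote and cannot.
 */
function parse_digest_header($header) {
    $params = array();
    $re = '/(\w+)=(?:"((?:[^"\\\\]|\\\\.)*)"|([^\s,]+))/';
    if (!preg_match_all($re, $header, $matches, PREG_SET_ORDER)) {
        return $params;
    }
    foreach ($matches as $m) {
        $name = strtolower($m[1]);
        if (isset($m[3]) && $m[3] !== '') {
            $params[$name] = $m[3];                // bare token
        } else {
            $params[$name] = stripslashes($m[2]);  // quoted string, unescaped
        }
    }
    return $params;
}

/**
 * Load htdigest file contents into array[realm][user] = HA1 (lowercase hex).
 * Blank lines, comments and malformed lines are skipped.
 */
function load_htdigest($contents) {
    $users = array();
    foreach (preg_split('/\r?\n/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') continue;
        $parts = explode(':', $line, 3);
        if (count($parts) !== 3) continue;
        $users[$parts[1]][$parts[0]] = strtolower($parts[2]);
    }
    return $users;
}

/**
 * Verify parsed Digest parameters for HTTP $method against the htdigest table
 * (RFC 2617, MD5, with or without qop=auth). Returns the username on success,
 * false otherwise. A production check must also confirm that the nonce was
 * issued by this server and is still fresh, and that nc only increases, so a
 * captured header cannot be replayed; that bookkeeping is out of scope here.
 */
function verify_digest(array $d, array $users, $method) {
    foreach (array('username', 'realm', 'nonce', 'uri', 'response') as $k) {
        if (!isset($d[$k]) || $d[$k] === '') return false;
    }
    if (!isset($users[$d['realm']][$d['username']])) return false;
    $ha1 = $users[$d['realm']][$d['username']];
    $ha2 = md5(strtoupper($method) . ':' . $d['uri']);
    if (isset($d['qop']) && $d['qop'] !== '') {
        if ($d['qop'] !== 'auth' || !isset($d['nc'], $d['cnonce'])) return false;
        $expected = md5("$ha1:{$d['nonce']}:{$d['nc']}:{$d['cnonce']}:auth:$ha2");
    } else {
        $expected = md5("$ha1:{$d['nonce']}:$ha2");
    }
    return hash_equals($expected, strtolower($d['response'])) ? $d['username'] : false;
}

// ---- constructed demonstration data (not from the original page) ----
$realm    = 'wiki';
$password = 'correct horse';   // used only to build the sample file and header
$users    = load_htdigest("# user:realm:HA1\nalice:$realm:" . md5("alice:$realm:$password") . "\n");

$nonce  = 'dcd98b7102dd2f0e8b11d0f600bfb0c093';
$cnonce = '0a4f113b';
$uri    = '/doku.php?id=start';
$ha1    = md5("alice:$realm:$password");
$ha2    = md5("GET:$uri");
$good   = md5("$ha1:$nonce:00000001:$cnonce:auth:$ha2");   // what a genuine client sends

// the value $_SERVER['PHP_AUTH_DIGEST'] would hold for a successful login
$header = "username=\"alice\", realm=\"$realm\", nonce=\"$nonce\", uri=\"$uri\", "
        . "qop=auth, nc=00000001, cnonce=\"$cnonce\", response=\"$good\"";
$parsed = parse_digest_header($header);
echo 'genuine header: ', (verify_digest($parsed, $users, 'GET') === 'alice' ? 'accepted as alice' : 'rejected'), "\n";

// same header but with a response built from the wrong password: the username
// still parses as "alice", which is all checkPass() looks at, yet the digest
// check rejects it
$bad = $parsed;
$bad['response'] = md5("x:$nonce:00000001:$cnonce:auth:$ha2");
echo 'wrong-password header: ', (verify_digest($bad, $users, 'GET') === false ? 'rejected' : 'accepted'), "\n";

// the parser also copes with an escaped quote inside a quoted value
$q = parse_digest_header('username="al\"ice", realm="wiki"');
echo 'escaped quote parsed as: ', $q['username'], "\n";
```

Run it with the PHP CLI; the first header is accepted, the second rejected, and the last line prints al"ice. The point for anyone deploying the backend above is the second case: the backend's checkPass() would accept that header, because it only asks whether the named user exists, so the server in front of it must be the one doing this computation.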

htdigest.patch

These modifications will allow detection of users that are logged in via htdigest, and hide the login/logout button, as I can't find any reliable way to log out.

diff -aur inc.orig/auth.php inc/auth.php
--- inc.orig/auth.php	2008-04-18 09:16:46.000000000 +0000
+++ inc/auth.php	2008-04-17 22:37:01.000000000 +0000
@@ -60,9 +60,18 @@
       if (!isset($_REQUEST['r'])) $_REQUEST['r'] = '';
 
       // if no credentials were given try to use HTTP auth (for SSO)
-      if(empty($_REQUEST['u']) && empty($_COOKIE[DOKU_COOKIE]) && !empty($_SERVER['PHP_AUTH_USER'])){
-        $_REQUEST['u'] = $_SERVER['PHP_AUTH_USER'];
-        $_REQUEST['p'] = $_SERVER['PHP_AUTH_PW'];
+      if(empty($_REQUEST['u']) && empty($_COOKIE[DOKU_COOKIE])){
+        if (!empty($_SERVER['PHP_AUTH_DIGEST']))
+        {
+          preg_match('/username="(?P<username>.*)"/U', $_SERVER['PHP_AUTH_DIGEST'], $digest);
+          $_REQUEST['u'] = $digest['username'];
+          $_REQUEST['p'] = md5($digest['username']); // FIXME why do we need this?
+        }
+        elseif (!empty($_SERVER['PHP_AUTH_USER']))
+        {
+          $_REQUEST['u'] = $_SERVER['PHP_AUTH_USER'];
+          $_REQUEST['p'] = $_SERVER['PHP_AUTH_PW'];
+        }
       }
 
       // external trust mechanism in place?
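Review bot: the preg_match() in the new PHP_AUTH_DIGEST branch is unchecked, so a Digest header without a username="..." parameter leaves $digest['username'] undefined and assigns null to $_REQUEST['u'] (with a PHP notice); wrap it as `if (preg_match(...)) { ... }` and fall through to the PHP_AUTH_USER branch otherwise. The `// FIXME why do we need this?` on the $_REQUEST['p'] line should also be resolved before this is applied: auth_htdigest::checkPass() ignores its $pass argument, so the md5 of the username carries no secret and can only serve to satisfy a non-empty check elsewhere; state that in the comment, or drop the assignment if nothing depends on it.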
diff -aur inc.orig/template.php inc/template.php
--- inc.orig/template.php	2008-04-18 09:16:46.000000000 +0000
+++ inc/template.php	2008-04-18 09:08:36.000000000 +0000
@@ -495,7 +495,7 @@
       print html_topbtn();
       return true;
     case 'login':
-      if($conf['useacl'] && $auth){
+      if($conf['useacl'] && $auth && $auth->cando['userLogout'] !== false){
         if($_SERVER['REMOTE_USER']){
           print html_btn('logout',$ID,'',array('do' => 'logout', 'sectok' => getSecurityToken()));
         }else{
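Review bot: `$auth->cando['userLogout'] !== false` reads a key that only auth_htdigest sets, so every other backend (whose cando array has no 'userLogout' entry) now raises an undefined-index notice on each page render and still shows the button because null !== false. Guard the lookup, e.g. `!isset($auth->cando['userLogout']) || $auth->cando['userLogout'] !== false`, or initialise the key with a default in the base auth class so the check is explicit rather than relying on a missing index.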

Configuration

You must add this to your conf/local.php file:

$conf['authtype']       = 'htdigest';

// no DokuWiki session yet, but the server has authenticated the request via
// digest: seed the login from the username in the Authorization header
if (!isset($_SESSION[$conf['title']]['auth']['info']) && isset($_SERVER["PHP_AUTH_DIGEST"])
    && preg_match('/username="(?P<username>.*)"/U', $_SERVER['PHP_AUTH_DIGEST'], $digest))
{   // analyze the PHP_AUTH_DIGEST variable
    $_REQUEST['u'] = $digest['username'];
    $_REQUEST['p'] = md5($digest['username']); // FIXME why do we need this?
}

Optional settings

See the optional settings of the htaccess backend; htaccess_realm, htaccess_logout and htaccess_unauthurl do not apply here.

Bugs

  • You can't log out
tips/htdigestauth.txt · Last modified: 2009-02-08 10:40 by 80.24.114.19

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International