Cakephp 3 摘要认证
Cakephp 3 Digest authentication
我试图通过 cakephp 3 使用摘要式身份验证来构建可扩展的系统。仅在需要时要求客户端输入密码,但输入的详细信息不允许访问,而是再次弹出请求凭据的对话框。非常感谢任何建议或帮助!
AppController::initialize()
$this->loadComponent('Auth', [
'authenticate' => [
'Digest' => [
'fields' => ['username' => 'username', 'password' => 'password_hash'],
'userModel' => 'Users',
'finder' => 'auth'
],
],
'authError' => 'incorrect username or password',
'storage' => 'Memory',
'unauthorizedRedirect' => false
]);
用户表:
public function beforeSave(\Cake\Event\Event $event)
{
$entity = $event->data['entity'];
// Make a password for digest auth.
$entity->password_hash = DigestAuthenticate::password(
$entity->username,
$entity->plain_password,
env('SERVER_NAME')
);
$entity->created = Time::now();
return true;
}
public function findAuth(\Cake\ORM\Query $query, array $options)
{
$query
->select(['id', 'username', 'password_hash']);
return $query;
}
编辑:从实体中删除了代码
我决定深入研究 digest getuser 函数 (Function code) 并将一些数据输出到我未经授权的页面,这样我就可以看到发生了什么。
$Password: 8a3575d301f04f08dd461f93e3d55a21
$digest[username]: James
$digest['response']: 4fa261678c753da8e78e4bf98057fd72
$hash: a627c3e68061937e454c321d55e986d3
$request->env('ORIGINAL_REQUEST_METHOD'): GET
只需从实体中删除 _setPassword 函数。密码将被散列,稍后将在 DigestAuthentication 上使用此散列,而不是所需的明文。
我还会重构并从 beforeSave 中删除密码创建并将其放入类似于您现在对 passwordHasher 所做的操作的实体...
请记住,在这种情况下,您需要更新 _setUsername 和 _setPassword 上的摘要!
好吧,事实证明我犯了一个非常愚蠢的错误!
变化:
$entity->password_hash = DigestAuthenticate::password(
$entity->username,
$entity->password_hash, // was plain_password which was not in my model!
env('SERVER_NAME')
);
我试图通过 cakephp 3 使用摘要式身份验证来构建可扩展的系统。仅在需要时要求客户端输入密码,但输入的详细信息不允许访问,而是再次弹出请求凭据的对话框。非常感谢任何建议或帮助!
AppController::initialize()
$this->loadComponent('Auth', [
'authenticate' => [
'Digest' => [
'fields' => ['username' => 'username', 'password' => 'password_hash'],
'userModel' => 'Users',
'finder' => 'auth'
],
],
'authError' => 'incorrect username or password',
'storage' => 'Memory',
'unauthorizedRedirect' => false
]);
用户表:
public function beforeSave(\Cake\Event\Event $event)
{
$entity = $event->data['entity'];
// Make a password for digest auth.
$entity->password_hash = DigestAuthenticate::password(
$entity->username,
$entity->plain_password,
env('SERVER_NAME')
);
$entity->created = Time::now();
return true;
}
public function findAuth(\Cake\ORM\Query $query, array $options)
{
$query
->select(['id', 'username', 'password_hash']);
return $query;
}
编辑:从实体中删除了代码
我决定深入研究 digest getuser 函数 (Function code) 并将一些数据输出到我未经授权的页面,这样我就可以看到发生了什么。
$Password: 8a3575d301f04f08dd461f93e3d55a21
$digest[username]: James
$digest['response']: 4fa261678c753da8e78e4bf98057fd72
$hash: a627c3e68061937e454c321d55e986d3
$request->env('ORIGINAL_REQUEST_METHOD'): GET
只需从实体中删除 _setPassword 函数。密码将被散列,稍后将在 DigestAuthentication 上使用此散列,而不是所需的明文。
我还会重构并从 beforeSave 中删除密码创建并将其放入类似于您现在对 passwordHasher 所做的操作的实体... 请记住,在这种情况下,您需要更新 _setUsername 和 _setPassword 上的摘要!
好吧,事实证明我犯了一个非常愚蠢的错误! 变化:
$entity->password_hash = DigestAuthenticate::password(
$entity->username,
$entity->password_hash, // was plain_password which was not in my model!
env('SERVER_NAME')
);