I'm using Apache "Auth" security to limit access to my web site (via commands in the .htaccess file, an .htpasswd file, etc).
Is there a way to de-authorize a user via my PHP script, effectively giving them a way to log out?
With that type of authentication, the username and password are actually send by the browser on every subsequent request. As there's no way to tell a browser "hey, stop sending those", there is no way to do what you're trying to do.
(If, however, you had a PHP script involved that was handling part of the authentication, you could set a session variable for flagging to ignore the valid authentication and pretend the user is logged out.)
However, in terms of a good solution, there is not one. The user will stay logged in until his or her browser decides to stop sending the headers (usually when the browser is closed).
<?
// this PHP will cause a logout event, and give the login prompt again
$AuthName='WHAT-EVER'; // must match AuthName in .htaccess.
header('HTTP/1.0 401 Unauthorized');
header('Content-type: text/html');
header('WWW-Authenticate: Basic realm="'.$AuthName.'"');
// now redirect them when they click cancel
// should be to a page with no password required.
// use an HTML meta redirect instead of HTTP
// so it runs after the auth is cancelled.
?>
<html><head><meta http-equiv='refresh' content='0;../'></head></html>
Is this what you're looking for?
http://www.php.net/manual/en/features.http-auth.php#99348
Related
We are currently implementing keycloak and we are facing an issue that we are not sure what’s the best way to solve it.
We have different webapps making use of the sso and that’s working fine. The problem we have is when we make log in using the sso in one webapp and then we do the same in a different webapp.
Initially this second webapp does not know which user is coming (and it’s not necessary to be logged in to make use of it). When clicking on “login”, it automatically logs in the user (by making a redirection to keycloak and automatically logging the already logged user in the other webapp). This second logging happens “transparently” to the user, since the redirection to keycloak is very fast and it’s not noticeable. This behaviour is not very user friendly.
The question is: Taking into account that this second webapp can’t know upfront which user is accessing the site (unless actively redirecting to keycloak), is it possible to force always the users to log in for a specific keycloak client? By this I mean actually ask the visitor for user/pw even if keycloak knows already them from other keycloak clients.
Thanks in advance!
In the mail listing from keycloak, they gave me a good solution but for version 4:
in admin console, go to Authentication
make a copy of Browser flow
in this new flow, disable or delete Cookie
go to Clients -> (your client) -> Authentication Flow Overrides, change Browser Flow to your new flow, click Save."
Use logout endpoint as a default login button action in your app and redirect uri param use for login page, where you use your specific client (of course you need proper URI encoding):
https://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=https://auth-server/auth/realms/{realm-name}/protocol/openid-connect/auth?client_id=client_id&redirect_uri=.....&other_params....
=> user will be logged out and then it will be redirected to the login page
I'm attempting to send data to an endpoint over POST and am running into an issue with the page since its protected by apache's htpasswd file. I am willing to have the user login to go to the page, however the issue is that with the ajax request that isnt happening. the login box does not show, so im unable to get it to log in. Im using angular 5 and the HTTPClient from #angular/common/http.
If you take the username and password and use the function btoa() to encode it, then send it off in the authorization header with every get and post, it solves the issue.
example:
header.set("Authorization", "Basic " + btoa("username:password));
Experts,
I have to implement authentication mechanism same as how author instance works. For example, if any user request for any page http:somehost:someport/content/geometrixx/en.html then system should open the page http:somehost:someport/content/geometrixx/en/toolbar/account/login.html and only after successful login sling should redirect to required page.
I looked into Login Selector Authentication Handler and Sling Authentication Service but it seems there is no configuration here. Could you please let me know your thoughts on how to proceed on this? How it will be possible without CUG and how similer mechanism works in Author instance?
Goto http:somehost:someport/useradmin search for anonymous user. click on the anonymous user -> click on permission tab -> remove the read permission on the path that shouldn't be accessible to anonymous users.
If you just want to redirect to the login page if the user is unauthenticated then you will have to do 2 things.
1. Go to /system/console and navigate to the Configuration. Select "Apache Sling Authentication Service". Disable Anonymous access.
2. Go to /libs/cq/security/config.publish/LoginSelectorHandler - Change the login page to the page you want.
Might there be a way to set one's .htaccess file to prompt for authentication each time? Example: I open a browser tab, go to the pw protected url, I'm prompted for a pw. Close the tab (main browser still open) and repeat the above and be prompted for the pw again. This is not happening unless I close the browser. Maybe this is a caching thing?
Here's what I have so far:
AuthType Basic
AuthName "myName"
AuthUserFile "/home/myDir/.htpasswds/public_html/myName/passwd"
require valid-user
Thanks in advance.
Actually it is working this way (simplified):
browser sends request to your server without credentials
Apache responses with 403 error because "require valid-user" was specified
browser prompts for username & password
browser sends request again, this time credentials are provided
Apache verifies credentials against AuthUserFile and sets "valid-user" accordingly
if everything is OK - puts out data with 200 status code
browser that receives 200 code caches used credentials for the relevant domain until browser session expires
As you see - problem lays in browser. You cannot force browser to forget password it uses for a domain. And usually you don't want to - for example if password protected page contains images - browser would require username and password for each downloaded image.
However there are some tips you could try:
you could write your own Apache authorization handler that only authorises user every second time it is accessing the page; but it's hard to do really
you could use some kind of form-based authentication (in script like php or asp.net) instead of relying on http authentication; this way is quite flexible
you could do a trick, that every time a protected page is accessed some kind of script changes the password in passwd file; then provide two passwords for each user and switch them on each request; this way browser always remember "wrong" password; it seems crazy but this is an easiest solution I could think of :-)
Is there a way using Java to over-ride the browser authentication dialog box when a 401 message is received from the web server? I want to know when this dialog is being displayed, and instead of it being given to the user, I fill in the credentials for them.
Overview of application:
i wrote the web server, so essentially i want to stop someone from opening an external browser and putting in the localhost and port to gain access to the data being displayed. my app has an embedded web browser linked to my written server. the browser displays decrypted content, so if i force the auth (even for my embedded browser), an external browser would need credentials. if my embedded browser is trying to access the files, i supply the credentials for the user and display the content
If you don't care about the password showing you can construct the URL so it passes the credentials ex. http://username:password#www.example.com This will by pass the authentication box but will show the user the credentials so also might not be what you are looking for.
SWT 3.5M6 has a new listener within it call AuthenticationListener. It simply listens for authentication event passed from the server and is fired. The code below is what performs the behavior I wanted. It waits for the auth, and if the host is my application, it passes back the credentials. Of course fill in the USER_NAME, PASSWORD and HOST_NAME with appropriate variables. Otherwise it lets the browser auth dialog pop up and makes the user enter the credentials. This code can also be found in the Eclipse SWT snippets page:
webBrowser.addAuthenticationListener(new AuthenticationListener()
{
public void authenticate(AuthenticationEvent event) {
try {
URL url = new URL(event.location);
if (url.getHost().equals(HOST_NAME))
{
event.user = USER_NAME;
event.password = PASSWORD;
}
else
{
/* do nothing, let default prompter run */
}
} catch (MalformedURLException e) {
/* should not happen, let default prompter run */
}
}
});
your question is a bit unclear. The whole basic authentication is based on HTTP Headers.
If the browser gets an authorization header than it displays the dialog. The content from the dialog is then send back to the server. There is nothing special about it. It iser username:password in base64 encoded. Have a look at
wikipedia
The problem is how you want to interfere. You would have to capture the authorization header and then for the next request you have to alter the HTTP header to include the credentials.
hope that helps
I think this is mostly browser-dependent behavior and what the server reports to the browser.
For example, Internet Explorer, being a Microsoft product, directly supports automatic sending of Windows credentials (you can modify this behavior in your Internet Settings) after an anonymous request fails in a 401.
Firefox, for example, does not and will always prompt the user even if it was set to remember the id and password via the password manager. IE will also prompt if auto-login fails (such as your Windows credentials still result in a 401 because you're id isn't allowed).
I don't think, as a web developer, you have much control over this besides setting up your server and app to work in the most expected and harmonious way... if you could, this might get into black hat territory.
If you want to control what is displayed to the user for authentication, you can change the auth-method in the login-config section of the web.xml from BASIC to FORM.
Then you can specify what page should be displayed when the user is authenticating, and, I suppose, pre-fill the credentials for them...but doesn't this defeat the whole purpose of security?
Setting up Authentication for Web Applications
Edit after further details:
My only suggestion would be to change the auth-method to CLIENT-CERT and require two-way SSL, where the client is also required to present a certificate to the server. If you install the certificate into your embedded browser (and make sure external browsers can't get the certificate) then you should be OK. And actually this should stop any authentication dialog from being displayed.