I'm new to Zend and to LDAP, so I've got a real stack overflow...
What I have:
LDAP-server
Apache-server
Zend-application
What I need:
On any page of the app, while the user is not authorized, show Apache's basic-auth prompt.
If the login and password are correct on the LDAP server, then redirect to the index controller.
I've read tons of manuals about Zend_Auth, about authnz_ldap_module, etc., but couldn't solve the given task.
Any help - examples, solutions, links - would be highly appreciated!
AuthType Basic
AuthName "Secure Login"
AuthBasicProvider ldap
AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub"
Add that to your directory directive; this will cover your need for LDAP auth. But you will still need to figure out how to redirect a freshly arriving visitor to index, probably using cookies.
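One way to do the redirect half, as an added example that is not the answerer's code: a Zend Framework 1 front-controller plugin that picks up the identity Apache's LDAP basic auth already verified (REMOTE_USER), stores it in Zend_Auth's session storage, and redirects the visitor to the index controller exactly once. The class name is hypothetical, and it assumes you register it with Zend_Controller_Front::getInstance()->registerPlugin(new My_Plugin_ApacheLdapAuth()) in the bootstrap.

```php
// Added example, not the answerer's code: bridges Apache's LDAP basic auth into
// Zend_Auth and sends a newly verified visitor to the index controller.
// The class name is hypothetical; 'index'/'index' is the target controller/action.
class My_Plugin_ApacheLdapAuth extends Zend_Controller_Plugin_Abstract
{
    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        // mod_authnz_ldap only lets the request reach PHP after a successful
        // challenge, so REMOTE_USER holds the LDAP uid. An empty value means the
        // AuthLDAPURL block does not cover this path: fail closed instead of
        // serving a page the directory server never authenticated.
        $remoteUser = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '';
        if ($remoteUser === '') {
            $this->getResponse()->setHttpResponseCode(403)->setBody('Forbidden')->sendResponse();
            exit;
        }
        $auth = Zend_Auth::getInstance();
        if ($auth->hasIdentity()) {
            return; // identity already recorded in the session: later pages pass through
        }
        // First request after the basic-auth prompt: record the identity Apache
        // verified, then redirect once to the index controller as the question asks.
        $auth->getStorage()->write($remoteUser);
        Zend_Controller_Action_HelperBroker::getStaticHelper('redirector')->gotoSimple('index', 'index');
    }
}
```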
I recently worked through the whole ACL process and am happy with the result. Here's what I implemented:
Extend Zend_ACL and use its constructor to add your roles (including inheritance relationships).
Create an action helper which is loaded in the bootstrap. (You need to load it early so that you can make use of its hooks such as preDispatch).
Edit the init() of each controller that you want to protect and call the new ACL helper, passing in the rules that you want applied to this controller, e.g.: allow('member', 'edit');
The real work is done by the action helper. It has four functions:
init() - Instantiates your new ACL class, then adds a new resource which mirrors the name of the current controller, i.e. $this->_resource = $this->getRequest()->getControllerName().
preDispatch() - Gets the current user type using Zend_Auth (or assigns a default of guest where user is not logged in). Checks if the request is allowed using the ACL, i.e. $this->_acl->isAllowed($currentRole, $resource, $action). Note that the requested action becomes the ACL privilege.
allow() - This just proxies through to the allow() function on the ACL object. It's called by the controller constructor to set the rules in the ACL.
deny() - As for allow.
So, at runtime, the series of events is as follows:
action helper is loaded in the bootstrap. This a) instantiates the custom ACL object, which sets its own roles, then b) adds the current controller name as a resource.
The controller's init() is run. It calls the helper's allow() and deny() methods to set the rules.
The helper's preDispatch() is run, and if !isAllowed(), the user is redirected.
I was auth'ing against a DB, but the same logic would apply if you were using LDAP. (Is Apache's basic auth-prompt the default challenge in this case? If not, that may add an additional complication).
I adapted this from the book by Rob Allen (Zend Framework in Action), and various other sources. Note that some Zend professionals recommend an ACL based on Models (not Controller Actions). I'll give this some thought too down the track.
One particularly handy aspect of the above approach is that it's really easy to maintain ACL rules on an ongoing basis. While you are working on a particular controller you set up its ACL rules in the init().
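The four-method helper described in this answer, written out as an added example (not the answerer's code). Class names, the 'guest'/'member' roles, the 'role' property on the stored identity and the 'auth'/'login' redirect target are hypothetical; the helper is assumed to be registered in the bootstrap with Zend_Controller_Action_HelperBroker::addHelper(new My_Helper_Acl()).

```php
// Added example, not the answerer's code; class names, roles and the login route are hypothetical.
class My_Acl extends Zend_Acl
{
    public function __construct()
    {
        // Roles with inheritance: 'member' inherits every rule granted to 'guest'.
        $this->addRole(new Zend_Acl_Role('guest'))
             ->addRole(new Zend_Acl_Role('member'), 'guest');
    }
}
class My_Helper_Acl extends Zend_Controller_Action_Helper_Abstract
{
    private $_acl;
    private $_resource;
    // Runs before the controller's init(): the current controller becomes a resource.
    public function init()
    {
        $this->_acl      = new My_Acl();
        $this->_resource = $this->getRequest()->getControllerName();
        if (!$this->_acl->has($this->_resource)) {
            $this->_acl->addResource(new Zend_Acl_Resource($this->_resource));
        }
    }
    // Proxies for the controller's init(), e.g. $this->_helper->acl->allow('member', 'edit');
    public function allow($role, $privileges = null)
    {
        $this->_acl->allow($role, $this->_resource, $privileges);
    }
    public function deny($role, $privileges = null)
    {
        $this->_acl->deny($role, $this->_resource, $privileges);
    }
    // Runs after the controller's init(): the requested action is the ACL privilege.
    public function preDispatch()
    {
        $auth = Zend_Auth::getInstance();
        // Anonymous visitors are 'guest'; that the stored identity carries a 'role'
        // property is an assumption about the auth adapter in use.
        $role = $auth->hasIdentity() ? $auth->getIdentity()->role : 'guest';
        try {
            $allowed = $this->_acl->isAllowed($role, $this->_resource, $this->getRequest()->getActionName());
        } catch (Zend_Acl_Exception $e) {
            $allowed = false; // unknown role or resource: fail closed, never leak the exception
        }
        if (!$allowed) {
            $this->getActionController()->getHelper('redirector')->gotoSimple('login', 'auth');
        }
    }
}
```

A controller that declares no rules is therefore denied for every role, which is the safe default when a new controller is added before its ACL rules are written.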
Related
What is the best way to password-protect a folder on IIS with a single set of credentials to be shared by a group of users?
Our hosting service offers Plesk, which in turn offers a "password-protected directory" function, but some of our clients have HTTP authorization disabled, so they get an automatic 401.4 error with no prompt for credentials.
I've looked into Forms authentication but this seems cumbersome to set up for the numerous separate domains at issue.
The protected content is not super sensitive, we just don't want it easily accessible to the public. Many of our users do not use the site frequently and we don't want to implement individual credentialing for everyone (we do have that in place for more sensitive sections) just so they can view current project reports or meeting minutes.
On sites I don't control, but am just a user, that do the same things as mine, it is a big pain to have to look up a username and password twice per year just to view a meeting agenda (yes, browser could remember but they also have a 4-month expiration and lots of us are on different devices all the time).
Is Forms authentication the way to go? It took several hours for me to get it set up and working, with all sorts of settings not well documented in a single place.
(I had previously asked about how to disable Basic Auth on the client side, was told more than once it's not possible - but it is, via client/browser registry keys)
Thanks.
It's perfectly fine to use forms authentication. All you need to do is navigate to the folder or file you want to protect, then go to Authorization Rules. Add a deny rule for anonymous users; when users who are not logged in try to click on any file in that folder, they will be redirected to your login page. You can find a lot of guides on forms authentication on Google; you can refer to the following:
https://learn.microsoft.com/zh-CN/troubleshoot/developer/webapps/aspnet/development/forms-based-authentication
https://learn.microsoft.com/en-us/iis/application-frameworks/building-and-running-aspnet-applications/how-to-take-advantage-of-the-iis-integrated-pipeline
Good morning everyone,
I am developing an app for QNAP which also has a web interface. In my qpkg.conf I set QPKG_WEBUI and QPKG_USE_PROXY, and I can correctly see the web interface inside the QNAP interface once I am logged in. It seems perfectly integrated with the QNAP interface, BUT I can also see it by typing the right URL in my web browser, even if I am not logged in to the QNAP and I have cleared all possible cache/cookies.
I want to give access to my Web interface only to valid users. Unfortunately I do not know how to do it. I tried to write a .htaccess to deploy with my application, but without any success (obviously I can not modify the apache standard configuration, and with the standard configuration I was not able to do it).
The only thing I found, inside the Apache folder, is a pwauth executable that lets me ask for username/password (even if I do not want to ask; I only want to see if the user is ALREADY logged in). Anyway, with the standard Apache configuration the external module is not loaded, so I cannot use pwauth inside the .htaccess. Maybe I could create some custom CGI program that calls it, but I would prefer to avoid a custom solution; I really would like to follow a "standard" way to do it, there should be one.
I would like to know if there is some QNAP variable to set in the qpkg.conf file, or some configuration to set in a .htaccess that does what I want: grant the access only if the user is ALREADY logged in.
Thanks very much to everyone; I could not find anything on Google or in the official documentation.
We are trying to allow our business users to be able to verify a new site's production look and feel as well as to allow a select group of internal users to be able to view new sites that are authored and created in AEM.
One idea is to set up a Launch Page that the general public would see, and for the pilot group, they would set a cookie in their browser to be able to see the pilot site.
We have looked into VHosts settings, but can't spot anything, and are thinking perhaps a conditional pass through rule based on the cookie in the header as being the easiest approach?
Any thoughts would be greatly appreciated.
I'm trying to embed JasperServer into a web application and I like the look and feel of JasperServer's interface as is. I just want to override JasperServer's ACL engine and divert it so it will use my own application's instead.
For starters, if the user is already authenticated in the host web application, JasperServer shouldn't ask for it one more time. Moreover, whenever JasperServer is trying to decide whether or not to show some part of the interface, it should be the host application's ACL data that grants or denies the permission. The same goes for the list of reports one user can use.
Can someone please guide me to the right direction if and how this is possible?
Okay I'm a little confused on how to do this due to the fact that I'm new to Joomla.
I have a site where users need to be logged in to view certain articles. I want restricted articles to basically pick up whether or not the user is logged in; if so, proceed as normal, else display a login/registration form.
I looked at the plugins section and found a "Joomla-Authentication" plugin. Now, how do I use that in an article in the same fashion I use other plugins in articles? i.e. {plugin_name}params{/plugin_name}
NO... You do not need a plugin for this AT ALL.
In Joomla you have "Access Type" for modules/articles/pretty much everything.
Public - Visitors
Registered - logged in users
Special - back-end users
In the Back-End go to Modules and create a new Log-In module. In the access type select "Public".
When you create articles select "Registered Access" this way only signed-in users will see the article.
This will help you. Log in to the admin Back-End (Administrator Screen), go to Help->Joomla Help. In the Alphabetical Index find the following topics:
Module Manager (it explains access types)
Module - New
Article Manager (it explains access types)
Article Manager - New/Edit
I found a solution that works for me. I downloaded and installed JUMI. JUMI is a Joomla extension that allows you to include files such as PHP and then executes the code in those files. Through PHP I check user access and do redirects accordingly.
JUMI can be downloaded here