Updated Nov 02, 2009 by evertpot
Labels: Phase-Implementation, Featured
Authentication
Setting up authentication.

Summary

Now that you have your own WebDAV server, you'll probably want to add some security. WebDAV authentication is done using HTTP Basic or Digest authentication (RFC 2617). Although it's not very difficult to roll your own, SabreDAV does come with some tools to make it easy to implement.

Basic Auth

// Including the library
require_once 'Sabre.includes.php';

$u = 'admin';
$p = '1234';

$auth = new Sabre_HTTP_BasicAuth();

$result = $auth->getUserPass();

if (!$result || $result[0]!=$u || $result[1]!=$p) {

    $auth->requireLogin();
    echo "Authentication required\n";
    die();

}

If you execute this code before calling Sabre_DAV_Server::exec(), things should just work.

getUserPass returns an array with 2 values. The first value is the username, the second is the password.

If no username or password were supplied at all, this method will return false.

Basic auth is very simple, but the username and password will be sent in plain text over the wire. Digest auth is therefore recommended instead.

Digest Auth

// Including the library
require_once 'Sabre.includes.php';

$u = 'admin';
$p = '1234';

$auth = new Sabre_HTTP_DigestAuth();
$auth->init();

if ($auth->getUsername() != $u || !$auth->validatePassword($p)) {

    $auth->requireLogin();
    echo "Authentication required\n";
    die();

}

As you can see, the format is slightly different. The client sends a hash derived from the password rather than the password itself, so the server cannot find out what the password was. It can only apply the same hash on the server side and compare the result (hence 'validatePassword').

In this example the server still needs the plain-text password, whether hard-coded or loaded from a database. This is generally considered a bad practice. The better thing to do is to store the hash instead and use the following format:

// Including the library
require_once 'Sabre.includes.php';

$u = 'admin';
$p = '1234';

$realm = 'MyWebdavServer';

$hash = md5($u . ':' . $realm . ':' . $p);

$auth = new Sabre_HTTP_DigestAuth();
$auth->setRealm($realm);
$auth->init();

if ($auth->getUsername() != $u || !$auth->validateA1($hash)) {

    $auth->requireLogin();
    echo "Authentication required\n";
    die();

}
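To make clear what validateA1 is doing with the stored hash, here is an added illustration (written for this page, not SabreDAV's own code) of the RFC 2617 qop=auth computation in Python: the client derives its response from the password, the server recomputes it from nothing but the stored A1 = md5(user:realm:password), and a hash computed for a different realm no longer matches. The nonce, cnonce and URI values are constructed for the demo.

```python
import hashlib
import hmac


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def a1_hash(username, realm, password):
    # The same value the page's PHP stores as $hash; this is all the server keeps.
    return md5hex(f"{username}:{realm}:{password}")


def digest_response(a1, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617, qop=auth: HA2 = MD5(method:uri),
    # response = MD5(HA1:nonce:nc:cnonce:qop:HA2). HA1 is the stored A1.
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{a1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(username, realm, password, method, uri, nonce, nc, cnonce):
    # What a WebDAV client puts in its Authorization: Digest ... response= field.
    return digest_response(a1_hash(username, realm, password), method, uri, nonce, nc, cnonce)


def server_validate(stored_a1_by_user, username, method, uri, nonce, nc, cnonce, response):
    # Server side: look up the stored A1 by the username the client claimed,
    # recompute the expected response and compare in constant time.
    a1 = stored_a1_by_user.get(username)
    if a1 is None:
        return False
    expected = digest_response(a1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed demo values mirroring the page's example.
    realm = "MyWebdavServer"
    users = {"admin": a1_hash("admin", realm, "1234")}
    resp = client_response("admin", realm, "1234", "PROPFIND", "/dav/", "nonce-1", "00000001", "cnonce-1")
    print(server_validate(users, "admin", "PROPFIND", "/dav/", "nonce-1", "00000001", "cnonce-1", resp))
```

Note that the stored hash is bound to the realm: if setRealm() is later given a different value, every stored A1 must be recomputed, which the test below also checks.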

Comment by risto.kowaczewski, Nov 17, 2009

How do I get who is logged-in in my virtual file system? I would like to save this information to database.

Comment by evertpot, Nov 17, 2009

Risto, if you wrote your own classes for your VFS, you should simply pass the username as a constructor, or otherwise.

Please ask followup questions on the mailing list
