Authentication
Setting up authentication.

Summary

Now you have your own WebDAV server, you'll probably want to add some security. WebDAV authentication is done using HTTP Basic or Digest authentication (RFC 2617). Although it's not very difficult to roll your own, SabreDAV does come with some tools to make it easy to implement.

Basic Auth

    // Including the library
    require_once 'Sabre.includes.php';

    // The single account this example accepts
    $u = 'admin';
    $p = '1234';

    $auth = new Sabre_HTTP_BasicAuth();

    // getUserPass() returns array(username, password), or false when the
    // client sent no credentials at all.
    $result = $auth->getUserPass();

    // Strict comparison (!==): PHP's loose != treats numeric-looking strings
    // such as '1234' and '1234.0' as equal.
    if (!$result || $result[0] !== $u || $result[1] !== $p) {
        // Sends the 401 status and the WWW-Authenticate header
        $auth->requireLogin();
        echo "Authentication required\n";
        die();
    }

If you execute this code before calling Sabre_DAV_Server::exec(), things should just work. getUserPass returns an array with 2 values. The first value is the username, the second is the password. If no username or password were supplied at all, this method will return false.

Basic auth is very simple, but the username and password will be sent in plain text over the wire. Digest auth is therefore recommended instead.

Digest Auth

    // Including the library
    require_once 'Sabre.includes.php';

    $u = 'admin';
    $p = '1234';

    $auth = new Sabre_HTTP_DigestAuth();

    // Parses the Authorization: Digest header sent by the client
    $auth->init();

    // The client never sends the password itself, only a hash derived from it,
    // so the server recomputes the hash from $p and compares.
    if ($auth->getUsername() !== $u || !$auth->validatePassword($p)) {
        $auth->requireLogin();
        echo "Authentication required\n";
        die();
    }

As you can see the format is slightly different. The client actually generates a hash based on the password. This means we cannot find out what the password was. We can only apply the same hash on the server and compare the result (hence 'validatePassword'). With this approach, however, the plain-text password still has to be stored on the server or in a database, which is generally considered a bad practice. The better thing to do is to store the hash instead and use the following format:

    // Including the library
    require_once 'Sabre.includes.php';

    $u = 'admin';
    $p = '1234';
    $realm = 'MyWebdavServer';

    // RFC 2617 'A1' hash: md5(username:realm:password). Only this value needs
    // to be stored. It is bound to the realm, so the realm string must not
    // change once hashes have been stored.
    $hash = md5($u . ':' . $realm . ':' . $p);

    $auth = new Sabre_HTTP_DigestAuth();
    $auth->setRealm($realm);
    $auth->init();

    // validateA1() compares against the stored hash; the password is not needed.
    if ($auth->getUsername() !== $u || !$auth->validateA1($hash)) {
        $auth->requireLogin();
        echo "Authentication required\n";
        die();
    }
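To make concrete what a check like validateA1() does, here is an added example (not SabreDAV code) in Python that verifies an RFC 2617 Digest Authorization header against a stored A1 hash like the $hash computed above, so the server never holds the plain-text password. The account, nonce bookkeeping and the client-side helper are constructed for illustration; the header and hash layout follow RFC 2617 with qop=auth.

```python
import hashlib
import hmac
import re

# Constructed sample: the page's admin / 1234 account in realm MyWebdavServer,
# stored only as A1 = md5(username:realm:password), never as the password.
REALM = "MyWebdavServer"
STORED_A1 = {"admin": hashlib.md5(b"admin:MyWebdavServer:1234").hexdigest()}

_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_header(header):
    """Split 'Digest k="v", k2=v2, ...' into a dict; None if not a Digest header."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def digest_response(a1, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """RFC 2617 response hash: A2 = md5(method:uri), mixed with A1 and the nonce."""
    a2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    if qop == "auth":
        unhashed = f"{a1}:{nonce}:{nc}:{cnonce}:{qop}:{a2}"
    else:  # legacy RFC 2069 form without qop
        unhashed = f"{a1}:{nonce}:{a2}"
    return hashlib.md5(unhashed.encode()).hexdigest()


def verify_digest(header, method, issued_nonces):
    """Return the authenticated username, or None. issued_nonces: nonces this server handed out."""
    p = parse_digest_header(header)
    if p is None or any(k not in p for k in ("username", "realm", "nonce", "uri", "response")):
        return None
    if p["realm"] != REALM or p["nonce"] not in issued_nonces:  # foreign or replayed nonce
        return None
    qop = p.get("qop")
    if qop not in (None, "auth") or (qop == "auth" and not all(k in p for k in ("nc", "cnonce"))):
        return None
    a1 = STORED_A1.get(p["username"])
    if a1 is None:
        return None
    expected = digest_response(a1, method, p["uri"], p["nonce"], p.get("nc"), p.get("cnonce"), qop)
    # Constant-time compare so the response check does not leak via timing
    return p["username"] if hmac.compare_digest(expected, p["response"]) else None


def build_client_header(username, password, method, uri, nonce, cnonce="0a4f113b", nc="00000001"):
    """Constructed client side: derives A1 from the password it knows and emits the header."""
    a1 = hashlib.md5(f"{username}:{REALM}:{password}".encode()).hexdigest()
    resp = digest_response(a1, method, uri, nonce, nc, cnonce, "auth")
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')
```

Note that the request method is part of A2, so a response captured for a PROPFIND cannot be replayed for a different method, and a nonce the server did not issue is rejected before any hashing happens.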
How do I find out who is logged in to my virtual file system? I would like to save this information to a database.
Risto, if you wrote your own classes for your VFS, you should simply pass the username in as a constructor argument, or otherwise.
Please ask followup questions on the mailing list