1

Topic: Apache HTTP authentication and search-all-tables features

Continuing on from http://www.bioinformatics.org/phplabware/forum/viewtopic.php?id=192 (sorry about posting in the wrong place), I forgot I was already in a subject.

Regarding #2, I did not consider having Apache authentication in LabStoRe per se because Apache authentication is a generic method that can be used for any web site/sub-site and does not depend on the specific type of PHP application being run at that site.

OK, so are you saying that it's possible to have someone log in with Apache authentication and have that auth/session be understood by LabStoRe as a LabStoRe normal or admin user with the current LabStoRe code? If so, I can't figure out how to enable this without hacking check_login.php. Yes, I can enable Apache authentication and have it use our LDAP as the authentication backend rather than plain htpasswd files, but if I set enable_authentication to 1, enable_admin_authentication to 1, and all_see_tables to "no", I still get the LabStoRe login prompt. For example, if I log in with "user1" through Apache auth, and "user1" exists in the LabStoRe database as a normal or admin current user, I don't want it to ask the user for a login and password again, which it currently does.

Regarding #1, it should not be difficult to implement, and I can do it, as long as one is okay with simple queries and results with no sorting, etc. Because each table has its own column-types, etc., getting more complex query forms and result tables rendered for matching records coming from different tables will require more coding and testing which unfortunately I don't have time for.

That would be fine.

2

Re: Apache HTTP authentication and search-all-tables features

Sorry, I did not fully understand the first point. Thanks for clarifying it. It should be relatively simple to implement but it would be great if you already have some code and would like to share.

3

Re: Apache HTTP authentication and search-all-tables features

For identifying the user from HTTP authentication credentials, the following should work, though I haven't tested it. Line numbers are for LabStoRe version 1.5.4. It is assumed that the HTTP authentication mechanism is set (through a .htaccess file, etc.).

(1) Edit file config.php by adding below line 122

// Enable identifying user from HTTP authentication (0|1). If 1, identify user (i.e., username) from $_SERVER['PHP_AUTH_USER']
$enable_id_from_http_authentication = 0;

This makes this feature optional.


(2) Edit file interface_creator/login.php by adding below line 140

( !$enable_id_from_http_authentication or empty($_SERVER['PHP_AUTH_USER']) ) and

Now if LabStoRe sees a username in the HTTP authentication credentials, it will not show a login form.

Additionally, below line 154, add

elseif($enable_id_from_http_authentication and !empty($_SERVER['PHP_AUTH_USER'])){
    $_SESSION['logged_user_infos_ar'] = get_user_infos_ar_from_username_password($_SERVER['PHP_AUTH_USER'], '', 'onlyid');
}

With this change, LabStoRe will take the user name from the HTTP authentication credentials to check against its own user database. Note that it does not care about the password because this functionality is not to authenticate the identity of the user. The final code modification, below, is needed for this to work.


(3) Edit file interface_creator/business_logic.php by replacing line 54 with

".$quote.$users_table_user_type_field.$quote." FROM ".$quote.$users_table_name.$quote." WHERE ".$quote.$users_table_username_field.$quote." = '".$username_user. ($md5_or_not == 'onlyid' ? "'" : "' AND ".$quote.$users_table_password_field.$quote." = '".$password_user."'");
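
The same lookup as an added example, not LabStoRe's code and not from the posts above: it reads the name from REMOTE_USER, which Apache sets only after its own authentication succeeds (PHP_AUTH_USER is filled from the request's Authorization header), and binds it as a query parameter. The `users` table, its columns and the function name are constructed for illustration, and the pdo_sqlite extension is assumed.

```php
<?php
// Added example, not LabStoRe code. Table and column names are constructed.
declare(strict_types=1);

/**
 * Return the application's user record for the name the web server
 * authenticated, or null when the feature is off, the server did not
 * authenticate the request, or the name is unknown to the application.
 */
function user_from_http_auth(PDO $db, array $server, bool $enabled): ?array
{
    if (!$enabled) {
        return null;
    }
    // Only REMOTE_USER is consulted: it is present once Apache's own
    // authentication check for this path has succeeded.
    $name = $server['REMOTE_USER'] ?? '';
    if ($name === '') {
        return null;
    }
    // Bound parameter: the user name never becomes part of the SQL text.
    $stmt = $db->prepare(
        'SELECT id, username, user_type FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, user_type TEXT)');
$db->exec("INSERT INTO users (username, user_type) VALUES ('user1', 'normal'), ('admin1', 'admin')");

// Constructed $_SERVER snapshots, one per situation.
$cases = [
    'known user'     => ['REMOTE_USER' => 'user1'],
    'unknown user'   => ['REMOTE_USER' => 'guest'],
    'quote in name'  => ['REMOTE_USER' => "o'brien"],
    'no server auth' => ['PHP_AUTH_USER' => 'admin1'],
];
foreach ($cases as $label => $server) {
    $user = user_from_http_auth($db, $server, true);
    $shown = $user ? $user['username'] . ' (' . $user['user_type'] . ')' : 'show login form';
    printf("%-15s => %s\n", $label, $shown);
}
```

Only the first case resolves to a user; the other three fall through to the normal login form, including the request that carries a user name Apache never verified.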