We have eZPublish 5. The authentication is handled by User kernel module kernel/user/login.php. This PHP script is called when trying to access a siteaccess which requires authentication.
Example scenario:
When trying to access http://example.com/marketing
it redirects me (when not logged in) to http://example.com/marketing/user/login
Which is expected behaviour.
What I would like to achieve is to rewrite the kernel/user/login.php file and preferably keep the url the same (this is not mandatory).
I need to do this because I need to integrate Duo Security Multifactor Authentication, so I need to handle the logging in in a custom way.
So on the first page I need to display the login form, then when it is submitted I need to verify if credentials are correct (but not log in the user at this phase) then I need to return another view where an iframe is present for the second authentication, and when the second authentication is successful only after that I can login the user and redirect him/her to the desired page.
Is there any way how to do this? I tried to create an extension with a module user and view login.php but it doesn't worked - the User kernel login.php is executed always when http://example.com/marketing/user/login is hit.
I am trying to do this for several days now but no luck and I'm out of ideas.
Thanks in advance for any help.
Welcome to the eZ Community!
What you want / need is both possible and quite simple to implement :)
First based on your description I recommend the following:
https://github.com/brookinsconsulting/bckernelmoduleoverride
Note: We forgot to package and release this extension some time ago but have been using it as part of our open source ezpedia.org code base. We thank you for reminding us and prompting us to package the code for individual usage.
Concerning double authentication we did something similar but actually quite different with this solution:
https://github.com/brookinsconsulting/bcconfirmpassword
Now code sharing aside. You may want to first study the login handler system which provides for many forms of custom user authentication system. https://en.ezpedia.org/en/ez/login_handler
Yet from your description and some intuition on our part it truly sounds like without more information that you very well do need to both override the default user/login module view (what we call a kernel module view copy override; copy the default module and customize the code within an extension module). We have done this -a lot- for special customer use cases and it's not very hard.
Most of the time the hard part is getting all the module and module view identifiers to not conflict once within an module extension and we think that will be less of a problem for you if you simply use / leverage the bckernelmoduleoverride extension which provides for using default kernel modules and module views customized within a module view extension.
Please feel free to ask further questions or share more information about your custom authentication system your trying to integrate. Frames in this day and age sounds like a painful system to be required to implement for a secondary authentication system.
We hope this helps!
Note: This thread is cross posted from: http://share.ez.no/forums/ez-publish-5-platform/ezpublish-5-custom-user-authentication-multifactor
Related
Is possible to write a hook for MediaWiki using php to login with a particular user name and password when a certain event takes place? I looked through the MediaWiki api and it seems that $wgUser has only a logout function and does not have a login function.
It is indeed possible to log in to a wiki using a particular user name and password--that is essentially what every authentication extension does. There is a whole page of the Mediawiki API dedicated to login functionality, and there is also documentation of the AuthPlugin class, which provides an interface for Mediawiki authentication and login plugins.
If you're looking for code samples for logging into a wiki, there are php examples on the API:Login page, and you could also have a look at the extensions in the authentication and login category on Mediawiki.org.
Re: $wgUser: login is handled by $wgUser's new methods -- newFromId, newFromName, newFromConfirmationCode, etc. These functions create a new User object, which contains data and functionality specific to the account, every time someone logs into their account on the wiki. There is a different set of functions for creating new accounts.
I am working on a module to access certain information via REST for an expression engine backend (control panel).
I have worked out the REST function and delivery of the information, that works and tested.
Currently one of my module control panels has several functions that return a set of information while I am logged in and I pass in the session ID along with the request.
However, outside the session I cannot access the API because it redirects me to login instead. I am seeking to bypass the classic authentication for certain controller functions and replace it with a API token based authentication which would be passed with the web request.
I've tried searching how to disable authentication for certain pages in the backend, but haven't been able to find anything. If anyone can point in the right direction it would be very helpful.
Take a look at module actions. These are the URLs that look like /?ACT=123 where 123 refers to a specific module and method in that module. These URLs don't have any authentication required to be hit. You control what authentication you want for the methods.
Stephen Lewis has a nice article about this on his blog (the EE dev docs don't explain actions well, if at all). http://experienceinternet.co.uk/blog/a-brief-introduction-to-expressionengine-actions/
I can personally vouch for this approach with using APIs because our team built a CRUD Rest API for ExpressionEngine that uses these "action" URLs.
hi I am developing custom component in joomla 1.7 I want to restrict user task based on user groups. I have created table and saved all the controller names and tasks and saved the permissions for the previous tasks with user group id. In central com_component.php file I check the user permissions and authorized the taks with controller. This is working really well. What I want to know is can I use addACL() or authorized() functions to do this which is I really don't understand correctly. Bcoz Here I want use both controller and task together.
Developing a component with the Access Control List is described on Joomla! documentations in detail (link). I think the first thing to do is follow the instructions described there. There is even sample code that you can download and use.
The plugin 'GroupJive' for the Community Builder component has ways to do what you are looking for. I would look to that project at least for a guideline. I will be digging into a similar challenge this weekend and if I find code without the need for the component I will let you know.
I'm having a hard time understanding how the CakePHP admin system works.
Should all controllers who has an action which requires login include AuthComponent or just the one who handles the login/logout?
Let's say I want to protect the add action of a controller. First I create admin_add() in the controller and then in the beforeFilter() method I check if $this->Session->check('Auth.User') is set a redirect based on this? Turns out it was better to just controll this with $this->Auth->allow()
What is the easiest way to return to the URL the user was trying to access? Is there a better way than setting a session variable? Turns out it does this automagically :)
If someone has a good tutorial for this I would happily read it :)
I've already read this tutorial but I found it to be a little to basic and the CakePHP-docs are not that great on this topic either.
There is no Cake admin system as such. There is Authentication component and there is Access Control List component. You can use only Authentication component if you wish or you can use both of them. If you want to create your admin system from scratch follow this tutorial. Or you can try already created admin panel - PoundCake Control Panel.
we have created an admin system for cakePHP, works similar to the scaffolding but it's configurable and ready to deploy, check it at http://browniephp.org
You can learn a lot from others codes, specially something like CakePHP Admin plugin at: https://github.com/Maldicore/Admin
I am developing the ability for administrators to log in and I'm to the point of creating the admin log-in page, but I'm somewhat torn as to where the best place to put it.
For details, this is part of an MVC framework, and the administration portion is in it's own folder - /admin; so administration is completely separate from the public portion of the site.
I would like to place the actual log-in page in its own php file for security by separating it from the rest of the site. That way if they bust one, they don't bust all. However, then you get to the point of processing the log-in request - should it be in the same PHP file as the log-in, or should it reside in another file, or should all of this just be part of the framework?
Any suggestions would be much appreciated.
EDIT: just for some clarification, this is my first time creating any sort of user system, so please bear with me :) (Any good tutorial/example links are greatly appreciated too).The admin portion of the site is in it's own folder but uses the same base files, classes, etc as the front end - the files are only overwritten in the admin portion as needed. Also, an 'admin' is just a certain user type - roles and permissions have already been figured out.
I'm just having a hard time starting - particularly where to implement/put the login form. I thought it would be best for security to have a physically separate file for login, but I see that might not be the case.
I agree with the rest of the posts, Admin should be in the same work-flow. Here is a good example to reference.
Using the same login system for both admin and users will enable you to simplify your application. First off, you'll only need to create one login form. Secondly, if the admin section is part of the same codebase, you'll gain a huge benefit from being able to access all of the classes used throughout the site. If you used an MVC architecture, you'll probably want to use the same models in the admin as you do on the site. Even if you didn't, there is probably still a lot of code you can reuse for the admin section (base classes, database abstraction layer, shared settings/configuration, etc).
IMHO, Admin should login through the same form as regular user, but permissions should allow him to view additional content.
You can place admin forms in any folder, and then allow admin to access it.
I think the admin user should just be another class of user (or be an option for a normal user). Take note that there's slightly more chance of granting access to a normal user by mistake with this approach.