我尝试使用cakephp 3进行摘要式身份验证,以构建可扩展的系统。只在需要时才要求客户端输入密码,但输入的详细信息不允许访问,而是会再次弹出请求凭据的对话框。非常感谢任何建议或帮助!
AppController的::初始化()
$this->loadComponent('Auth', [
'authenticate' => [
'Digest' => [
'fields' => ['username' => 'username', 'password' => 'password_hash'],
'userModel' => 'Users',
'finder' => 'auth'
],
],
'authError' => 'incorrect username or password',
'storage' => 'Memory',
'unauthorizedRedirect' => false
]);
UsersTable:
public function beforeSave(\Cake\Event\Event $event)
{
$entity = $event->data['entity'];
// Make a password for digest auth.
$entity->password_hash = DigestAuthenticate::password(
$entity->username,
$entity->plain_password,
env('SERVER_NAME')
);
$entity->created = Time::now();
return true;
}
public function findAuth(\Cake\ORM\Query $query, array $options)
{
$query
->select(['id', 'username', 'password_hash']);
return $query;
}
编辑:从实体中移除代码
我决定深入研究摘要getuser函数(Function code)并将一些数据输出到我未经授权的页面中,这样我就能看到最新情况。
$Password: 8a3575d301f04f08dd461f93e3d55a21
$digest[username]: James
$digest['response']: 4fa261678c753da8e78e4bf98057fd72
$hash: a627c3e68061937e454c321d55e986d3
$request->env('ORIGINAL_REQUEST_METHOD'): GET
答案 0 :(得分:1)
只需从实体中删除_setPassword函数即可。密码将被哈希,稍后将在DigestAuthentication上使用此哈希,而不是所需的明文。
我还要重构并从beforeSave中删除密码创建并将其放到实体上,类似于你现在使用passwordHasher所做的... 请注意,在这种情况下,您需要更新_setUsername 和 _setPassword上的摘要!
答案 1 :(得分:1)
好的,事实证明我犯了一个非常愚蠢的错误! 变化:
$entity->password_hash = DigestAuthenticate::password(
$entity->username,
$entity->password_hash, // was plain_password which was not in my model!
env('SERVER_NAME')
);