-rw-r--r-- | config/ampache.cfg.php.dist | 7 | ||||
-rw-r--r-- | lib/class/vauth.class.php | 40 | ||||
-rw-r--r-- | lib/init.php | 19 | ||||
-rw-r--r-- | login.php | 18 | ||||
-rw-r--r-- | logout.php | 3 |
5 files changed, 57 insertions, 30 deletions
diff --git a/config/ampache.cfg.php.dist b/config/ampache.cfg.php.dist index 851859c9..1d0339f0 100644 --- a/config/ampache.cfg.php.dist +++ b/config/ampache.cfg.php.dist @@ -82,9 +82,14 @@ session_cookiesecure = 0 ; to use and in which order, if auto_create isn't enabled ; The user must exist locally. Local method uses PHP's PAM Auth module ; DEFAULT: mysql -; VALUES: mysql,ldap,http,local +; VALUES: mysql,ldap,http,local,null auth_methods = "mysql" +; Logout redirection target +; Defaults to our own login.php, but we can override it here if, for instance, +; we want to redirect to an SSO provider instead. +; logout_redirect = "http://sso.example.com/logout" + ;##################### ; Program Settings # ;##################### diff --git a/lib/class/vauth.class.php b/lib/class/vauth.class.php index eac87a3c..b4a4b77e 100644 --- a/lib/class/vauth.class.php +++ b/lib/class/vauth.class.php @@ -152,13 +152,19 @@ class vauth { * This is the function used for the Ajax logouts, if no id is passed * it tries to find one from the session */ - public static function logout($key='') { + public static function logout($key='',$relogin=true) { // If no key is passed try to find the session id $key = $key ? $key : session_id(); // Nuke the cookie before all else self::destroy($key); + if ((! $relogin) && Config::get('logout_redirect')) { + $target = Config::get('logout_redirect'); + } + else { + $target = Config::get('web_path') . '/login.php'; + } // Do a quick check to see if this is an AJAX'd logout request // if so use the iframe to redirect @@ -174,7 +180,6 @@ class vauth { header("Cache-Control: no-store, no-cache, must-revalidate"); header("Pragma: no-cache"); - $target = Config::get('web_path') . '/login.php'; $results['rfc3514'] = '<script type="text/javascript">reload_logout("'.$target.'")</script>'; echo xml_from_array($results); } 
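Review bot: The `VALUES` line now advertises `null` as an auth method with no warning beside it, although the `null_auth` docblock added in lib/class/vauth.class.php says it lets you log in with an arbitrary username. An administrator reading only this template cannot tell that adding `null` to `auth_methods` removes the credential check, so I would add a comment such as `; null performs NO credential check (any username is accepted); use only behind trusted external access control`. The `logout_redirect` example could also use an `https://` URL so the template does not suggest a cleartext SSO endpoint.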
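Review bot: `$target` can now come from the `logout_redirect` setting, but it is still concatenated unescaped into the JavaScript string in `reload_logout("'.$target.'")` (a context line of the next hunk) and into the `Location:` header in the hunk after that. A configured URL containing a double quote, `</script>` or a line break would break the script or the header; the value is admin-controlled, so this is hardening rather than an open hole. I would build the script argument as `'reload_logout(' . json_encode($target) . ')'` and reject a `logout_redirect` that is not a single-line absolute http(s) URL when it is read. The docblock above `logout()` also does not describe the new `$relogin` parameter; a line such as `@param bool $relogin false sends the user to logout_redirect when it is configured` would cover it. The function body continues outside this hunk.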
@@ -182,7 +187,7 @@ class vauth { /* Redirect them to the login page */ if (AJAX_INCLUDE != '1') { - header ('Location: ' . Config::get('web_path') . '/login.php'); + header('Location: ' . $target); } exit; @@ -673,20 +678,39 @@ class vauth { /** * http_auth * This auth method relies on HTTP auth from Apache - * This is not a very secure method of authentication - * and defaults to off. */ - public static function http_auth($username) { - + private static function http_auth($username) { + if (($_SERVER['REMOTE_USER'] == $username) || + ($_SERVER['HTTP_REMOTE_USER'] == $username)) { $results['success'] = true; $results['type'] = 'http'; $results['username'] = $username; $results['name'] = $username; $results['email'] = ''; + } + else { + $results['success'] = false; + $results['error'] = "HTTP auth: REMOTE_USER not set"; + } return $results; - } // http_auth + /** + * null_auth + * This is the equivalent of the old http_auth and assumes that if you + * can access the page, you're a trusted user. + * This is not a very secure method of authentication, since it allows + * you to log in with an arbitrary username. + */ + private static function null_auth($username) { + $results['success'] = true; + $results['type'] = 'null'; + $results['username'] = $username; + $results['name'] = $username; + $results['email'] = ''; + return $results; + } // null_auth + } // end of vauth class ?> diff --git a/lib/init.php b/lib/init.php index 3405a754..9adc0e86 100644 --- a/lib/init.php +++ b/lib/init.php @@ -1,4 +1,5 @@ <?php +/* vim:set tabstop=8 softtabstop=8 shiftwidth=8 noexpandtab: */ /* Copyright (c) Ampache.org 
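Review bot: `http_auth()` accepts a match on `$_SERVER['HTTP_REMOTE_USER']`, which PHP fills from a `Remote-User` request header, so unless a front-end proxy always overwrites or strips that header the client chooses the value and the check gives no more assurance than `null_auth()`. The same variable is used as the username source in the later login hunks, in which case this comparison checks the header against itself. I would trust only `REMOTE_USER` by default and make the header fallback an explicit opt-in setting documented as requiring a sanitising proxy. The comparison also uses loose `==` on possibly unset indexes, so an empty `$username` equals an unset `REMOTE_USER`; `if (!empty($_SERVER['REMOTE_USER']) && $_SERVER['REMOTE_USER'] === $username)` avoids that. The error text `REMOTE_USER not set` is also returned on a mismatch and should say so.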
@@ -179,24 +180,6 @@ set_memory_limit($results['memory_limit']); /**** END Set PHP Vars ****/ -/* We have to check for HTTP Auth, only run this if we don't have an ampache session cookie */ -$session_name = Config::get('session_name'); -if (in_array("http",$results['auth_methods']) AND empty($_COOKIE[$session_name])) { - - $username = scrub_in($_SERVER['PHP_AUTH_USER']); - $results = vauth::http_auth($username); - - // We've found someone or were able to create them, go ahead and generate the session - if ($results['success']) { - vauth::create_cookie(); - vauth::session_create($results); - $session_name = Config::get('session_name'); - $_SESSION['userdata'] = $results; - $_COOKIE[$session_name] = session_id(); - } - -} // end if http auth - // If we want a session if (NO_SESSION != '1' AND Config::get('use_auth')) { /* Verify Their session */ @@ -45,8 +45,11 @@ if (Config::get('access_control')) { /* Clean Auth values */ unset($auth); -/* Check for posted username and password */ -if ($_POST['username'] && $_POST['password']) { +/* Check for posted username and password, or appropriate environment +variable if using HTTP auth */ +if (($_POST['username'] && $_POST['password']) || +(in_array('http',Config::get('auth_methods')) && +($_SERVER['REMOTE_USER'] || $_SERVER['HTTP_REMOTE_USER']))) { if ($_POST['rememberme']) { vauth::create_remember_cookie(); @@ -60,8 +63,19 @@ if ($_POST['username'] && $_POST['password']) { $auth['info']['offset_limit'] = 25; } else { + if ($_POST['username'] && $_POST['password']) { $username = scrub_in($_POST['username']); $password = scrub_in($_POST['password']); + } + else { + if ($_SERVER['REMOTE_USER']) { + $username = $_SERVER['REMOTE_USER']; + } + else if ($_SERVER['HTTP_REMOTE_USER']) { + $username = $_SERVER['HTTP_REMOTE_USER']; + } + $password = ''; + } $auth = vauth::authenticate($username, $password); $user = User::get_from_username($username); 
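Review bot: In the two hunks at `@@ -45,8 +45,11 @@` and `@@ -60,8 +63,19 @@` (apparently login.php; its file header is missing from the page) the username read from `$_SERVER['REMOTE_USER']` or `$_SERVER['HTTP_REMOTE_USER']` goes to `vauth::authenticate()` and `User::get_from_username()` as-is. The POST path, and the init.php block this commit removes, both run the value through `scrub_in()`. For consistency I would write `$username = scrub_in($_SERVER['REMOTE_USER']);` and the same for the fallback. The new condition also reads both `$_SERVER` indexes without `isset()` or `!empty()`, which raises undefined-index notices when neither is set and treats a username of `"0"` as absent. The surrounding if/else starts and ends outside the hunks.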
@@ -1,4 +1,5 @@ <?php +/* vim:set tabstop=8 softtabstop=8 shiftwidth=8 noexpandtab: */ /* Copyright (c) Ampache.org @@ -26,5 +27,5 @@ require_once 'lib/init.php'; // To end a legitimate session, just call logout. -vauth::logout(); +vauth::logout('',false); ?> |