How to Bypass Authentication

All of our servers are accessed through a proxy server that does our authentication globally. When the request is passed through to our server, the login, full name, and login date/time are available via the Apache environment. The password they used is not available. So I just want to use that information. And probably completely remove the login and logout views. I figure it all revolves around the UserIdentity.php file, based on what I have read so far. But I haven’t seen anyone doing this. Any help is greatly appreciated.

Is anyone there?

I have read Larry Ullman’s articles on custom authentication. But they will still assume the use of a login page, and just changing what source the user is authenticated against. I would like to have a user table, so that they are allowed to use my system if their login (pre-authenticated by the proxy servers) exists in my user table. Nothing else.

So it looks like the UserIdentity file is used by that whole process starting with the login view. I don’t think any changes in that file will accomplish what I want.

So your web server with the Yii application you’re developing is different from your proxy server, correct? The proxy server can somehow append the user’s credentials to a request made to the Yii server as the connection passes through the proxy server? Where would that information be accessible in the request - POST/GET variables? I’m not really familiar with this setup, but it seems like people might need more information to help you.

Yes, the authenticating proxy server is a completely separate system. It passes the login and name via cookies and HTTP headers. So I can get access to it via apache_getenv('login') and apache_getenv('fullname'). It is not possible for our users to directly reach this web server, so I can trust they have already been properly authenticated.

I am thinking about redefining the restoreFromCookie method in the CWebUser class, so that it will recognize this information just as it would a cookie. Not sure how to without hacking the framework itself. I could extend the class, but then I would still have to change references to that class all over the place.

Leave the login action, because you will need it to handle setting up the user context. You will also need a UserIdentity that only looks for the username.




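class EnvIdentity extends CUserIdentity {
	private $uid;

	public function authenticate() {
		// Assumption: a User ActiveRecord model whose 'login' column holds
		// the name supplied by the proxy; adjust to your own user table.
		$user = User::model()->findByAttributes( array( 'login' => $this->username ) );
		if( $user !== null ) {
			$this->uid = $user->id;
			$this->errorCode = self::ERROR_NONE;
		} else {
			$this->errorCode = self::ERROR_USERNAME_INVALID;
		}
		return !$this->errorCode;
	}

	public function getId() {
		return $this->uid;
	}
}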



Then your login action should be something like this:




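public function actionLogin() {
	// Read the name the proxy placed in the Apache environment. The variable
	// name depends on the proxy setup (in this thread it is exposed as 'login').
	$username = apache_getenv( 'username' );
	$identity = new EnvIdentity( $username, null );
	// apache_getenv() returns false when the variable is missing.
	if( $username && $identity->authenticate() ) {
		Yii::app()->user->login( $identity, 0 );
		$this->redirect( Yii::app()->user->returnUrl );
	} else {
		throw new CHttpException( 403, 'Access Denied' );
	}
}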



The flow will be like this:

When some part of the application needs the user logged in, the browser will be redirected to the ‘login’ action. This action will look for ‘username’ in the environment and pass it to the Identity. The Identity checks if the username is correct and maps it to a userid (if necessary). If the identity says the username is ok, the user is logged in and redirected to the previous page (the browser does those redirections without showing any other page to the user). If the username is incorrect, an exception is thrown.
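
An added example, not part of the posts above: the flow logs the user in once, so the application session can outlive or diverge from the identity the proxy supplies on later requests. This plain-PHP sketch shows the per-request decision a controller filter could make; the function name, the proxy address and the sample users are all assumptions constructed for illustration.

```php
<?php
// Added example, not code from the thread; every name here is hypothetical.

/**
 * Decide how to treat one request that carries a proxy-supplied login.
 * Returns 'deny', 'keep' (session already belongs to this login) or
 * 'login' (start a session, or replace one that belongs to someone else).
 */
function proxyAuthDecision($peerIp, array $trustedProxies, $proxyLogin, $sessionLogin, $isKnownUser)
{
    // The environment value is only trustworthy if the proxy made the connection.
    if (!in_array($peerIp, $trustedProxies, true)) {
        return 'deny';
    }
    // apache_getenv() returns false when the variable is not set.
    if (!is_string($proxyLogin) || trim($proxyLogin) === '') {
        return 'deny';
    }
    // The login must exist in the application's own user table.
    if (!call_user_func($isKnownUser, $proxyLogin)) {
        return 'deny';
    }
    // A session created for a different login is stale and must be replaced.
    return ($sessionLogin === $proxyLogin) ? 'keep' : 'login';
}

// Constructed sample data standing in for the proxy address and the user table.
$proxies = array('10.0.0.5');
$users = array('alice', 'bob');
$isKnownUser = function ($login) use ($users) {
    return in_array($login, $users, true);
};

// Each case: connecting address, login from the environment, login in the session.
$cases = array(
    array('10.0.0.5', 'alice', null),      // first request through the proxy
    array('10.0.0.5', 'alice', 'alice'),   // session already matches
    array('10.0.0.5', 'bob', 'alice'),     // proxy user changed mid-session
    array('10.0.0.5', 'mallory', null),    // login not in the user table
    array('10.0.0.5', false, 'alice'),     // environment variable missing
    array('192.0.2.44', 'alice', null),    // connection did not come from the proxy
);
foreach ($cases as $case) {
    list($ip, $login, $session) = $case;
    $decision = proxyAuthDecision($ip, $proxies, $login, $session, $isKnownUser);
    echo var_export($login, true), ' via ', $ip, ' => ', $decision, "\n";
}
```

In the Yii application, a controller filter could call this with Yii::app()->request->userHostAddress, the apache_getenv() value and the login stored when the session was created. On 'login' it would run the EnvIdentity and login() steps from the post above, and on 'deny' it would log the user out and throw the 403.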