1

i used Zend Rest Controller for developing a web service, and now i need to authenticate users before they can access my page.

For this, iam planning to use HTTP Authentication with curl, like this:

curl_setopt($ch, CURLOPT_USERPWD, "myusername:mypassword");

And i call that curl page like this:

curl -u myusername:mypassword http://localhost/controller/action/page.xml

I have a big doubt.

Do i need to store the usernames and passwords in a .htpasswd file? If so, how do i need to retrieve parameters and validate them ?

Improve this question
2
  • 2
    As an alternative I also can propose you to look at OAuth as an authentication layer. Commented Feb 9, 2011 at 7:49
  • No, i actually need to send the credentials via a curl request only. FYI, iam using Apache (bundled with Zend) on Windows. Commented Feb 9, 2011 at 19:16

1 Answer 1

Reset to default
8

If you use .htaccess the webserver will silently handle everything for you. you can assume (unless you have made a mistake) that the person is authorised.

But if you want to use http auth and get the user name and password to use in your own login system then you need to write the script thats being called like shown here.

http://php.net/manual/en/features.http-auth.php

Apart from sending through the username and password curl really has nothing to do with it. it just acts as a http client, just like a webbrowser is.

How you perform auth comes down to what you are trying to achieve. http auth is a simple authentication system.

DC

The link that I gave you shows you how to do it. The page you are calling MUST send back an authentication request otherwise curl will not forward the authentication details.

if you use a .htaccess and .htpasswd file you WILL NOT get to see the authentication because the webserver will remove those headers. If you are using a custom http auth like the one in the link I provided then you will get access to them ONLY after the auth request is sent, which means the first time the page is loaded you won't get them.

What I mean by that is.. first curl asks for the page without any credentials, if it gets the page then it stops, if it gets a request for credentials it then sends them.

This means if you want http://localhost/controller/action/page.xml to see the credentials then it must ask for them. if its a static page which it looks like it is, then it will not ask for the credentials.

did you mean to type http://localhost/controller/action/page.php

DC

the process goes like this...

curl                   ---> page.php (first request)
curl                   <--- page.php (first reply) "Please identify yourself" ('401 unauthorised' http code)
curl username:password ---> page.php (second request now includes user auth)
curl                   <--- page.php (second reply) ok here is the page (if id succesfull)

Ok as promised some working examples

first create 2 php scripts

auth.php is a modified copy of the example provided from the link I posted above

<?php

if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo "User name and password is required. Please try again.\n";
} else {
    // we now have access to the user and password :)
    echo "Hello {$_SERVER['PHP_AUTH_USER']}\n";
    echo "You entered {$_SERVER['PHP_AUTH_PW']} as your password.\n";
}

?>

curlfetch.php is a copy of your script from your other post

<?php

$curl = curl_init('http://localhost/auth.php');
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_USERPWD, 'key:123456');
curl_setopt($curl, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curl, CURLOPT_USERAGENT, 'Sample Code');

$response = curl_exec($curl);
$resultStatus = curl_getinfo($curl);

if($resultStatus['http_code'] == 200) {
    echo $response;
} else {
    echo 'Call Failed '.print_r($resultStatus);
}
?>

create and save those scripts on your server

now test script 1 without a password

curl http://localhost/auth.php

This results in...

User name and password is required. Please try again.

Now try with a password

curl -u user:pass http://localhost/auth.php

This results in...

Hello user
You entered pass as your password.

Now try the second script, Note we don't supply a username or password as that is supplied within the script

curl http://localhost/curlfetch.php

That results in...

Hello key
You entered 123456 as your password.

Now as a reference try calling both scripts from your browser

DC

Improve this answer
Sign up to request clarification or add additional context in comments.

9 Comments

@DeveloperChris I dont see it as a silent handling. Iam sending the curl request to a php page (controller), and in that page, i need to validate the username and password from database. But i just want to know how to get those values passed through curl. They dont seem to be available in the $_SERVER array.
@DeveloperChris I meant localhost/controller/action/page.php, and do you mean sending an authentication request is like: curl_setopt($curl, CURLOPT_HTTPAUTH, CURLAUTH_ANY); If so, then iam already adding them in the page.
No that not what I mean. when called page.php must send an auth request to the caller. in this case the caller is your curl script. I will add more to the answer to explain
@DeveloperChris Thanks for the detailed instructions... can i automate all this process by sending username and password in the first step itself (through curl)? Because i dont want to show any dialog boxes to the user. Can you post a sample code?
I still have some hopes on this... i just want to retrieve username, password and authenticate the user with curl... can anyone point me to a good example please...
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.