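/**
 * HTTP Digest authentication (RFC 2617, qop="auth") against an in-memory
 * username => password map.
 *
 * Sends a 401 challenge and exits when no digest header is present; exits
 * with 401 on an unparsable header, an unknown user or a wrong response;
 * returns TRUE only when the digest validates.
 *
 * @param string $realm   Realm sent in the challenge and mixed into A1.
 * @param array  $users   Map of username => plaintext password.
 * @param int    $phpcgi  When 1 the digest header is read from
 *                        REDIRECT_REMOTE_USER (CGI/FastCGI rewrite setups)
 *                        instead of PHP_AUTH_DIGEST.
 * @return bool TRUE on success; never returns on failure.
 */
function AuthenticationDigestHTTP($realm, $users, $phpcgi = 0) {
    $haveHeader = !empty($_SERVER['PHP_AUTH_DIGEST']) || !empty($_SERVER['REDIRECT_REMOTE_USER']);
    if (!$haveHeader) {
        header('HTTP/1.1 401 Unauthorized');
        // Digest challenge parameters are a comma-separated list (RFC 2617
        // section 3.2.1); the original omitted the separators, which clients
        // may reject. NOTE(review): the nonce is never verified on the way
        // back in (see below), so a captured Authorization header can be
        // replayed; a signed or tracked nonce is needed to prevent that.
        header('WWW-Authenticate: Digest realm="' . $realm . '", qop="auth", nonce="' . uniqid(rand(), true) . '", opaque="' . md5($realm) . '"');
        die('401 Unauthorized');
    }

    // Choose the header source first: the original read PHP_AUTH_DIGEST
    // unconditionally, which is undefined when only REDIRECT_REMOTE_USER is set.
    if ($phpcgi == 1) {
        $auth = isset($_SERVER['REDIRECT_REMOTE_USER']) ? $_SERVER['REDIRECT_REMOTE_USER'] : '';
    } else {
        $auth = isset($_SERVER['PHP_AUTH_DIGEST']) ? $_SERVER['PHP_AUTH_DIGEST'] : '';
    }

    // http_digest_parse() yields false when a required field is missing;
    // indexing into false would otherwise hand null to array_key_exists().
    $data = http_digest_parse($auth);
    if ($data === false || !array_key_exists($data['username'], $users)) {
        header('HTTP/1.1 401 Unauthorized');
        die('401 Unauthorized');
    }

    // RFC 2617 response = MD5(A1:nonce:nc:cnonce:qop:A2) with
    // A1 = MD5(user:realm:password) and A2 = MD5(method:uri).
    $A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
    $A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
    // nonce, nc, cnonce, qop and uri all come from the client unverified.
    $valid_response = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);

    // Constant-time, type-strict comparison: `!=` on two hex digests is subject
    // to PHP's numeric-string juggling ("0e..." == "0e...") and leaks timing.
    if (!hash_equals($valid_response, (string) $data['response'])) {
        header('HTTP/1.1 401 Unauthorized');
        die('401 Unauthorized');
    }
    return TRUE;
}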
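/**
 * Require HTTP Digest credentials (qop="auth") matching the $users map and
 * terminate the request when they are absent or wrong.
 *
 * @param array $users Map of username => plaintext password.
 * @return void Returns only when the digest validates.
 */
function http_authentication($users) {
    $realm = 'Restricted area';
    if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
        header('HTTP/1.1 401 Unauthorized');
        // NOTE(review): the nonce is never verified when it comes back, so a
        // captured Authorization header can be replayed against this realm.
        header('WWW-Authenticate: Digest realm="' . $realm . '",qop="auth",nonce="' . uniqid() . '",opaque="' . md5($realm) . '"');
        die('Text to send if user hits Cancel button');
    }

    // analyze the PHP_AUTH_DIGEST variable
    $data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST']);
    if (!$data || !isset($users[$data['username']])) {
        // Answer 401 rather than a 200 with an error body, so the client can
        // tell that authentication (not the resource) failed.
        header('HTTP/1.1 401 Unauthorized');
        die('Wrong Credentials!');
    }

    // generate the valid response: MD5(A1:nonce:nc:cnonce:qop:A2)
    $A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
    $A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
    $valid_response = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);

    // Constant-time, type-strict comparison instead of `!=` on hex strings.
    if (!hash_equals($valid_response, (string) $data['response'])) {
        header('HTTP/1.1 401 Unauthorized');
        die('Wrong Credentials!');
    }
}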
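/**
 * Identity of the caller as established by HTTP Digest authentication.
 *
 * Memoised in Authentication::$user. Without a PHP_AUTH_DIGEST header the
 * placeholder "******" is returned; with one, the digest is validated using
 * the secret from Authentication::password_for() and the username is
 * returned. Every failure goes through Authentication::forbidden().
 *
 * @return string
 */
static function user() {
    if (isset(Authentication::$user)) {
        return Authentication::$user;
    }
    if (!isset($_SERVER['PHP_AUTH_DIGEST'])) {
        return Authentication::$user = "******";
    }
    $data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST']);
    if (!$data) {
        Authentication::forbidden("Invalid authentication");
    }
    // A realm other than ours (e.g. cached browser credentials for another
    // realm on this host) is rejected so the client re-prompts.
    if (isset($data['realm']) && $data['realm'] != AUTH_REALM) {
        Authentication::forbidden("Invalid authentication"); // allow re-login
    }
    // password_for() is used directly as A1, i.e. it is expected to return
    // HA1 = MD5(user:realm:password) — presumably null/false/'' for an
    // unknown user; verify against its definition. Refuse to continue with an
    // empty A1, otherwise the client-supplied response would be compared with
    // a digest derived from no secret at all.
    $A1 = Authentication::password_for($data['username']);
    if ($A1 === null || $A1 === false || $A1 === '') {
        Authentication::forbidden("Incorrect username or password");
    }
    $A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
    // nonce, nc, cnonce and qop come straight from the client and are not
    // checked against a server-issued value, so replay is not prevented.
    $valid_response = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);
    // Constant-time, type-strict comparison instead of `!=` on hex strings.
    if (!hash_equals($valid_response, (string) $data['response'])) {
        Authentication::forbidden("Incorrect username or password");
    }
    return Authentication::$user = $data['username'];
}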
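<?php
// Demo: HTTP Digest (qop="auth") against a hard-coded user map.
// NOTE(review): plaintext passwords in source are for illustration only; a
// deployment should store HA1 = MD5(user:realm:password) or a real password
// hash, and never commit secrets.
$realm = 'Restricted area';
//user => password
$users = array('admin' => 'mypass', 'guest' => 'guest');

if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
    header('HTTP/1.1 401 Unauthorized');
    // The nonce is never verified when it comes back, so this does not
    // prevent replay of a captured Authorization header.
    header('WWW-Authenticate: Digest realm="' . $realm . '",qop="auth",nonce="' . uniqid() . '",opaque="' . md5($realm) . '"');
    die('Text to send if user hits Cancel button');
}

// analyze the PHP_AUTH_DIGEST variable
if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) || !isset($users[$data['username']])) {
    header('HTTP/1.1 401 Unauthorized'); // was a 200 with an error body
    die('Wrong Credentials!');
}

// generate the valid response: MD5(A1:nonce:nc:cnonce:qop:A2)
$A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
$A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
$valid_response = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);
// Constant-time, type-strict comparison instead of `!=` on hex strings.
if (!hash_equals($valid_response, (string) $data['response'])) {
    header('HTTP/1.1 401 Unauthorized');
    die('Wrong Credentials!');
}

// ok, valid username & password
// The username is client-supplied (Authorization header): escape it for HTML.
echo 'You are logged in as: ' . htmlspecialchars($data['username'], ENT_QUOTES, 'UTF-8');

// function to parse the http auth header
function http_digest_parse($txt) {
    // protect against missing data
    $needed_parts = array('nonce' => 1, 'nc' => 1, 'cnonce' => 1, 'qop' => 1, 'username' => 1, 'uri' => 1, 'response' => 1);
    $data = array();
    $keys = implode('|', array_keys($needed_parts));
    // key=value pairs: a quoted value lands in group 3 (its quote char in
    // group 2), a bare token in group 4. PCRE reads `\2` inside a character
    // class as octal, so `[^\2]+?` is really "any character, lazily"; it is
    // the `\2` backreference after it that stops at the closing quote.
    preg_match_all('@(' . $keys . ')=(?:([\'"])([^\\2]+?)\\2|([^\\s,]+))@', $txt, $matches, PREG_SET_ORDER);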
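/**
 * Authenticate a WebID/FOAF user with HTTP Digest (qop="auth") against the
 * PIN stored in the `passwords` table, then hand off to webid_redirect() or
 * login_screen(). Every failure path ends in failed_password_check().
 *
 * @param array       $config         DB settings: db_user, db_pwd, db_name.
 * @param string      $realm          Digest realm (also mixed into A1).
 * @param string|null $authreqissuer  Redirect target on success; login_screen() when null.
 */
function foaf_password($config, $realm, $authreqissuer) {
    if (empty($_SERVER['HTTP_AUTHORIZATION'])) {
        header('HTTP/1.1 401 Unauthorized');
        // Offer only qop="auth": the check below computes A2 = MD5(method:uri),
        // which is the "auth" form. A client that picked the previously
        // advertised "auth-int" (A2 includes the entity-body hash) could never
        // have validated.
        header('WWW-Authenticate: Digest realm="' . $realm . '",qop="auth",nonce="' . uniqid() . '",opaque="' . md5($realm) . '"');
        die;
    }

    // analyze the digest sent in the Authorization header
    if (!($data = http_digest_parse($_SERVER['HTTP_AUTHORIZATION']))) {
        failed_password_check('HTTP Digest was incomplete', $authreqissuer);
        return;
    }

    // The digest username is a (URL-encoded) WebID URI; resolve it to an agent.
    $uri = urldecode($data['username']);
    $agent = is_valid_url($uri) ? get_agent($uri) : NULL;
    $webid = isset($agent['agent']['webid']) ? $agent['agent']['webid'] : '';
    if ($webid === '') {
        // No resolvable WebID: fail without querying for webid="".
        failed_password_check('FOAF Password doesnot match', $authreqissuer);
        return;
    }

    // set up db
    $db = new db_class();
    $db->connect('localhost', $config['db_user'], $config['db_pwd'], $config['db_name']);
    // $webid originates from a remote profile, so it must be escaped before
    // being embedded in SQL. db_class exposes no placeholder API here; the
    // result is read with mysql_fetch_assoc(), so the mysql extension's
    // escaper is the matching one (assumes db_class connected via that extension).
    $sql = 'select password from passwords where webid="' . mysql_real_escape_string($webid) . '" and active = 1 and verified_mbox = 1 ';
    $results = $db->select($sql);
    $row = $results ? mysql_fetch_assoc($results) : false;
    if (!$row) {
        failed_password_check('FOAF Password doesnot match', $authreqissuer);
        return;
    }
    $pin = $row['password'];

    // generate the valid response: MD5(A1:nonce:nc:cnonce:qop:A2)
    // (nonce/nc/cnonce/qop are client-supplied and not verified here, so a
    // captured header can be replayed)
    $A1 = md5($data['username'] . ':' . $realm . ':' . $pin);
    $A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
    $valid_response = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);

    // Constant-time, type-strict comparison instead of `==` on hex strings.
    if (!hash_equals($valid_response, (string) $data['response'])) {
        failed_password_check('FOAF Password doesnot match', $authreqissuer);
        return;
    }

    if (isset($authreqissuer)) {
        webid_redirect($authreqissuer, $webid);
    } else {
        login_screen($webid);
    }
}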
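/**
 * Gate a REST request behind HTTP Digest (qop="auth") for the single
 * configured account; dies with a 401 response on any failure.
 *
 * NOTE(review): $auth_username and $auth_pass are not defined in this method
 * (no parameter, local assignment, `global` or `self::`), so inside the
 * method body they are null unless something not shown sets them. Confirm
 * where they are meant to come from (a config include or a class property);
 * as written the username check can only ever fail.
 *
 * @return void Returns only when the digest validates.
 */
private static function authenticate() {
    // figure out if we need to challenge the user
    if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
        header('HTTP/1.1 401 Unauthorized');
        // The nonce is not verified when it comes back, so this does not
        // prevent replay of a captured Authorization header.
        header('WWW-Authenticate: Digest realm="' . AUTH_REALM . '",qop="auth",nonce="' . uniqid() . '",opaque="' . md5(AUTH_REALM) . '"');
        // show the error if they hit cancel
        die(RestControllerLib::error(401, true));
    }

    // now, analyze the PHP_AUTH_DIGEST var (strict username comparison)
    $data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST']);
    if (!$data || $auth_username !== $data['username']) {
        // show the error due to bad auth
        die(RestUtils::sendResponse(401));
    }

    // so far, everything's good, let's now check the response a bit more...
    $A1 = md5($data['username'] . ':' . AUTH_REALM . ':' . $auth_pass);
    $A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
    $valid_response = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);

    // last check: constant-time, type-strict comparison instead of `!=`
    if (!hash_equals($valid_response, (string) $data['response'])) {
        die(RestUtils::sendResponse(401));
    }
}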
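//user => password
// NOTE(review): plaintext passwords in source are for illustration only.
$users = array('admin' => 'mypass', 'guest' => 'guest');
// $realm is expected to be set before this point: it names the Digest realm
// and is mixed into A1, so it must match what the client was challenged with.

if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
    header('HTTP/1.1 401 Unauthorized');
    // The nonce is never verified when it comes back, so this does not
    // prevent replay of a captured Authorization header.
    header('WWW-Authenticate: Digest realm="'.$realm. '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
    die('Text to send if user hits Cancel button');
}

// analyze the PHP_AUTH_DIGEST variable
if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) || !isset($users[$data['username']])) {
    header('HTTP/1.1 401 Unauthorized'); // was a 200 with an error body
    die('Wrong Credentials!');
}

// generate the valid response: MD5(A1:nonce:nc:cnonce:qop:A2)
$A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
$A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']);
$valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2);
// Constant-time, type-strict comparison instead of `!=` on hex strings.
if (!hash_equals($valid_response, (string) $data['response'])) {
    header('HTTP/1.1 401 Unauthorized');
    die('Wrong Credentials!');
}

// ok, valid username & password
// The username is client-supplied (Authorization header): escape it for HTML.
echo 'You are logged in as: ' . htmlspecialchars($data['username'], ENT_QUOTES, 'UTF-8');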
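for ($i = 0; $i < count($matches[0]); $i++) {
    // ignore unneeded parameters
    if (isset($needed_parts[$matches[1][$i]])) {
        unset($needed_parts[$matches[1][$i]]);
        // quoted value: strip the surrounding quotes
        if ('"' == substr($matches[2][$i], 0, 1)) {
            $data[$matches[1][$i]] = substr($matches[2][$i], 1, -1);
        } else {
            $data[$matches[1][$i]] = $matches[2][$i];
        }
    }
}
// false when any required field was missing
return !empty($needed_parts) ? false : $data;
}

// Test fixture for HTTP_Request2: the expected credentials arrive in the
// query string (?user=...&pass=...). Acceptable for a test server only —
// never deploy this pattern.
$realm = 'HTTP_Request2 tests';
$wantedUser = isset($_GET['user']) ? $_GET['user'] : null;
$wantedPass = isset($_GET['pass']) ? $_GET['pass'] : null;
$validAuth = false;
// Strict username comparison: avoids PHP loose-equality surprises
// (numeric strings, null) on a client-supplied value.
if (!empty($_SERVER['PHP_AUTH_DIGEST'])
    && ($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST']))
    && $wantedUser === $data['username']) {
    // generate the valid response: MD5(A1:nonce:nc:cnonce:qop:A2)
    $a1 = md5($data['username'] . ':' . $realm . ':' . $wantedPass);
    $a2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
    $response = md5($a1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $a2);
    // check valid response against existing one (constant-time, type-strict)
    $validAuth = hash_equals($response, (string) $data['response']);
}
if (!$validAuth || empty($_SERVER['PHP_AUTH_DIGEST'])) {
    header('WWW-Authenticate: Digest realm="' . $realm . '",qop="auth",nonce="' . uniqid() . '"', true, 401);
    echo "Login required";
} else {
    // $user was never assigned here (the output was always "Username=");
    // report the authenticated digest username, escaped since it is client-supplied.
    echo "Username=" . htmlspecialchars($data['username'], ENT_QUOTES, 'UTF-8');
}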
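/**
 * Authenticate a SIP account holder with HTTP Digest (qop="auth") and return
 * its NGNPro credentials.
 *
 * Flow: issue a signed, time-limited nonce; parse the Authorization header;
 * verify the nonce signature and expiry; look the account up over SOAP;
 * verify the digest against the stored web_password / ha1 (or, failing
 * those, the cleartext password). Every failure path logs to syslog and
 * terminates the request with die().
 *
 * @return array  {account, engine, customer, reseller} on success;
 *                never returns on failure.
 */
function getSipAccountFromHTTPDigest () {
    require("/etc/cdrtool/enrollment/config.ini");
    if (!is_array($enrollment) || !strlen($enrollment['nonce_key'])) {
        $log = 'Error: Missing nonce in enrollment settings';
        syslog(LOG_NOTICE, $log);
        die($log);
    }

    // The realm may be supplied by the client (Blink Cocoa sends user@domain;
    // only the domain part is kept). It is untrusted: it is echoed back inside
    // the quoted WWW-Authenticate parameter and doubles as the default SIP
    // domain below, so quotes and control characters are stripped.
    if (!empty($_REQUEST['realm'])) {
        $realm = preg_replace('/["\x00-\x1f\x7f]/', '', $_REQUEST['realm']);
        $a = explode("@", $realm);
        if (count($a) == 2) {
            $realm = $a[1];
        }
    } else {
        $realm = 'SIP_settings';
    }

    // Nonce scheme after the Spring Security digest filter
    // (http://static.springsource.org/spring-security/site/docs/2.0.x/reference/digest.html):
    // expiry timestamp plus MD5("timestamp:nonce_key"), base64-encoded, so it
    // can be verified without server-side state. NOTE(review): MD5 with the
    // key appended is not a standard MAC; hash_hmac('sha256', ...) would be
    // preferable, but the format is kept in case other components share
    // nonce_key. Within the validity window a captured header can still be
    // replayed because nc is not tracked.
    $_id = microtime(true) + 300; // expires 5 minutes in the future
    $_key = $enrollment['nonce_key'];
    $nonce = base64_encode($_id . ":" . md5($_id . ":" . $_key));

    if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: Digest realm="'.$realm. '",qop="auth",nonce="'.$nonce.'",opaque="'.md5($realm).'"');
        die();
    }

    // analyze the PHP_AUTH_DIGEST variable
    if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) || !isset($data['username'])) {
        $log = sprintf("SIP settings page: Invalid credentials from %s", $_SERVER['REMOTE_ADDR']);
        syslog(LOG_NOTICE, $log);
        die($log);
    }

    // Split user@domain; a bare username belongs to the realm's domain.
    $username = $data['username'];
    if (strstr($username, '@')) {
        $a = explode("@", $username);
        $username = $a[0];
        $domain = $a[1];
    } else {
        $domain = $realm;
    }
    $credentials['account'] = sprintf("%s@%s", $username, $domain);

    // Verify the nonce *before* touching the SOAP backend or the password:
    // a forged or expired nonce is rejected without an admin-credentialed
    // account lookup, and a replayed header fails here instead of being
    // logged as "wrong credentials". The checks themselves are unchanged.
    $client_nonce_els = explode(":", (string) base64_decode($data['nonce']));
    if (count($client_nonce_els) != 2
        || !hash_equals(md5($client_nonce_els[0] . ":" . $_key), $client_nonce_els[1])) {
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: Digest realm="'.$realm. '",qop="auth",nonce="'.$nonce.'",opaque="'.md5($realm).'"');
        $log = sprintf("SIP settings page error: wrong nonce for %s from %s", $credentials['account'], $_SERVER['REMOTE_ADDR']);
        syslog(LOG_NOTICE, $log);
        die();
    }
    if (microtime(true) > $client_nonce_els[0]) {
        // nonce is stale: tell the client to retry with the fresh one
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: Digest realm="'.$realm. '",qop="auth",nonce="'.$nonce.'",stale=true,opaque="'.md5($realm).'"');
        $log = sprintf("SIP settings page error: nonce has expired for %s from %s", $username, $_SERVER['REMOTE_ADDR']);
        syslog(LOG_NOTICE, $log);
        die();
    }

    require("/etc/cdrtool/ngnpro_engines.inc");
    // NOTE(review): `global` after the require rebinds these names to the
    // global scope; this only works if the include defines them globally (or
    // they are already set there). Order kept as in the original — confirm
    // against ngnpro_engines.inc.
    global $domainFilters, $resellerFilters, $soapEngines;

    if (!empty($domainFilters[$domain]['sip_engine'])) {
        $credentials['engine'] = $domainFilters[$domain]['sip_engine'];
        $credentials['customer'] = $domainFilters[$domain]['customer'];
        $credentials['reseller'] = $domainFilters[$domain]['reseller'];
    } else if (!empty($domainFilters['default']['sip_engine'])) {
        $credentials['engine'] = $domainFilters['default']['sip_engine'];
    } else {
        $log = sprintf("SIP settings page error: no domainFilter available in ngnpro_engines.inc from %s", $_SERVER['REMOTE_ADDR']);
        syslog(LOG_NOTICE, $log);
        die();
    }

    $SOAPlogin = array(
        "username" => $soapEngines[$credentials['engine']]['username'],
        "password" => $soapEngines[$credentials['engine']]['password'],
        "admin" => true
    );
    $SoapAuth = array('auth', $SOAPlogin, 'urn:AGProjects:NGNPro', 0, '');
    $SipPort = new WebService_NGNPro_SipPort($soapEngines[$credentials['engine']]['url']);
    $SipPort->_options['timeout'] = 5;
    // NOTE(review): peer and host verification are disabled, so the admin
    // SOAP credentials above travel over a connection any on-path attacker can
    // terminate. Left unchanged because the engine URLs/certificates are
    // configured elsewhere; re-enable once the engine presents a trusted cert.
    $SipPort->setOpt('curl', CURLOPT_SSL_VERIFYPEER, 0);
    $SipPort->setOpt('curl', CURLOPT_SSL_VERIFYHOST, 0);
    $SipPort->addHeader($SoapAuth);

    $result = $SipPort->getAccount(array("username" => $username, "domain" => $domain));
    if (PEAR::isError($result)) {
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: Digest realm="'.$realm. '",qop="auth",nonce="'.$nonce.'",opaque="'.md5($realm).'"');
        $log = sprintf("SIP settings page error: non-existent username %s from %s", $credentials['account'], $_SERVER['REMOTE_ADDR']);
        syslog(LOG_NOTICE, $log);
        die();
    }

    // Secret used as A1, in order of preference: the first colon-separated
    // field of the web_password property (used as-is, so it must already be
    // MD5(user:realm:password) — confirm against how NGNPro stores it), then
    // the account's ha1, then a cleartext password hashed on the fly.
    $web_password = '';
    foreach ($result->properties as $_property) {
        if ($_property->name == 'web_password') {
            $split = explode(":", $_property->value);
            $web_password = $split[0];
            break;
        }
    }
    if (!empty($web_password)) {
        $A1 = $web_password;
        $login_type_log = 'web password';
    } else if ($result->ha1) {
        $A1 = $result->ha1;
        $login_type_log = 'encrypted password';
    } else {
        $A1 = md5($data['username'] . ':' . $realm . ':' . $result->password);
        $login_type_log = 'cleartext password';
    }

    $A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']);
    $valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2);
    // Constant-time, type-strict comparison instead of `!=` on hex strings.
    if (!hash_equals($valid_response, (string) $data['response'])) {
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: Digest realm="'.$realm. '",qop="auth",nonce="'.$nonce.'",opaque="'.md5($realm).'"');
        $log = sprintf("SIP settings page error: wrong credentials using %s for %s from %s", $login_type_log, $credentials['account'], $_SERVER['REMOTE_ADDR']);
        syslog(LOG_NOTICE, $log);
        die();
    }

    $log = sprintf("SIP settings page: %s logged in using %s from %s", $credentials['account'], $login_type_log, $_SERVER['REMOTE_ADDR']);
    syslog(LOG_NOTICE, $log);
    $credentials['customer'] = $result->customer;
    $credentials['reseller'] = $result->reseller;
    return $credentials;
}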
$Out['error'] = 'Can`t decode request.';
}
}
# Authenticate:
# NOTE(review): http_digest_validate() is handed $Out (the response being
# built), not $Recv['digest'] — confirm it obtains the client digest elsewhere.
if ($CONF['AUTH_RULES']) {
    if (isset($Recv['digest'])) {
        $Digest = $Recv['digest'];
        if (false == http_digest_validate($Out)) {
            $Digest = false;
            $Out['auth_status'] = 'Wrong credentials.';
            $Out['auth_error'] = true;
        }
        # Fresh nonce for the next round. md5(rand()) is predictable; if the
        # nonce is meant to resist guessing, derive it from a CSPRNG instead.
        $Out['nonce'] = md5(rand());
    }
} else {
    $Digest = http_digest_parse();
}
if ($Digest !== false) {
    global $UserID;
    # The string 'null' (not PHP null) is treated as "no user" — presumably
    # how the client serialises an absent username; verify against the client.
    if ($Digest['username'] != 'null') {
        $UserID = $Digest['username'];
    }
}
# Process response:
if (array_key_exists('walkdir', $Recv)) {
    $Out['walkdir'] = array();
    foreach ($Recv['walkdir'] as $dir) {
        # NOTE(review): this blacklist does remove every ".." sequence (the
        # final '..' entry sees to that), but absolute paths pass through
        # unchanged, and anything walkDir() itself decodes is not covered.
        # Resolve with realpath() and require the result to stay under the
        # intended root instead of rewriting the string.
        $rem = array('../', '../', '..');
        $dir = str_replace($rem, '', $dir);
        $walkdir = array();
        walkDir($Recv, $dir, $walkdir, 0);
// (tail of the challenge helper — presumably http_digest_request(), called
// below — sent when the client has no credentials or cancels the prompt)
header('HTTP/1.1 401 Authorization Required');
// NOTE(review): the nonce is not verified when it comes back, so a captured
// Authorization header can be replayed.
header('WWW-Authenticate: Digest realm="' . $realm . '", qop="auth", nonce="' . uniqid() . '", opaque="' . md5($realm) . '"');
header("Content-Type: text/html");
$content = 'Authorization Cancelled';
header("Content-Length: " . strval(strlen($content)));
echo $content;
die;
}
//set the realm
// $_SESSION['domain_name'] is embedded inside a quoted header parameter and
// mixed into A1; it must not contain '"' — confirm where it is validated.
$realm = $_SESSION['domain_name'];
//request authentication
if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
http_digest_request($realm);
}
//check for valid digest authentication details
// NOTE(review): loose `!=` on the username; `!==` would avoid PHP's
// numeric-string coercion on a client-supplied value.
if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) || $data['username'] != $provision["http_auth_username"]) {
header('HTTP/1.1 401 Unauthorized');
header("Content-Type: text/html");
// $__line__ is an ordinary (undefined) variable, not the __LINE__ magic
// constant, so the body is "Unauthorized " plus a notice — presumably a typo.
$content = 'Unauthorized ' . $__line__;
header("Content-Length: " . strval(strlen($content)));
echo $content;
exit;
}
//generate the valid response: MD5(A1:nonce:nc:cnonce:qop:A2)
$A1 = md5($provision["http_auth_username"] . ':' . $realm . ':' . $provision["http_auth_password"]);
$A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
$valid_response = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);
// NOTE(review): compare with hash_equals($valid_response, $data['response']):
// `!=` on two hex digests is subject to numeric-string juggling ("0e..." ==
// "0e...") and is not constant-time.
if ($data['response'] != $valid_response) {
header('HTTP/1.0 401 Unauthorized');
header("Content-Type: text/html");
$content = 'Unauthorized ' . $__line__;
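/**
 * Validate HTTP Digest credentials (qop="auth") for the single account held
 * in the globals $user_name / $password under realm $realm.
 *
 * Sends a 401 challenge and exits when no digest header is present. Returns
 * false (without touching the response) on a malformed header, a different
 * username or a wrong digest; true when the digest validates.
 *
 * NOTE(review): $password is fed straight into the response hash, i.e. it is
 * treated as HA1 = MD5(user:realm:password), not as the cleartext password.
 * Confirm which form the global holds; with a cleartext value this can never
 * succeed.
 *
 * @return bool
 */
function http_digest_check() {
    global $realm, $user_name, $password;
    if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
        header('HTTP/1.1 401 Unauthorized');
        // The nonce is not verified when it comes back, so this does not
        // prevent replay of a captured Authorization header.
        header('WWW-Authenticate: Digest realm="' . $realm . '",qop="auth",nonce="' . uniqid() . '",opaque="' . md5($realm) . '"');
        die('Not Authenticated');
    }
    // analyze the PHP_AUTH_DIGEST variable
    $data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST']);
    if (!$data || $data['username'] !== $user_name) {
        return false;
    }
    // generate the valid response: MD5(HA1:nonce:nc:cnonce:qop:A2)
    $A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
    $valid_response = md5($password . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);
    // Constant-time, type-strict comparison instead of `==` on hex strings.
    return hash_equals($valid_response, (string) $data['response']);
}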
require dirname(__FILE__) . "/../../http/classes/class_administration.php";
require dirname(__FILE__) . "/../../http/classes/class_connector.php";
require_once dirname(__FILE__) . "/../../http/classes/class_mb_exception.php";
require dirname(__FILE__) . "/../../owsproxy/http/classes/class_QueryHandler.php";
//database connection
$db = db_connect($DBSERVER, $OWNER, $PW);
db_select_db(DB, $db);
$imageformats = array("image/png", "image/gif", "image/jpeg", "image/jpg");
//control if digest auth is set, if not set, generate the challenge with getNonce()
// getNonce() is defined elsewhere; whether the nonce is later verified is not
// visible here — without that, a captured Authorization header can be replayed.
if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: Digest realm="' . REALM . '",qop="auth",nonce="' . getNonce() . '",opaque="' . md5(REALM) . '"');
die('Text to send if user hits Cancel button');
}
//read out the header in an array
$requestHeaderArray = http_digest_parse($_SERVER['PHP_AUTH_DIGEST']);
//error if header could not be read
if (!$requestHeaderArray) {
echo 'Following Header information cannot be validated - check your clientsoftware!<br>';
// NOTE(review): the raw Authorization header (including the digest
// response) is reflected into HTML unescaped — an XSS sink via a crafted
// header and a needless disclosure; wrap in htmlspecialchars() or drop it.
echo $_SERVER['PHP_AUTH_DIGEST'] . '<br>';
die;
}
//get mb_username and email out of http_auth username string
// The digest username is expected as "name;email"; with no ';' the email
// index is undefined (notice, null email) — guard with count() before use.
$userIdentification = explode(';', $requestHeaderArray['username']);
$mbUsername = $userIdentification[0];
$mbEmail = $userIdentification[1];
$userInformation = getUserInfo($mbUsername, $mbEmail);
if ($userInformation[0] == '-1') {
// NOTE(review): client-supplied name/email echoed into the page unescaped.
die('User with name: ' . $mbUsername . ' and email: ' . $mbEmail . ' not known to security proxy!');
}
if ($userInformation[1] == '') {