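 /**
  * Initialises the global $ilAuth object for the current request.
  *
  * Picks an authentication mode from the session state, the request
  * ($_POST, $_GET, $_SERVER) and the $ilSetting configuration, defines the
  * AUTH_DEFAULT and AUTH_CURRENT constants, builds the matching auth
  * container and applies the idle/expire settings.
  *
  * Security: the mode-selection part runs while no registered session
  * exists, so every request value read here is untrusted input. In this
  * method those values only steer which auth mode/container is chosen;
  * credential verification is not visible here.
  *
  * Both constants are created with define(), so a second call within the
  * same request would try to redefine them.
  *
  * @return void
  */
 function _initAuth()
 {
     global $ilAuth, $ilSetting, $ilDB, $ilClientIniFile, $ilBench;
     $user_auth_mode = false;
     $ilBench->start('Auth', 'initAuth');

     // Read the client-supplied values once behind isset() guards. A missing
     // key yields null, which is the value the former unguarded reads
     // produced too, but without raising an "undefined index" notice.
     $post_username = isset($_POST['username']) ? $_POST['username'] : null;
     $post_password = isset($_POST['password']) ? $_POST['password'] : null;
     $post_auth_mode = isset($_POST['auth_mode']) ? $_POST['auth_mode'] : null;

     // get default auth mode
     define("AUTH_DEFAULT", $ilSetting->get("auth_mode") ? $ilSetting->get("auth_mode") : AUTH_LOCAL);

     // determine authentication method if no session is found and username & password is posted
     // does this if statement make any sense? we enter this block nearly everytime.
     if (empty($_SESSION) || (!isset($_SESSION['_authsession']['registered']) || $_SESSION['_authsession']['registered'] !== true)) {
         // no registered session found

         // Explicit grouping of what "and"/"or" precedence expressed before:
         // (username and password posted) or (ECS / OpenID parameters present).
         $has_credentials = $post_username !== null && $post_username != '' && $post_password != '';
         $has_external_login = isset($_GET['ecs_hash'])
             || isset($_GET['ecs_hash_url'])
             || isset($_POST['oid_username'])
             || isset($_GET['oid_check_status']);

         if ($has_credentials || $has_external_login) {
             // On the ECS/OpenID path username and password may both be null.
             $user_auth_mode = ilAuthUtils::_getAuthModeOfUser($post_username, $post_password, $ilDB);
             if ($user_auth_mode == AUTH_CAS && $ilSetting->get("cas_allow_local")) {
                 $user_auth_mode = AUTH_LOCAL;
             }
             if ($user_auth_mode == AUTH_SOAP && $ilSetting->get("soap_auth_allow_local")) {
                 $user_auth_mode = AUTH_LOCAL;
             }
             if ($user_auth_mode == AUTH_SHIBBOLETH && $ilSetting->get("shib_auth_allow_local")) {
                 $user_auth_mode = AUTH_LOCAL;
             }
         } elseif ($post_auth_mode == AUTH_APACHE) {
             // NOTE(review): "auth_mode" is chosen by the client. The value set
             // here survives when "apache_active" is off (the check further down
             // only sets the factory context), so the switch below still builds
             // ilAuthContainerApache. SOAP, by contrast, is reset to AUTH_LOCAL
             // when inactive. Confirm this asymmetry is intended.
             $user_auth_mode = AUTH_APACHE;
         }
     }

     // to do: other solution?
     if (!$ilSetting->get("soap_auth_active") && $user_auth_mode == AUTH_SOAP) {
         $user_auth_mode = AUTH_LOCAL;
     }
     // "forceCASLogin" is a client-supplied switch; it is honoured only while
     // CAS is enabled in the settings.
     if ($ilSetting->get("cas_active") && !empty($_GET['forceCASLogin'])) {
         ilAuthFactory::setContext(ilAuthFactory::CONTEXT_CAS);
         $user_auth_mode = AUTH_CAS;
     }
     if ($ilSetting->get("apache_active") && $user_auth_mode == AUTH_APACHE) {
         ilAuthFactory::setContext(ilAuthFactory::CONTEXT_APACHE);
         $user_auth_mode = AUTH_APACHE;
     }

     // BEGIN WebDAV: Share session between browser and WebDAV client.
     // The realm is needed to support a common session between Auth_HTTP and Auth.
     // It also helps us to distinguish between parallel sessions run on different clients.
     // Common session only works if we use a common session name starting with "_authhttp".
     // We must use the "_authhttp" prefix, because it is hardcoded in the session name of
     // class Auth_HTTP.
     // Whenever we use Auth_HTTP, we need to explicitly switch off "sessionSharing", because
     // it interferes with the session mechanism of the other Auth modules. If we would
     // keep this switched on, then users could steal each others session, which would cause
     // a major security breach.
     // Note: The realm and sessionName used here, must be the same as in
     //       class ilBaseAuthentication. Otherwise, Soap clients won't be able to log
     //       in to ILIAS.
     $realm = CLIENT_ID;
     // END WebDAV: Share session between browser and WebDAV client.

     // if soap authentication activated and soap credentials given
     // NOTE(review): "soap_pw" is read from the query string. Query strings are
     // commonly recorded in access logs and proxy logs; confirm the credential
     // is kept out of such logs or moved to the request body.
     $soap_credentials_given = $ilSetting->get("soap_auth_active")
         && !empty($_GET["ext_uid"])
         && !empty($_GET["soap_pw"]);

     if ($soap_credentials_given || $user_auth_mode == AUTH_SOAP) {
         define('AUTH_CURRENT', AUTH_SOAP);
     } elseif ($ilSetting->get("shib_active") && !empty($_SERVER[$ilSetting->get("shib_login")])) {
         // NOTE(review): Shibboleth is selected purely because the $_SERVER entry
         // named by the "shib_login" setting is non-empty. If that name can be
         // populated from a request header, the web server has to strip it from
         // incoming requests. Verify against the deployment.
         define("AUTH_CURRENT", AUTH_SHIBBOLETH);
     } else {
         define("AUTH_CURRENT", $user_auth_mode);
     }

     // Determine the authentication method to use
     if (defined("WebDAV_Authentication") && WebDAV_Authentication == 'HTTP') {
         // Since WebDAV clients create the login form by
         // themselves, we can not provide buttons on the form for
         // choosing an authentication method.
         // If the user is already logged in, we continue using
         // the current authentication method. If the user is
         // not logged in yet, we use the "multiple authentication"
         // method using a predefined sequence of authentication methods.
         $authmode = AUTH_CURRENT ? AUTH_CURRENT : AUTH_MULTIPLE;
     } else {
         $authmode = AUTH_CURRENT;
     }

     // if no auth mode selected AND default mode is AUTH_APACHE then use it...
     if ($authmode == null && AUTH_DEFAULT == AUTH_APACHE) {
         $authmode = AUTH_APACHE;
     }

     // Build the auth object for the selected mode. All include paths are
     // fixed literals; none is derived from request data.
     switch ($authmode) {
         case AUTH_LDAP:
             include_once './Services/LDAP/classes/class.ilAuthContainerLDAP.php';
             $ilAuth = ilAuthFactory::factory(new ilAuthContainerLDAP());
             break;
         case AUTH_RADIUS:
             include_once './Services/Radius/classes/class.ilAuthContainerRadius.php';
             $ilAuth = ilAuthFactory::factory(new ilAuthContainerRadius());
             break;
         case AUTH_SHIBBOLETH:
             // build option string for SHIB::Auth
             // md5() only derives the session name from the realm here.
             $auth_params = array();
             $auth_params['sessionName'] = "_authhttp" . md5($realm);
             $ilAuth = new ShibAuth($auth_params, true);
             break;
         case AUTH_CAS:
             include_once './Services/CAS/classes/class.ilAuthContainerCAS.php';
             $ilAuth = ilAuthFactory::factory(new ilAuthContainerCAS());
             break;
         case AUTH_SOAP:
             include_once './Services/SOAPAuth/classes/class.ilAuthContainerSOAP.php';
             $ilAuth = ilAuthFactory::factory(new ilAuthContainerSOAP());
             break;
         case AUTH_MULTIPLE:
             include_once './Services/Authentication/classes/class.ilAuthContainerMultiple.php';
             $ilAuth = ilAuthFactory::factory(new ilAuthContainerMultiple());
             break;
         case AUTH_ECS:
             include_once './Services/WebServices/ECS/classes/class.ilAuthContainerECS.php';
             $ilAuth = ilAuthFactory::factory(new ilAuthContainerECS());
             break;
         case AUTH_OPENID:
             include_once './Services/OpenId/classes/class.ilAuthContainerOpenId.php';
             $ilAuth = ilAuthFactory::factory(new ilAuthContainerOpenId());
             break;
         case AUTH_INACTIVE:
             require_once './Services/Authentication/classes/class.ilAuthInactive.php';
             $ilAuth = new ilAuthInactive(AUTH_MODE_INACTIVE);
             break;
         case AUTH_APACHE:
             include_once './Services/AuthApache/classes/class.ilAuthContainerApache.php';
             ilAuthFactory::setContext(ilAuthFactory::CONTEXT_APACHE);
             $ilAuth = ilAuthFactory::factory(new ilAuthContainerApache());
             break;
         // begin-patch auth_plugin
         case AUTH_LOCAL:
             global $ilLog;
             include_once './Services/Database/classes/class.ilAuthContainerMDB2.php';
             $ilAuth = ilAuthFactory::factory(new ilAuthContainerMDB2());
             break;
         default:
             // check for plugin
             if ($authmode) {
                 foreach (self::getAuthPlugins() as $pl) {
                     $container = $pl->getContainer($authmode);
                     if ($container instanceof Auth_Container) {
                         $GLOBALS['ilLog']->write(__METHOD__ . ' Using plugin authentication with auth_mode ' . $authmode);
                         $ilAuth = ilAuthFactory::factory($container);
                         // leave both the foreach and the switch
                         break 2;
                     }
                 }
             }
             // default for logged in users
             include_once './Services/Database/classes/class.ilAuthContainerMDB2.php';
             $ilAuth = ilAuthFactory::factory(new ilAuthContainerMDB2());
             break;
         // end-patch auth_plugin
     }

     // Due to a bug in Pear Auth_HTTP, we can't use idle time
     // with WebDAV clients. If we used it, users could never log
     // back into ILIAS once their session idled out. :(
     if (!defined("WebDAV_Authentication") || WebDAV_Authentication != 'HTTP') {
         $ilAuth->setIdle(ilSession::getIdleValue(), false);
     }
     $ilAuth->setExpire(0);
     // Lifetime 0 makes the session cookie a browser-session cookie.
     ini_set("session.cookie_lifetime", "0");

     $GLOBALS['ilAuth'] =& $ilAuth;
     ilSessionControl::checkExpiredSession();
     $ilBench->stop('Auth', 'initAuth');
 }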