There should not be any necessity to write the session once changes are
being made to it. We now track whether changes were made and write
the session when responding to the user's request if so.
The if condition for revoking authentication if the username changed relied on having the `$_SERVER' variable set which was used for authentication.
Authentication is now revoked if the username changed or external authentication is no longer in effect.
refs #6462
This reverts commit 64954e9924.
If the strip_username_regex is configured on the autologin backend and applies on a user's name,
the authenticated user's username does never match the REMOTE_USER server variable.
Thus the application will logout/login on every request which results in a redirect loop.
refs #6462
Remove methods from manager because autologin
is now handled with special backends (AutoLoginBackend).
The session is used to store the status about a remote
user authentication to send a 401 header to the client
upon logout.
refs #6461
Instead of fetchDN, authentication now uses hasUser to check if the user
exists before querying the password, to prevent the exception from messing
up the whole authentication process
It's not safe to rely on PHP_AUTH_USER and PHP_AUTH_TYPE because
PHP cgi handlers (fgcid for example) only set the REMOTE_USER environment variable
and the authentication type for negogiation methods (Kerberos for example) is neither
Basic nor Digest.
We may have to add REDIRECT_REMOTE_USER for authentication for proxy setups.
Check if authentication is possible during authentication, to generate more
useful error and log messages, in case the backend configuration is wrong
ref #6457
Class names in namespaces should not be chosen as once we didn't have
such. The fact that we already did "use Db\Connection as DbConnection"
is the best hint that naming was wrong.
So this patch renames Db\Connection to Db\DbConnection and does the
same with DbQuery. DbQuery has been adjusted to fit our new SimpleQuery
and to handle the new Filter implementation.
Drop external auth configuration from config.ini and move
implementation into a single backend provider named
'autologin'. This provider can strip realm names from
username with a custom regexp.
fixes#6081
Add authentication backend type msldap with default values for user_class
and user_name_attribute. Backend type ldap now logs an error when user_class
and user_name_attribute ist not configured. Rename membership.ini to
memberships.ini since all our INI configuration files are in the plurar
where it makes sense. The AuthenticationController now handles
authentication
refs #5685
refs #5638fixes#5218
Provide a new settings authenticationMode and delegate the
authentication handling to the webserver when the external authentication mode
is set. Add a new view 'logout' that will be shown after logout from external
authentication as the regular redirect to login is not possible.
refs #5405
Johannes Meyer
Eric Lippmann
Alexander Klimov
Marius Hein
Matthias Jentsch
Thomas Gelf