Hack to use Apache authentication

1.8 related questions and discussions.
Please upgrade to LATEST 1.9.x.
No more fixes for 1.8.

Moderators: Amaradana, TurboPT, TL Developers

Hack to use Apache authentication

Postby LeeRenewData » Thu Aug 19, 2010 10:11 pm

There may be an easier way to do this but my company has our wiki and other web apps (including TestLink) on an Apache server that has its own authentication (I think its basic authentication but changing soon to LDAP). So we don't want to have another login to TestLink or have to manage another password if we don't have to. We do still need to use the TestLink user management to assign roles for authorization. I originally did this hack on TL 1.7.4 but now did it on 1.8.5. It would be nice if this were a built in option. I'll submit an enhancement request for it.

With these changes in place our TestLink opens up already logged in as the user login that matches the one I already authenticated with our Apache server as.

In /lib/functions/user.class.php I made this change to just always return OK so it doesn't matter what passwords in are in the TestLink DB;

public function comparePassword($pwd)
// Lee - hack to ignore local passwords and just use Apache authentication
return tl::OK;

And then changed index.php to "require_once('doAuthorize.php');" , "$login = $_SERVER['PHP_AUTH_USER'];", "doDBConnect($db);", and "doAuthorize($db,$login,$pwd,$msg);"
The key is setting "$login = $_SERVER['PHP_AUTH_USER']"

WARNING: I make no guarantees that this is a "secure" change to make. I also renamed the logout.php file so that a user couldn't logout and then log back in with another user's login (and any password). It might be better (maybe easier) to change login.php to use the apache session username to do this?

{{ The whole index.php file }}
* TestLink Open Source Project - http://testlink.sourceforge.net/
* This script is distributed under the GNU General Public License 2 or later.
* Filename $RCSfile: index.php,v $
* @version $Revision: 1.19 $
* @modified $Date: 2008/10/12 08:11:56 $ by $Author: schlundus $
* @author Martin Havlat
* This file is main window. Include authorization of user and define frames (navBar and main).

$reqURI = isset($_GET['reqURI']) ? $_GET['reqURI'] : 'lib/general/mainPage.php';

// Lee 2008-07-21 Use Apache BASIC Authentication instead of prompting user for username and password
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'Use same username and pwd as Wiki';
} else {
//echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
//echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";

$_POST = strings_stripSlashes($_POST);

// Lee 2008-07-21 Use Apache BASIC Authentication instead of prompting user for username and password
// $_SESSION['user'] = $_SERVER['PHP_AUTH_USER'];
$login = $_SERVER['PHP_AUTH_USER'];
$pwd = ''; // We don't use this

$op = doDBConnect($db);

if ($op['status'])

//verify the session during a work
if (!isset($_SESSION['currentUser']))
redirect(TL_BASE_HREF ."login.php?note=expired");
$smarty = new TLSmarty();
$smarty->assign('title', lang_get('main_page_title'));
$smarty->assign('titleframe', 'lib/general/navBar.php');
$smarty->assign('mainframe', $reqURI);
Advanced user
Posts: 15
Joined: Fri Feb 09, 2007 11:34 pm
Location: Austin, TX

Re: Hack to use Apache authentication

Postby Anakin » Mon Aug 23, 2010 4:57 am

Hi Lee,
I am in the same situation as you, but instead of Apache my company is using Oracle and wishes to authenticate through an Oracle database. We didn't want to have another log in at Testlink or manage another set of credentials.

Can i implement your changes to suit my oracle databse? Are there any areas i need to take note of to make it work? Sorry, but i'm new to php and testlink. i did a couple of googling and searching and yours was the closest to what i'm doing.
Just a note, we're using the same oracle Data Base for JIRA as well.

Thanks in advance!
TestLink user
Posts: 9
Joined: Wed Aug 11, 2010 3:12 am

Re: Hack to use Apache authentication

Postby narsu » Wed Sep 01, 2010 6:47 am

Thanks Lee for important hack!

This should be get as feature for testlink (I have solving one installation, and this could be a good solution)


Advanced user
Posts: 43
Joined: Sat Feb 17, 2007 2:07 pm

Re: Hack to use Apache authentication

Postby elygre » Sun Jul 17, 2011 11:24 pm

We have taken the above hack, and created a hopefully more durable solution, which I have also suggested for inclusion into testlink proper. The issue is at http://mantis.testlink.org/view.php?id=4443.

(The most important change is that the authentication is managed by a configuration variable, so that the rest of the code behaves as normal *unless* you set "$tlCfg->authentication['method'] = 'PHP_AUTH_USER';" in custom_config.php. This does of course depend on the code being included into testlink proper, which hasn't happened yet)
TestLink user
Posts: 2
Joined: Sun Jul 17, 2011 11:15 pm

Return to TestLink 1.8 (OBSOLETE => EOL)[LOCKED]

Who is online

Users browsing this forum: No registered users and 3 guests