
Hack to use Apache authentication

Posted: Thu Aug 19, 2010 10:11 pm
by LeeRenewData
There may be an easier way to do this, but my company has our wiki and other web apps (including TestLink) on an Apache server that has its own authentication (I think it's basic authentication but changing soon to LDAP). So we don't want to have another login to TestLink or have to manage another password if we don't have to. We do still need to use the TestLink user management to assign roles for authorization. I originally did this hack on TL 1.7.4 but now did it on 1.8.5. It would be nice if this were a built-in option. I'll submit an enhancement request for it.

With these changes in place our TestLink opens up already logged in as the user login that matches the one I already authenticated with our Apache server as.

In /lib/functions/user.class.php I made this change to just always return OK so it doesn't matter what passwords are in the TestLink DB:

public function comparePassword($pwd)
{
    // Lee - hack to ignore local passwords and just use Apache authentication
    return tl::OK;
}

And then changed index.php to "require_once('doAuthorize.php');", "$login = $_SERVER['PHP_AUTH_USER'];", "doDBConnect($db);", and "doAuthorize($db,$login,$pwd,$msg);"
The key is setting "$login = $_SERVER['PHP_AUTH_USER']".

WARNING: I make no guarantees that this is a "secure" change to make. I also renamed the logout.php file so that a user couldn't log out and then log back in with another user's login (and any password). It might be better (maybe easier) to change login.php to use the Apache session username to do this?

{{ The whole index.php file }}
<?php
/**
 * TestLink Open Source Project -
 * This script is distributed under the GNU General Public License 2 or later.
 *
 * Filename $RCSfile: index.php,v $
 *
 * @version $Revision: 1.19 $
 * @modified $Date: 2008/10/12 08:11:56 $ by $Author: schlundus $
 * @author Martin Havlat
 *
 * This file is main window. Include authorization of user and define frames (navBar and main).
 */
require_once('doAuthorize.php'); // provides doAuthorize(), as listed in the description above

$reqURI = isset($_GET['reqURI']) ? $_GET['reqURI'] : 'lib/general/mainPage.php';

// Lee 2008-07-21 Use Apache BASIC Authentication instead of prompting user for username and password
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    // No credentials in the request yet: ask the browser for them
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Use same username and pwd as Wiki';
} else {
    //echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    //echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";

    $_POST = strings_stripSlashes($_POST);

    // Lee 2008-07-21 Use Apache BASIC Authentication instead of prompting user for username and password
    // $_SESSION['user'] = $_SERVER['PHP_AUTH_USER'];
    $login = $_SERVER['PHP_AUTH_USER'];
    $pwd = ''; // We don't use this

    $op = doDBConnect($db);

    if ($op['status']) {
        // Call listed in the description above; with the comparePassword() hack
        // the password argument is ignored and only the user name matters
        doAuthorize($db, $login, $pwd, $msg);
    }

    //verify the session during a work
    if (!isset($_SESSION['currentUser'])) {
        redirect(TL_BASE_HREF . "login.php?note=expired");
    }
    $smarty = new TLSmarty();
    $smarty->assign('title', lang_get('main_page_title'));
    $smarty->assign('titleframe', 'lib/general/navBar.php');
    $smarty->assign('mainframe', $reqURI);
}

Re: Hack to use Apache authentication

Posted: Mon Aug 23, 2010 4:57 am
by Anakin
Hi Lee,
I am in the same situation as you, but instead of Apache my company is using Oracle and wishes to authenticate through an Oracle database. We didn't want to have another log in at Testlink or manage another set of credentials.

Can I implement your changes to suit my Oracle database? Are there any areas I need to take note of to make it work? Sorry, but I'm new to PHP and TestLink. I did some googling and searching and yours was the closest to what I'm doing.
Just a note, we're using the same Oracle database for JIRA as well.

Thanks in advance!

Re: Hack to use Apache authentication

Posted: Wed Sep 01, 2010 6:47 am
by narsu
Thanks, Lee, for this important hack!

This should become a feature of TestLink (I am working on one installation, and this could be a good solution).



Re: Hack to use Apache authentication

Posted: Sun Jul 17, 2011 11:24 pm
by elygre
We have taken the above hack, and created a hopefully more durable solution, which I have also suggested for inclusion into testlink proper. The issue is at

(The most important change is that the authentication is managed by a configuration variable, so that the rest of the code behaves as normal *unless* you set "$tlCfg->authentication['method'] = 'PHP_AUTH_USER';" in custom_config.php. This does of course depend on the code being included into testlink proper, which hasn't happened yet)
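
As an added example (not code from this thread or from TestLink): a sketch of the gate that the configuration switch in the last post and the WARNING in the first post both point at, deciding when a server-supplied login name may be handed to doAuthorize(). The function name, the login-name pattern and the sample arrays are assumptions; REMOTE_USER and AUTH_TYPE are the variables Apache sets after its own authentication succeeds.

```php
<?php
// Added example, not TestLink code. Needs PHP 7.1+. resolveWebServerUser(),
// the login-name pattern and the sample arrays are assumptions.
function resolveWebServerUser(array $server, array $authCfg): ?string
{
    // Opt-in only: with any other method the local password check applies.
    if (($authCfg['method'] ?? '') !== 'PHP_AUTH_USER') {
        return null;
    }
    // Apache sets REMOTE_USER and AUTH_TYPE once one of its auth modules has
    // accepted the credentials. Under mod_php, PHP_AUTH_USER is filled from
    // the Authorization header even if no Apache rule checked it.
    $user = $server['REMOTE_USER'] ?? '';
    if ($user === '' || ($server['AUTH_TYPE'] ?? '') === '') {
        return null;
    }
    // If PHP also decoded a user name, it has to be the same one.
    if (isset($server['PHP_AUTH_USER']) && $server['PHP_AUTH_USER'] !== $user) {
        return null;
    }
    // Conservative login-name format (assumption; adjust to local naming).
    if (!preg_match('/\A[A-Za-z0-9._@-]{1,64}\z/', $user)) {
        return null;
    }
    return $user;
}

// Constructed request environments, not captured from a real server.
$cfg = ['method' => 'PHP_AUTH_USER'];
$cases = [
    'apache enforced auth'   => ['REMOTE_USER' => 'lee', 'AUTH_TYPE' => 'Basic',
                                 'PHP_AUTH_USER' => 'lee'],
    'header only, unchecked' => ['PHP_AUTH_USER' => 'admin'],
    'odd characters'         => ['REMOTE_USER' => "lee\r\nX: y", 'AUTH_TYPE' => 'Basic'],
];
foreach ($cases as $label => $server) {
    $login = resolveWebServerUser($server, $cfg);
    // null means: show the normal login form, never log the user in silently.
    printf("%-24s => %s\n", $label,
        $login === null ? 'fall back to login form' : "pre-authenticated as $login");
}
// With the switch unset, even the fully authenticated request falls back.
var_dump(resolveWebServerUser($cases['apache enforced auth'], []));
```

In index.php the returned name would take the place of the direct read of $_SERVER['PHP_AUTH_USER'], and a null result would leave login.php and comparePassword() working as shipped.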