Forum OpenACS Q&A: How to force login for the Site?

Collapse
1: How to force login for the Site?
Posted by Nima Mazloumi on 01/24/04 01:09 PM
Hi everybody,

I have installed OpenACS/dotLRN and the PHP module for the AOLServer. While all the OpenACS links force login all of the PHP files are visible, even under SSL.

Is the a way to force the user to login first? Is there a AOLServer or OpenACS parameter?

I want to force login right from root
https://my.server.de:433/

Greetings,
Nima

Collapse
2: Re: How to force login for the Site? (response to 1)
Posted by Nima Mazloumi on 01/25/04 04:34 AM
It would be great to force every user to go through OpenACS's login before deeper links are served (for instance PHP files under the www path of OpenACS).

Greetings,
Nima

Collapse
3: Re: How to force login for the Site? (response to 1)
Posted by Andrew Piskorski on 01/25/04 05:37 PM
Nima, what "PHP files" are you referring to exactly? Now that you've installed AOLserver's PHP support, what PHP application are you trying to use with it?

Sounds like what you want is a single integrated log-in across your OpenACS and PHP applications, but I don't think anyone's going to be able to help very much unless you tell us what those PHP applications are, how they (or if) they are currently attempting to do their own stand-alone login/authentication, etc.

On the other hand, if PHP application isn't trying to do much of anything with login or authentication on its own, then probably all you really want is to force an OpenACS login whenever the client requests certain classes of URLs. You should be able to do that with an AOLserver registered filter on all those URLs calling ad_maybe_redirect_for_registration or some similar OpenACS login proc. There might be a better way, perhaps by fiddling with the request processor, but the registered filter route should work.

Collapse
4: Re: How to force login for the Site? (response to 1)
Posted by Chris Davies on 01/25/04 08:33 PM
I had a similar issue where I wanted to make the entire site protected -- but ended up having to make everything I wanted to be protected behind a subsite.  When you limit a site to members only, it spins in an infinite redirect since you cannot serve the content required to have someone log in (I think).

So, I don't believe without some code mangling you'll be able to have a site that is members only.

Collapse
5: Re: How to force login for the Site? (response to 1)
Posted by Randy O'Meara on 01/26/04 07:36 AM
I believe that the new (with 5.0) way to require authenticated access is auth::require_login.

Am I correct in assuming that this proc obsoletes ad_maybe_redirect_for_registration?

Collapse
6: Re: How to force login for the Site? (response to 1)
Posted by Nima Mazloumi on 01/26/04 11:11 AM
I want to protect simple php files. We have many departments here at the university where the professor has created interactive learning modules with php. They want to restrict access to the learning module over dotlrn so that only university members can see the pages.
Collapse
7: Re: How to force login for the Site? (response to 6)
Posted by Malte Sussdorff on 01/26/04 01:35 PM
I think one way to do it is to make the TCL API visible in PHP e.g. by having a command "nsd_tcl(tcl-command, return-variable)" work there. To do this, you'd have to write something up in C I assume and put it to use in your aolserver installation.

Once this is done (ask Bjoern Kiesbye or at the AOLserver list if this really is feasible and if someone has done it / would be willing to do it), you can add a check to the PHP packes, calling acs's permission::require_permission.

If you want to go down that road, let's talk further, as I think having the capabilities for calling ACS functions from PHP (and vice versa), will help a lot in the rollout of bundled solutions (as some PHP software is considerably better than OpenACS in certain, specific areas). Last but not least it makes it easier to market.

Collapse
8: Re: How to force login for the Site? (response to 6)
Posted by Patrick Giagnocavo on 01/26/04 04:50 PM
Nima, Malte,

I think the "best" way is as Malte suggests.  Make PHP a first-class language inside OpenACS as much as possible.

However, the "quick" way is to write a small bit of PHP code that talks to the database and essentially mimics what OpenACS does.

Since the SQL queries are the same, you need only figure out how to code the test for being logged in or not in PHP.  You should be able to use the cookies information sent in the header.

Then, put all this functionality in a single .php file.  Tell your internal users that all they need to do is to include this file in the beginning of their PHP scripts for each script that needs to be protected.

I seem to recall that there is a way in PHP to automatically run a PHP script before running the asked-for script, but I cannot seem to locate the URL.

Collapse
9: Re: How to force login for the Site? (response to 1)
Posted by Andrew Piskorski on 01/27/04 03:32 AM
Malte, Patrick, yes it would be cool to have PHP be able to actually call the OpenACS registration and security code, even more so to have efficient bi-directional foreign function calls between the two languages.

But that isn't what Nima is asking for. From what he's said so far, sounds like all he needs is to restrict access to a bunch PHP pages to users who pass certain OpenACS-based authentication checks (must be logged in, must be a member of the university, etc.) As long as he can predict the URLs of those PHP pages and code them into a registered filter, he's set. He doesn't actually need any communication at all between PHP and Tcl, he just needs AOLserver to refuse to serve the PHP pages unless you're logged into OpenACS, and to redirect to the OpenACS login page if you're not. Should be easy.

Collapse
10: Re: How to force login for the Site? (response to 1)
Posted by Nima Mazloumi on 01/27/04 10:41 AM
Andrew: Do you have some code snippets how I can create such a filter?
Collapse
11: Re: How to force login for the Site? (response to 10)
Posted by Andrew Piskorski on 01/28/04 07:39 PM
No, but try looking in OpenACS for ns_register_filter examples: 

$ cd packages
$ find . -name "*.tcl" -print | xargs grep ns_register_filter
./acs-tcl/tcl/request-processor-init.tcl:  ns_register_filter preauth $method /resources/* rp_resources_filter
./acs-tcl/tcl/request-processor-init.tcl:  ns_register_filter preauth $method * rp_filter
./acs-tcl/tcl/request-processor-init.tcl:	ns_register_filter $kind $method $path rp_invoke_filter \
./acs-bootstrap-installer/bootstrap.tcl:    ns_register_filter preauth GET * bootstrap_write_error
./acs-bootstrap-installer/bootstrap.tcl:    ns_register_filter preauth POST * bootstrap_write_error
./acs-bootstrap-installer/bootstrap.tcl:    ns_register_filter preauth HEAD * bootstrap_write_error

What you'll want is something like: 

ns_register_filter preauth * {/my-php-pages/*.php} my_security_filter_proc

Your my_security_filter_proc will need to handle the security check, then redirect to the login page while passing the appropriate info so that after logging in, the login page will redirect the user back to where he wanted to go.