[geeklog-cvs] Geeklog-1.x/system lib-webservices.php,1.35,1.36
Dirk Haun
dhaun at qs1489.pair.com
Thu May 1 13:01:46 EDT 2008
Update of /cvsroot/geeklog/Geeklog-1.x/system
In directory qs1489.pair.com:/tmp/cvs-serv1723/system
Modified Files:
lib-webservices.php
Log Message:
It doesn't work, but I didn't want to lose the code: This is how WSSE authentication _would_ work if we had access to the user's _unencrypted_ password ...
Index: lib-webservices.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/system/lib-webservices.php,v
retrieving revision 1.35
retrieving revision 1.36
diff -C2 -d -r1.35 -r1.36
*** lib-webservices.php 31 Mar 2008 20:03:23 -0000 1.35
--- lib-webservices.php 1 May 2008 17:01:43 -0000 1.36
***************
*** 718,722 ****
function WS_authenticate()
{
! global $_CONF, $_USER, $_GROUPS, $_RIGHTS, $WS_VERBOSE;
$uid = '';
--- 718,722 ----
function WS_authenticate()
{
! global $_CONF, $_TABLES, $_USER, $_GROUPS, $_RIGHTS, $WS_VERBOSE;
$uid = '';
***************
*** 733,736 ****
--- 733,797 ----
COM_errorLog("WS: Attempting to log in user '$username'");
}
+
+ /** this does not work! *******************************************************
+
+ } elseif (!empty($_SERVER['HTTP_X_WSSE']) &&
+ (strpos($_SERVER['HTTP_X_WSSE'], 'UsernameToken') !== false)) {
+
+ // this is loosely based on a code snippet taken from Elgg (elgg.org)
+
+ $wsse = str_replace('UsernameToken', '', $_SERVER['HTTP_X_WSSE']);
+ $wsse = explode(',', $wsse);
+
+ $username = '';
+ $pwdigest = '';
+ $created = '';
+ $nonce = '';
+
+ foreach ($wsse as $element) {
+ $element = explode('=', $element);
+ $key = array_shift($element);
+ if (count($element) == 1) {
+ $val = $element[0];
+ } else {
+ $val = implode('=', $element);
+ }
+ $key = trim($key);
+ $val = trim($val, "\x22\x27");
+ if ($key == 'Username') {
+ $username = $val;
+ } elseif ($key == 'PasswordDigest') {
+ $pwdigest = $val;
+ } elseif ($key == 'Created') {
+ $created = $val;
+ } elseif ($key == 'Nonce') {
+ $nonce = $val;
+ }
+ }
+
+ if (!empty($username) && !empty($pwdigest) && !empty($created) &&
+ !empty($nonce)) {
+
+ $uname = addslashes($username);
+ $pwd = DB_getItem($_TABLES['users'], 'passwd',
+ "username = '$uname'");
+ // ... and here we would need the _unencrypted_ password
+
+ if (!empty($pwd)) {
+ $mydigest = pack('H*', sha1($nonce . $created . $pwd));
+ $mydigest = base64_encode($mydigest);
+
+ if ($pwdigest == $mydigest) {
+ $password = $pwd;
+ }
+ }
+ }
+
+ if ($WS_VERBOSE) {
+ COM_errorLog("WS: Attempting to log in user '$username' (via WSSE)");
+ }
+
+ ******************************************************************************/
+
} elseif (!empty($_SERVER['REMOTE_USER'])) {
/* PHP installed as CGI may not have access to authorization headers of
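Review bot: The commented-out WSSE branch compares the digests with `$pwdigest == $mydigest`, a loose and non-constant-time comparison; if this code is ever re-enabled it should become `if (hash_equals($mydigest, $pwdigest)) {` (or at least `===`), and the verifier also needs the freshness checks a UsernameToken requires — `$created` is never bounded against the current time and `$nonce` is never recorded, so a captured header could be replayed unchanged. The `$uname = addslashes($username)` escaping before the `DB_getItem` lookup is not database-aware and should go through the library's own escaping helper when this is revived. Since the whole block sits inside a `/** ... */` comment none of this affects the current build, but a one-line reminder at the top of the block, such as `// if re-enabled: constant-time digest compare, bound Created, reject reused Nonce, DB-escape username`, would keep the caveat next to the code it applies to; note also that the `$_TABLES` global added in the earlier hunk is referenced only from this commented block. WS_authenticate begins and ends outside this hunk.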