We are still using this plugin, it basically works for the WP 5.9 we are using. However, having just updated to PHP 8, it started failing due to the class constructor syntax changing. All I’ve done to get it working again is change
function HTTPAuthenticationPlugin() {
to
function __construct() {
in http-authentication/http-authentication.php, in case that helps anyone else out.
Hello,
there is a problem with the way the plugin handles the filter hook via:
add_filter('authenticate', array($this, 'authenticate'), 10, 3);
Let's suppose that other auth plugins use similar hooks to authenticate by different means. I personally observed this problem with LDAP Auth.
Suppose that you have hooks like this (and please do not ask me why all plugin authors choose 10 as filter priority, I do not know):
add_filter('authenticate', array($this, 'ldap_auth'), 10, 3);
add_filter('authenticate', array($this, 'authenticate'), 10, 3);
add_filter('authenticate', 'wp_authenticate_username_password', 20, 3);
add_filter('authenticate', 'wp_authenticate_spam_check', 99);
Based on the docs:
https://codex.www.ads-software.com/Plugin_API/Filter_Reference/authenticate
there are 3 parameters of the hooked function ($user, $username, $password)
$user (null or WP_User or WP_Error) (required) null indicates no process has authenticated the user yet. A WP_Error object indicates another process has failed the authentication. A WP_User object indicates another process has authenticated the user.
Let's see how HTTP Auth uses these variables:
function authenticate($user, $username, $password) {
    $user = $this->check_remote_user();
HA! There is a problem on the first line! Suppose that the LDAP Auth plugin hooked before HTTP Auth and successfully authenticated the user. But HTTP Auth, without checking the value of $user, overwrites it with the value returned from checking the HTTP user env variable. If it is not set, the whole authentication will fail, even if the user was successfully authenticated by the previous plugin!
What should be done instead in each (!) auth plugin is to check whether the previous authenticate filter did not set the $user variable to a WP_User object, for example:
function authenticate($user, $username, $password) {
    if (! empty($user) && ! is_wp_error($user)) {
        return $user;
    }
    $user = $this->check_remote_user();
Otherwise each subsequent plugin will simply overwrite $user with its results.
Could you please include the proposed check in the code? I am too lazy to do backporting. :-)))
Kind regards
Litin
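The filter-chain behaviour described in the post above, modelled as an added stand-alone example (not part of the original thread and not the plugin's or WordPress's code). DemoUser, DemoError, run_chain() and the test credential are constructed stand-ins; it assumes PHP 8, where usort() is stable, so callbacks with equal priority run in registration order.

```php
<?php
// Added example: stand-alone model of chained 'authenticate' filters.
// DemoUser, DemoError and run_chain() are stand-ins, not WordPress APIs.
class DemoUser  { public function __construct(public string $login) {} }
class DemoError { public function __construct(public string $message) {} }

// Run callbacks in priority order, feeding each result into the next one.
function run_chain(array $filters, string $username, string $password) {
    usort($filters, fn($a, $b) => $a[0] <=> $b[0]); // stable sort in PHP 8
    $user = null; // null: no process has authenticated the user yet
    foreach ($filters as [$priority, $callback]) {
        $user = $callback($user, $username, $password);
    }
    return $user;
}

// Constructed LDAP-style filter: accepts one hard-coded test credential.
$ldap_auth = function ($user, $username, $password) {
    if ($user instanceof DemoUser) {
        return $user;
    }
    return ($username === 'alice' && $password === 'constructed-secret')
        ? new DemoUser($username)
        : $user;
};

// Behaviour described in the post: $user is overwritten unconditionally.
$http_auth_unguarded = function ($user, $username, $password) {
    $remote = $_SERVER['REMOTE_USER'] ?? '';
    return $remote !== ''
        ? new DemoUser($remote)
        : new DemoError('No user found in server variables.');
};

// Proposed behaviour: keep a user that an earlier filter already authenticated.
$http_auth_guarded = function ($user, $username, $password) use ($http_auth_unguarded) {
    if (!empty($user) && !($user instanceof DemoError)) {
        return $user;
    }
    return $http_auth_unguarded($user, $username, $password);
};

unset($_SERVER['REMOTE_USER']); // simulate a request with no HTTP-level login

$creds  = ['alice', 'constructed-secret'];
$before = run_chain([[10, $ldap_auth], [10, $http_auth_unguarded]], ...$creds);
$after  = run_chain([[10, $ldap_auth], [10, $http_auth_guarded]], ...$creds);

echo 'unguarded chain result: ', get_class($before), "\n";
echo 'guarded chain result:   ', get_class($after), "\n";
```

The guard passes through only an existing user object; an error object from an earlier filter still falls through to the REMOTE_USER check.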
I set up a login_redirect filter to redirect users that log in to the posts page rather than their profile page. It works when logging in via wp-login, but when the HTTP Authentication plugin is enabled and they log in via a header variable the user doesn’t get redirected. I don’t think the WordPress login_redirect filter fires during the HTTP Authentication plugin process.
May need to call apply_filters on login_redirect somewhere in your plugin. See below.
/**
* Filter the login redirect URL.
*
* @since 3.0.0
*
* @param string $redirect_to The redirect destination URL.
* @param string $requested_redirect_to The requested redirect destination URL passed as a parameter.
* @param WP_User|WP_Error $user WP_User object if login was successful, WP_Error object otherwise.
*/
$redirect_to = apply_filters( 'login_redirect', $redirect_to, $requested_redirect_to, $user );
Hi,
Great plugin however I’m having an issue on a multisite environment. Basically, when a new user logs into site1, they are added as a subscriber. However, when that same user logs into site2, they are not added as a subscriber and are told they do not have permission. I can’t seem to figure out why. Can anyone provide any insight?
Thanks,
Al
Hi,
Thanks for a great plugin, we’ve had great use out of it.
Just upgraded a site using HTTP authentication (v4.5) to WordPress 3.9. Now we cannot add new users via “Dashboard > Users > Add New”
The error “ERROR: Please enter your password.” is displayed at the top of the add new user screen.
Disabling the HTTP authentication plugin, creating the user with a WordPress password, then re-enabling the plugin is a workaround.
TIA
Sok
I do realize that the plugin page says this is compatible up to WP 3.4.2, but I’ve been using this plugin to authenticate users using Shibboleth on WP up to version 3.6.1. However, when I updated to 3.7.1 it stopped working. It appears that now when you click the “Log In with HTTP authentication” button it tries to redirect to a non-SSL page instead of to the encrypted page like it did before the upgrade. I get this kind of log message in the Apache log for my SSL-encrypted host before the upgrade:
192.168.0.1 - - [28/Oct/2013:10:28:22 -0400] "GET /Shibboleth.sso/Login?target=https%3A%2F%2Fname.of.my.server%2Ftestsite%2Fwp-login.php%3Fredirect_to%3Dhttps%253A%252F%252Fname.of.my.server%252Ftestsite%252Fwp-admin%252F HTTP/1.1" 302 809
Then, post upgrade to WP 3.7.1 this same message now shows up in the logs for the unencrypted site, but with a 404 error since Shibboleth isn’t configured for an unencrypted connection:
192.168.0.1 - - [08/Nov/2013:16:43:05 -0500] "GET /Shibboleth.sso/Login?target=https%3A%2F%2Fname.of.my.server%2Fwp-login.php%3Fredirect_to%3Dhttps%253A%252F%252Fname.of.my.server%252Ftestsite%252Fwp-admin%252F HTTP/1.1" 404 7934 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0"
Any idea what would cause this change in behavior?
Hi, I have just installed this plugin and put the 2 .htaccess files in the relevant directories and I am getting a popup window for the username and password but after entering it I am getting the following error message ??
Can anybody point me in the right direction??
Cheers
“Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
https://www.ads-software.com/extend/plugins/http-authentication/
I noticed that while the logout function in WordPress exists, and logs you out of WordPress, you’re not required to re-enter your username and password to get back into the admin area.
How hard would that be?
https://www.ads-software.com/extend/plugins/http-authentication/
I have this plugin working wonderfully using phpass to auth against the WordPress user table.
One thing I’ve lost is the ability to reset a forgotten password. I was thinking it would be cool to make the site 401 page make that available.
I’ve never studied how the WordPress 404 page works, could we do something similar with the 401 page?
Even if WP didn’t do it out of the box we could do it in htaccess if need be.
https://www.ads-software.com/extend/plugins/http-authentication/
For a multisite network, it would be wonderful if the settings for individual sites could be (optionally?) administered in the Network Admin section. The logout URLs would have to support parameters (like base site URL) for individual sites in the network, but it could be global. That, and/or possibly only allow configuration by Super Admin.
Thanks!
https://www.ads-software.com/extend/plugins/http-authentication/
Hi,
We are trying to migrate from a JSP-based site to WP, and would like to evaluate whether this plugin will help. We are new to WordPress; could somebody guide us on the sample header/payload that we receive on the HTTP server side, and what the expected successful and unsuccessful authentication responses should look like?
Thanks in advance.
https://www.ads-software.com/extend/plugins/http-authentication/
Hello,
I’m trying to support proper logout (or as good as it gets with HTTP authentication). I’ve found using the https://[email protected] syntax works just fine for me in the browser. The user is logged out as I would expect and a new login is required to continue. Unfortunately, using this as the logout URL in the plugin causes the ‘@’ to be stripped (https://logoutsomeurl.com).
I tried using proper URL encoding (%40%), but this didn’t seem to work either.
Any tips?
Thanks.
https://www.ads-software.com/extend/plugins/http-authentication/
I’m trying to get the http-authentication plugin to work with my university’s Shibboleth service. I installed the plugin, configured .htaccess (which is living in the root of the site), and have confirmed that the server is populating the “REMOTE_USER” environment variable.
Whenever I hit wp-login.php, after logging in via Shibboleth, I end up in a redirect loop.
https://<mySite>/wp-login.php?redirect_to=<mySite>%2Fwp-admin%2Fprofile.php
redirects to
https://<mySite>/wp-admin/profile.php
which redirects back
Completely stumped. Any ideas?
https://www.ads-software.com/extend/plugins/http-authentication/
When I attempt to logout after I get the “Do you really want to logout” screen and click Log Out, I get a “WordPress failure Notice” message in the page title but the page itself remains unchanged.
What’s going on? I can suppress the login/logout links, but that involves adding a plugin and configuring it for all the sites on our network.
I am tempted to hack the HTTP plugin to simply redirect back to the website instead of calling wp_logout(). But I’d rather understand what’s going on and fix it.
Thanks.
https://www.ads-software.com/extend/plugins/http-authentication/
Hi,
When I go to /wp-admin/ which redirects to /wp-login.php the http-authentication plugin fails with “ERROR: No user found in server variables.”
I’ve inserted a debugging loop which prints all the env variables seen at that stage, code below:
foreach ($_SERVER as $key_name => $key_value) {
    print $key_name . " = " . $key_value . "<br>";
}
This shows that the REMOTE_USER variable is missing (as is AUTH_TYPE).
However, if I put that same code snippet in a getenv.php file in the /wp-admin/ directory and go to it in my web browser, I can see that the REMOTE_USER (and AUTH_TYPE) are correctly set.
Any idea why, when going through wp-login.php the REMOTE_USER variable isn’t available to the http-authentication plugin?
Does something intercept / block it?
Parameters from getenv.php:
REMOTE_PORT = 22925
REMOTE_USER = prk
AUTH_TYPE = PUBCOOKii
GATEWAY_INTERFACE = CGI/1.1
Parameters from within http-authentication.php:
REMOTE_PORT = 14338
GATEWAY_INTERFACE = CGI/1.1
Any help gratefully appreciated.
prk.
https://www.ads-software.com/extend/plugins/http-authentication/
I have been using basic authentication via an Apache Kerberos module for some time. It authenticates users to an Active Directory DC. I have installed this plugin to integrate WordPress authentication.
REMOTE_USER variable is set to [email protected] and so no match occurs. I am not able to create usernames in that format since WordPress allows only lower case and no @ symbols.
To the best of my knowledge, although it has been a few years since I set it up, there is no way to change the REMOTE_USER value to strip the @domain part (which I am assuming is the problem).
How can I integrate these two systems?
Many thanks.
https://www.ads-software.com/extend/plugins/http-authentication/
The HTTP-Authentication plugin works extremely well with our setup but one thing has me stumped; how on earth do I login as “admin”? I would prefer to have all domain users be relatively low privilege and log in specifically as an admin user to do, well, administration. Also it would be nice to be able to manually log in as someone else who is in fact a member of the domain, e.g. if I am at another user’s computer and want to log into the WordPress site as myself without having to log out of the workstation. I have tried all sorts of gymnastics, even creating a new wp-login.php for manual overrides, but HTTP-Authentication is simply *too* robust – it will not fail :-). I suppose it is in every possible meaning of the word a compliment but in this particular situation it is driving me bonkers. Is this even possible?
https://www.ads-software.com/extend/plugins/http-authentication/
By the way, I am running IIS and authenticate via Windows Authentication challenge/response.
Been using this plugin since several versions ago and it’s under active support and keeps getting better. It’s currently in use on dozens of our blogs.
This is the only plugin that we deploy by default with all new WP instances at our school.
https://www.ads-software.com/extend/plugins/http-authentication/
Hi,
I need help with this plugin.
I installed the plugin, configured it, and when I go into WordPress it begins to make an infinite loop between wp-login.php and profile.php.
I am using Win2008 Server and WordPress 3.1.1 installed at the root.
I did it in a clean version of WordPress and the error is the same.
Example:
The first time, the plugin works OK and creates the user SERVERuser, no “\”, OK, but after logout and going back to wp-login.php, an infinite loop begins.
————————————————————
https://server/wp-admin/profile.php
https://server/wp-login.php?redirect_to=http%3A%2F%2Fserver%2Fwp-admin%2Fprofile.php
————————————————————
help me please.
Sorry for english, google translator
Bill
https://www.ads-software.com/extend/plugins/http-authentication/