Password Protecting Admin Functions in CakePHP

I just wanted to document this for easy future reference, but if you don't want to hook up a complex user administration with authorization components, you can simply specify that the admin path be password protected in either your .htaccess file or your httpd.conf. Many thanks to Dragos.

(This actually applies to password protecting any folder and not specific to CakePHP, I just happen to be using it for CakePHP.)

In your .htaccess file:

AuthUserFile /my/passwd/file
AuthName "Title"
AuthType Basic
Require valid-user

Or in your httpd.conf (or similar apache configuration file):

<Location "/admin">
  AuthType Basic
  AuthName "Title"
  AuthUserFile /my/passwd/file
  Require valid-user
</Location>

If you need to generate the password file, you can do so with the htpasswd utility that ships with Apache (here on Linux):

htpasswd -c /my/passwd/file bob

Alternatively, you can use an online generator and copy the contents into a new file (useful if you have to FTP the password file).
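Two helpers around the AuthUserFile password file, as an added example that is not from the original post: an audit that reports which hash scheme each entry uses, and an add-user wrapper that passes -c only when the file does not exist yet (the -c pitfall raised in the comments). It assumes htpasswd from apache2-utils / httpd-tools is installed for add_user only; the sample file and its hashes are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): helpers around the Apache
# password file named by AuthUserFile. Only add_user needs the htpasswd
# binary (apache2-utils / httpd-tools); the rest is plain POSIX sh.

# Classify one htpasswd hash by its scheme prefix. bcrypt ($2y$) is the
# scheme to prefer; apr1 (MD5), {SHA} and legacy crypt() are weak.
hash_scheme() {
  case "$1" in
    '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
    '$apr1$'*)               echo apr1-md5 ;;
    '{SHA}'*)                echo sha1 ;;
    *)                       echo crypt-or-plain ;;
  esac
}

# Print "user scheme" for every entry in a password file, skipping
# blank lines and comments, so weak entries can be found and re-hashed.
audit_htpasswd() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    echo "${line%%:*} $(hash_scheme "${line#*:}")"
  done < "$1"
}

# True when the file does not exist yet, i.e. the only case where
# htpasswd -c is appropriate; -c on an existing file truncates it.
needs_create() {
  [ ! -e "$1" ]
}

# Add or update a user with a bcrypt hash. The password is read from
# stdin (-i) so it never lands on the command line or in shell history.
add_user() {
  if needs_create "$1"; then
    htpasswd -B -c -i "$1" "$2"
  else
    htpasswd -B -i "$1" "$2"
  fi
}

# Demo on a constructed sample file; the hashes are placeholders, not real digests.
demo_file=$(mktemp)
printf '%s\n' 'alice:$2y$05$PLACEHOLDERBCRYPT' 'bob:$apr1$ab$PLACEHOLDER' \
  '# legacy entries below' 'carol:{SHA}PLACEHOLDER=' 'dave:PLACEHOLDR' > "$demo_file"
audit_htpasswd "$demo_file"
rm -f "$demo_file"
```

Run `audit_htpasswd /my/passwd/file` against a real file to spot entries that still use apr1, {SHA} or crypt(), then re-add those users with add_user to move them to bcrypt.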

Published January 29, 2008
Categorized as Servers
Short URL: https://snook.ca/s/871

Conversation

15 Comments
Adam said on January 29, 2008

I don't know if anyone has written this before but cake actually tells you when it's being accessed via an admin route, so I tend to check for this flag and then redirect users to my login page, something along the lines of:

<?php
class AppController extends Controller {
    function beforeFilter() {
        $this->checkSession();
    }

    function checkSession() {
        // CakePHP sets $this->params['admin'] when the request came in via an admin route
        if (!$this->Session->check('user') && isset($this->params['admin'])) {
            // Not logged in and hitting an admin URL: send to the login page, remembering where we came from
            $this->redirect('/users/login?from=' . urlencode($this->params['url']['url']));
            exit();
        } else {
            // Logged in (or not an admin route): expose the user record to the views
            $user = $this->Session->read('user');
            $this->set('user', $user);
        }
    }
}
?>

Matt Curry said on January 29, 2008

I think you forgot to wrap the Location bit around the code for the htaccess. Otherwise all the files will be protected, not just /admin.

Paul Decowski said on January 29, 2008

I think you forgot to wrap the Location bit around the code for the htaccess. Otherwise all the files will be protected, not just /admin.

Nope.

.htadmin apply to the directory they're in (and subdirectories to be specific).

Paul Decowski said on January 29, 2008

Sorry. I meant .htaccess of course.

Matt Curry said on January 29, 2008

.htadmin apply to the directory they're in (and subdirectories to be specific).

Right, but in this scenario the /admin path is not a real directory, so he would be putting the file in the webroot.

Paul Decowski said on January 30, 2008

Right, but in this scenario the /admin path is not a real directory, so he would be putting the file in the webroot.

.htaccess files don't allow Location or Directory sections, so Apache will throw an internal server error. I'm not sure if it's possible to have server.

I've never used CakePHP but if, as you're saying, /admin is not a physical path then you certainly cannot set up Apache authentication from .htaccess.

Eugene Sutula said on January 30, 2008

I wanted to set a password for admin fast, but I had an internal error because of this too. So I worked out another solution using:
function beforeFilter ()
in app_controller.php

Matt Curry said on January 30, 2008

.htaccess files don't allow Location or Directory sections, so Apache will throw an internal server error.

I was wondering about that. If you follow the link to the thread the guy who suggested the solution implies it's possible.

Anthony said on January 30, 2008

Just a small caveat to the use of:

htpasswd -c /my/passwd/file bob

Be careful with the -c flag, I use this feature so rarely that I often have to check an online resource (from my server co's site) for accuracy.

The -c flag creates a new password file, so if you're adding an additional user to the file omit the flag, or at least make sure you add all the users you want in the new file.

htpasswd -c /my/passwd/file user user1 user2

My own server does not warn me that the -c flag will obliterate the old version of the file.

Luke said on January 30, 2008

Hi, it works from the .conf file, but there is another option to do with the Auth class and Security in Cake 1.2 (Basic HTTP Authentication):

http://www.battez.org/blog/2007/10/31/cakephp-12-cake-security-component-http-auth-example/

It uses the beforeFilter as stated above, in your app_controller.

Luke said on February 01, 2008

Hmm. I have been trying to get this to work with a <VirtualHost> set site, by putting the <Location "/admin"> within the <VirtualHost> directive, but it gives me a 401.shtml page on going to any /admin/ pages and this is an HTTP Auth error.

I wonder if it is a permissions error with the way I made the htpasswd file? Does anyone know more about Apache, VirtualHosts and Location?

Paul Decowski said on February 01, 2008

(…) it gives me a 401.shtml page on going to any /admin/ (…)

Make sure the path to the htpasswd file is correct and that it has appropriate access rights.

Kyle Hayes said on February 02, 2008

FYI, you can use this similar action on IIS as well with the ISAPI_Rewrite module installed and dropping it into httpd.ini

Luke said on February 26, 2008

"Make sure the path to the htpasswd file is correct and that it has appropriate access rights."
Paul - thanks for your reply: what access rights would I set for the htpasswd file in a virtualhosts setup though? You mean allow Apache access right - so would the group having read access be correct? I am evidently not very experienced with permissions on unix :(

Stevie said on December 06, 2008

I found an easy way to enable a security check for the whole admin-route solely based on an .htaccess file.

You just have to create a folder named 'admin' (or whatever your admin-route is called) and put a file named .htaccess in there without any Location or Directory enclosure.

AuthType Basic
AuthName "secured area"
AuthUserFile /path/to/passwdfile
Require valid-user

Since CakePHP always checks for existing files before invoking the url-rewrite, the admin folder will be found and the .htaccess will be executed. After being authenticated, CakePHP finds out that the "file" is not present in the folder admin and invokes the url-rewriting as normal.

Did I miss something or does this work for everyone who just wants to enable a very simple security?
