Password Protecting Admin Functions in CakePHP
I just wanted to document this for easy future reference: if you don't want to hook up a complex user administration with authorization components, you can simply specify that the admin path be password protected in either your .htaccess file or in your httpd.conf. Many thanks to Dragos.
(This actually applies to password protecting any folder and not specific to CakePHP, I just happen to be using it for CakePHP.)
In your .htaccess file:
AuthUserFile /my/passwd/file
AuthName "Title"
AuthType Basic
Require valid-user
Or in your httpd.conf (or similar apache configuration file):
<Location "/admin">
    AuthType Basic
    AuthName "Title"
    AuthUserFile /my/passwd/file
    Require valid-user
</Location>
If you need to generate the password file, you can do so with the following Linux command:
htpasswd -c /my/passwd/file bob
Alternatively, you can use an online generator and copy the contents into a new file (useful if you have to FTP the password file).
I don't know if anyone has written this before but cake actually tells you when it's being accessed via an admin route, so i tend to check for this flag and then redirect users to my login page, something along the lines of:
I think you forgot to wrap the Location bit around the code for the htaccess. Otherwise all the files will be protected, not just /admin.
.htadmin apply to the directory they're in (and subdirectories to be specific).
Sorry. I meant .htaccess of course.
Right, but in this scenario the /admin path is not a real directory, so he would be putting the file in the webroot.
.htaccess files don't allow Location or Directory sections, so Apache will throw an internal server error. I'm not sure if it's possible to have server.
I've never used CakePHP but if, as you're saying, /admin is not a physical path then you certainly cannot set up Apache authentication from .htaccess.
I wanted to set a password for admin fast, but I had an internal error because of this too. So I worked out another solution using:
function beforeFilter ()
I was wondering about that. If you follow the link to the thread the guy who suggested the solution implies it's possible.
Just a small caveat to the use of:
htpasswd -c /my/passwd/file bob
Be careful with the -c flag, I use this feature so rarely that I often have to check an online resource (from my server co's site) for accuracy.
The -c flag creates a new password file, so if you're adding an additional user to the file omit the flag, or at least make sure you add all the users you want in the new file.
htpasswd -c /my/passwd/file user    # -c creates the file; only the first user goes here
htpasswd /my/passwd/file user1      # no -c: appends to the existing file
htpasswd /my/passwd/file user2
My own server does not warn me that the -c flag will obliterate the old version of the file.
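As an added example (not code from the post or its comments), this pure-Python rendering of the $apr1$ MD5-based format that htpasswd writes by default shows what is actually stored in the password file: add_user keeps every existing entry (the -c caveat above), and verify checks a login the way Apache's Basic auth does. The function names and the sample users are constructed for this example.

```python
import hashlib
import hmac
import secrets

# htpasswd's own 6-bit alphabet (not standard base64)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(v: int, n: int) -> str:
    # n output chars, least significant 6-bit group first, as in apr_md5
    return "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))

def apr1_md5(password: str, salt: str) -> str:
    """Compute the $apr1$ hash htpasswd writes by default (md5crypt with the APR magic)."""
    pw, s = password.encode(), salt[:8].encode()  # Apache uses at most 8 salt chars
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for n in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:  # md5crypt's bit-walk over the password length
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # 1000 stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return f"$apr1${s.decode()}${enc}{_to64(final[11], 2)}"

def add_user(entries: list[str], user: str, password: str) -> list[str]:
    """Add or replace one user but keep every other line (what `htpasswd -c` would discard)."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    kept = [e for e in entries if e.split(":", 1)[0] != user]
    return kept + [f"{user}:{apr1_md5(password, salt)}"]

def verify(entries: list[str], user: str, password: str) -> bool:
    """Check a login against a user:$apr1$... line the way Apache's Basic auth does."""
    for line in entries:
        name, _, stored = line.partition(":")
        if name == user and stored.startswith("$apr1$"):
            salt = stored.split("$")[2]  # re-use the stored salt
            return hmac.compare_digest(apr1_md5(password, salt), stored)
    return False
```

Writing the returned list back with one entry per line gives a file Apache accepts as AuthUserFile; anything other than $apr1$ (bcrypt, SHA) would need its own verify branch.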
Hi, it works from the .conf file, but there is another option using the Auth class and Security in Cake 1.2 (Basic HTTP Authentication).
It uses the beforeFilter as stated above, in your app_controller.
Hmm. I have been trying to get this to work with a <VirtualHost> set site, by putting the <Location "/admin"> within the <VirtualHost> directive, but it gives me a 401.shtml page on going to any /admin/ pages and this is an HTTP Auth error.
I wonder if it is a permissions error with the way I made the htpasswd file? Does anyone know more about Apache, VirtualHosts and Location?
Make sure the path to the htpasswd file is correct and that it has appropriate access rights.
FYI, you can use this similar action on IIS as well with the ISAPI_Rewrite module installed and dropping it into httpd.ini
"Make sure the path to the htpasswd file is correct and that it has appropriate access rights."
Paul - thanks for your reply: what access rights would I set for the htpasswd file in a virtualhosts set up though? You mean allow Apache access rights - so would the group having read access be correct? I am evidently not very experienced with permissions on unix :(
I found an easy way of enabling a security check for the whole admin-route solely based on a htaccess-file.
You just have to create a folder named 'admin' (or whatever your admin-route is called) and put a file named .htaccess in there without any location or directory enclosure.
AuthName "secured area"
AuthType Basic
AuthUserFile /my/passwd/file
Require valid-user
Since CakePHP always checks for existing files before invoking the url-rewrite, the admin folder will be found and the .htaccess will be executed. After being authenticated, CakePHP finds out that the "file" is not present in the folder admin and invokes the url-rewriting as normal.
Did I miss something or does this work for everyone who just wants to enable a very simple security?