
Symfony HTTP Authentication Filter

Filed Under PHP, Security, Symfony - October 16th, 2006 11:50am

Every so often I need to password protect a web project so that only other developers or the client can access the site. I could build a user authentication system into the project itself, but that’d be overkill considering it won’t be used during the production life of the site. This leaves the classic old-school option of HTTP Authentication. This has its own issues to solve though: whilst it’s reasonably straightforward to add in .htaccess configured authentication on servers you’re familiar with, it’s somewhat harder to set up if you don’t know the path to your password file in advance.

The alternative is to implement HTTP Auth in your Symfony project itself. Thankfully Symfony’s filter architecture makes this as simple as editing three files.

First, write your authentication config into your app.yml file:

all:
  auth:
    realm:      Password Required
    username:   james
    password:   mypassword

Then create the filter in lib/httpAuthFilter.class.php:

<?php

/**
 * HTTP Authentication filter for Symfony
 *
 * @author James McGlinn <james@mcglinn.org>
 * @version 1
 */
class httpAuthFilter extends sfFilter
{
  /**
   * Execute filter
   *
   * @param sfFilterChain $filterChain
   */
  public function execute ($filterChain)
  {
    // execute filter once
    if ($this->isFirstCall()) {
      // no credentials sent yet: challenge the client
      if (!isset($_SERVER['PHP_AUTH_USER'])) {
        $this->sendHeadersAndExit();
      }
      // guard against PHP_AUTH_PW being unset (e.g. an empty password field)
      $password = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
      // strict (===) string comparison so a numeric-looking password such as 123 cannot match "123.0"
      if (!($_SERVER['PHP_AUTH_USER'] === (string) sfConfig::get('app_auth_username')
            && $password === (string) sfConfig::get('app_auth_password'))) {
        $this->sendHeadersAndExit();
      }
    }
    // execute next filter
    $filterChain->execute();
  }

  /**
   * Sends HTTP Auth headers and exits
   *
   * @return null
   */
  private function sendHeadersAndExit ()
  {
    // the challenge header tells the client which realm to prompt for
    header('WWW-Authenticate: Basic realm="' . sfConfig::get('app_auth_realm') . '"');
    header('HTTP/1.0 401 Unauthorized');
    exit;
  }
}

Finally, configure the new filter in the application’s config/filters.yml file:

httpAuthFilter:
   class: httpAuthFilter

Clear your Symfony project cache and you’re done - every request for the application you protected will be filtered through your new HTTP Authentication filter.

One warning though: if you’re planning on using this to protect a site for real deployment, you might want to consider hashing the password used in the app.yml configuration file first. I’ll post an update another day describing how to do that; meanwhile, if you need to refresh your memory on password hashing theory, read my article on the PHP Security Consortium website.
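Here is the hashed-password variant the warning above alludes to, as an added example rather than the post's own code. It keeps the Symfony 1 sfFilter/sfConfig API shown above but assumes PHP 5.6 or later for password_verify() and hash_equals(), and replaces the password key in app.yml with a password_hash key (constructed sample in the comment).

```php
<?php
// Added example (not the original post's code): the same Symfony 1 filter,
// but app.yml holds a bcrypt hash instead of the clear-text password.
// Assumes PHP >= 5.6 (password_verify, hash_equals); sfFilter, sfConfig and
// isFirstCall() are the Symfony 1 API used on the page.
//
// app.yml (constructed sample; generate the hash once with
//   php -r 'echo password_hash("mypassword", PASSWORD_DEFAULT), "\n";'):
//
//   all:
//     auth:
//       realm:         Password Required
//       username:      james
//       password_hash: "<paste the generated $2y$ hash here>"
class httpAuthFilter extends sfFilter
{
  public function execute($filterChain)
  {
    if ($this->isFirstCall()) {
      $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
      $pass = isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : '';
      if ($user === null || !$this->credentialsValid($user, $pass)) {
        $this->sendHeadersAndExit();
      }
    }
    $filterChain->execute();
  }

  private function credentialsValid($user, $pass)
  {
    // Constant-time username comparison, then bcrypt verification of the
    // password against the stored hash. Both checks always run, so a wrong
    // username and a wrong password take roughly the same time to reject.
    $userOk = hash_equals((string) sfConfig::get('app_auth_username'), (string) $user);
    $passOk = password_verify($pass, (string) sfConfig::get('app_auth_password_hash'));
    return $userOk && $passOk;
  }

  private function sendHeadersAndExit()
  {
    header('WWW-Authenticate: Basic realm="' . sfConfig::get('app_auth_realm') . '"');
    header('HTTP/1.0 401 Unauthorized');
    exit;
  }
}
```

With this in place the config file no longer reveals the password if it is leaked, and the filters.yml entry shown below is unchanged.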

Comments

4 Responses to “Symfony HTTP Authentication Filter”

  1. jp on June 20th, 2007 4:53 am

    great, thanks

  2. Paul A Houle on November 6th, 2007 1:52 pm

    This is too cool!

  3. Nico Krebs | mellowmessage on July 31st, 2009 9:35 pm

    Hi there,

    It would be great if you posted a version of this filter that can be used to http-auth REST services. I would like to protect my REST API (which runs on an https server) with user credentials. Is that possible with Symfony filters?

    regards,
    nico

  4. James McGlinn on August 3rd, 2009 12:50 pm

    Nico: You can use this filter as-is for REST API authentication.
