patch for authenticating users using url parameters

chird
Posts: 12
Joined: Tue Nov 11, 2003 11:45 am

Post by chird »

Hi,

This patch makes it possible to authenticate users directly from the query-string, instead of redirecting to the login-page.

That's very useful for including Cacti-graphs in other webpages, without exposing the graphs to the guest-user.

After applying the patch, you can enter a URL like this:

http://cacti.mydomain.nl/graph_image.ph ... rectauth=1

to get a graph from cacti.


2 files need some extra code, include/auth.php and auth_login.php

include/auth.php:


43c43
<       if ((isset($guest_account)) && (empty($_SESSION["sess_user_id"]))) {
---
>       if ((!isset($_REQUEST['directauth'])) && (isset($guest_account)) && (empty($_SESSION["sess_user_id"]))) {
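
Review bot: The new guard on line 43 tests only isset($_REQUEST['directauth']), while the auth_login.php change acts only when the value equals "1", so a request that carries the parameter with any other value (or an empty one) skips the guest-account branch without starting a direct login. Compare against "1" here as well, so both files agree on when direct authentication is in effect.
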
auth_login.php


26a27,36
> if (isset($_REQUEST['directauth']) && $_REQUEST['directauth'] == "1")
> {
>       $_POST["username"] = $_GET["username"];
>       $_POST["password"] = $_GET["password"];
>       $_POST["username"] = $_GET["username"];
>       if (isset($_GET["realm"]))
>               $_POST["realm"] = $_GET["realm"];
>       $_REQUEST["action"] = "login";
> }
> 
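
Review bot: The added block at 27-36 takes the account password from $_GET["password"], so it travels in the query string and is recorded in web-server access logs, browser history and any Referer header sent from the page that embeds the graph. A short-lived token would be a safer credential than the password itself. Two smaller points in the same block: $_POST["username"] = $_GET["username"]; appears twice, and neither $_GET["username"] nor $_GET["password"] is checked with isset() before use, although realm is.
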
74a85,89
>               if (isset($_REQUEST['directauth']) && $_REQUEST['directauth']=="1")
>               {
>                       header("Location: ".$_SERVER['REQUEST_URI']);
>                       exit;
>               }
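
Review bot: header("Location: ".$_SERVER['REQUEST_URI']) in the block at 85-89 sends the request URI back unchanged, so the redirect target still contains username, password and directauth=1. The credentials are repeated in the Location response header, and the follow-up request presents directauth=1 again. Rebuild the target without those three parameters before redirecting.
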
Maybe Ian has an opinion about whether this can be included (in this or some other form) in the default code?


Regards,

Geert van der Ploeg
Mike556

How to implement code

Post by Mike556 »

Hi,

Thanks for the idea, but do you have any advice for someone new to PHP on where and how to add that code to the files mentioned?

~Mike Rizzo
chird
Posts: 12
Joined: Tue Nov 11, 2003 11:45 am

Post by chird »

The numbers above the code-lines are line numbers:

In include/auth.php, change the current line 43 (indicated with '<') to my version (indicated with '>')

In auth_login.php, add, after the current line 26, 'my' line 27-36, indicated with '>'.
And add, after the original line 74 (which is now 84, due to the above change which inserted 11 lines), lines 85-89.

I admit that the format of this isn't very clear...
I should have posted a 'normal' diff which can be applied using the patch-program....

Regards,

Geert
ostuder
Posts: 6
Joined: Wed Dec 17, 2003 4:39 am

Does not work correctly

Post by ostuder »

Hi,

I have changed both files, with a good result, using the diff command.

But I cannot use it if I try a connection with a URL like this:

http://localhost/cacti/graph_view.php?a ... rectauth=1

I receive the following message from the login page:

Invalid User Name/Password Please Retype:

Cacti version used is : 0.8.6h
Some help please,
regards
/Olivier
AnAmoeba
Posts: 2
Joined: Fri Feb 09, 2007 11:58 pm

8.6j Fix

Post by AnAmoeba »

I ran into the same problem, and managed to hack a fix for my 0.8.6j version. It appears that over the years, the variable names were changed.

Use the following code block in auth_login.php instead of the one above:


// Direct-auth block for 0.8.6j: copy the query-string credentials into the
// POST fields, under both the old names and the newer login_* names.
if (isset($_REQUEST['directauth']) && $_REQUEST['directauth'] == "1")
{
	$_POST["username"] = $_GET["username"];
	$_POST["password"] = $_GET["password"];
	$_POST["login_username"] = $_GET["username"];
	$_POST["login_password"] = $_GET["password"];
	if (isset($_GET["realm"]))
		$_POST["realm"] = $_GET["realm"];
	$_REQUEST["action"] = "login";
}

Chris
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA

Post by rony »

Passing passwords on the URL will not be considered.
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 ways to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.
AnAmoeba
Posts: 2
Joined: Fri Feb 09, 2007 11:58 pm

Authentication

Post by AnAmoeba »

rony wrote: Passing passwords on the URL will not be considered.

From a security perspective, this is absolutely on the money.

However, from a usability perspective - what would you recommend when a user is already authenticated into a Portal solution (like SharePoint) and needs to pull up a dashboard with a few graphs?

Chris
TheWitness
Developer
Posts: 17061
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA

Post by TheWitness »

I agree with Tony. It's so bad, I don't even want to think about it. ... edited a lot out ... I know you probably meant well though.

TheWitness
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages


For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
raphtacool
Posts: 4
Joined: Thu May 18, 2006 5:07 am

Problem with page that user pointed their browser to

Post by raphtacool »

Hi,

I have installed this plugin but something doesn't work.
Authentication works perfectly, but the browser returns the default graph screen.
Nevertheless, the login option in the user management section is set to: "show the page that user pointed their browser to"

Example of my URL: http://localhost/graph_view.php?action= ... rectauth=1

I'm using Cacti v 0.8.6i

Regards,

Raf
cricalix
Posts: 9
Joined: Mon Jan 22, 2007 9:26 am

Re: Authentication

Post by cricalix »

AnAmoeba wrote:
rony wrote: Passing passwords on the URL will not be considered.
From a security perspective, this is absolutely on the money.

However, from a usability perspective - what would you recommend when a user is already authenticated into a Portal solution (like SharePoint) and needs to pull up a dashboard with a few graphs?

Chris

Use one-time keys. When the user authenticates to the portal, generate a key for them. Extend and update the user table in cacti to support that key. Write the generated key into the cacti user table for the appropriate user. Call Cacti with the key on the URL, and expire the key when they log out (or after a certain amount of time).

Alternately, use the export mechanism of Cacti and put the graphs behind the portal solution itself.
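
The one-time key scheme described in the post above, sketched as an added example that is not part of the thread and is not Cacti code: the key is random, stored only as a hash, short-lived and deleted on first use, so a URL that leaks into a log cannot be replayed. The `one_time_key` table, the function names and the SQLite in-memory store are assumptions made for the example (the post suggests extending Cacti's user table instead).

```php
<?php
// Added example: one-time login keys. Table and function names are
// hypothetical; this is not Cacti's schema or code.
function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');          // constructed in-memory store
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE one_time_key (key_hash TEXT PRIMARY KEY,
               user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)');
    return $db;
}

// Portal side: call only after the user has authenticated to the portal.
function issue_key(PDO $db, int $userId, int $now, int $ttl = 60): string {
    $token = bin2hex(random_bytes(32));        // 256 bits from the CSPRNG
    $ins = $db->prepare('INSERT INTO one_time_key VALUES (?, ?, ?)');
    $ins->execute([hash('sha256', $token), $userId, $now + $ttl]);
    return $token;                             // only its hash is stored
}

// Cacti side: returns the user id for a valid key, null otherwise.
function redeem_key(PDO $db, string $token, int $now): ?int {
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null;                           // malformed input
    }
    $hash = hash('sha256', $token);
    $db->beginTransaction();
    $sel = $db->prepare('SELECT user_id, expires_at FROM one_time_key WHERE key_hash = ?');
    $sel->execute([$hash]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    $sel->closeCursor();
    $del = $db->prepare('DELETE FROM one_time_key WHERE key_hash = ?');
    $del->execute([$hash]);                    // consume the key, expired or not
    $db->commit();
    // rowCount() !== 1 means another request already consumed the key.
    if ($row === false || $del->rowCount() !== 1 || (int)$row['expires_at'] < $now) {
        return null;
    }
    return (int)$row['user_id'];
}

$db    = make_demo_db();
$now   = 1700000000;                           // constructed timestamp
$token = issue_key($db, 42, $now);             // 42 is a constructed user id
var_dump(redeem_key($db, $token, $now + 10));  // first use within the TTL
var_dump(redeem_key($db, $token, $now + 11));  // replay of the same key
var_dump(redeem_key($db, issue_key($db, 42, $now), $now + 61)); // past expiry
```
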
ErikCarlson.Cerberus
Posts: 2
Joined: Wed Jun 23, 2010 4:24 am
Location: London, UK

using one-time keys to authenticate

Post by ErikCarlson.Cerberus »

We would like to use one-time keys to authenticate as suggested. We've made changes to the cacti database for our portal to insert the keys, but I'm not sure how best to modify cacti to use these keys.

The last post suggested that this may be supported officially, or at the very least someone else has done it.

If anyone can point me at a how to or other documentation I would really appreciate it.

Thank you in advance.

Erik
TheWitness
Developer
Posts: 17061
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA

Post by TheWitness »

Why not use a combination of Web Basic and some SSO solution? That makes this a breeze.

TheWitness
ErikCarlson.Cerberus
Posts: 2
Joined: Wed Jun 23, 2010 4:24 am
Location: London, UK

Post by ErikCarlson.Cerberus »

Thanks for your reply, but I am afraid I'm not sure what you are driving at. If you wouldn't mind spelling it out a bit more I would appreciate it.

We've got an existing portal which allows customers to view services that they have with us amongst other things. They have to authenticate to get into our portal.

We also have Cacti running on Linux. We have automated the setup of new Cacti accounts for every new service and we email the customers' Cacti details automatically once the service is set up, but we want to avoid them having to remember two sets of details. We would like them to be able to log in to our portal, view their services and then be able to follow a link from any service to the Cacti graph for that service without having to log in again.

I'm just trying to avoid reinventing the wheel here. Our portal is quite capable of inserting a one-off key into the sql database on the cacti machine, then removing it after use, but I don't want to go hacking around in cacti if there's already an accepted way of doing this. I'm struggling to find any documentation.

I know that SSO = Single Sign On, but I've not heard of Web Basic. I'm sure I'm missing something really obvious.

Thank you in advance for your help.

Erik
phalek
Developer
Posts: 2838
Joined: Thu Jan 31, 2008 6:39 am
Location: Kressbronn, Germany

Post by phalek »

If it's only the graph you need, you could use something like the nmidWebService plugin to retrieve the graph and display it right in your portal

http://forums.cacti.net/viewtopic.php?t=32929
Greetings,
Phalek
---
Need more help ? Read the Cacti documentation or my new Cacti 1.x Book
Need on-site support ? Look here Cacti Workshop
Need professional Cacti support ? Look here CereusService
---
Plugins : CereusReporting