Authentication
Latest revision as of 08:40, 17 January 2023
Introduction
This page describes how the Dolibarr authentication process works. You must be familiar with PHP sessions to understand it correctly.
Process
The process starts when you call the page you want to see, for example index.php (htdocs/index.php). However, this is not the file that asks for authentication. Each Dolibarr PHP page includes, at its beginning, a file called main.inc.php, and this file includes a file called master.inc.php. So we have:
<mypage.php>
    <main.inc.php>
        <master.inc.php>
            #1#
        </master.inc.php>
        #2#
        if (!isset($_SESSION["dol_login"]))
        {
            // Set goontestloop to true if we are coming from a post of the login page ($_POST["username"] and $_POST["actionlogin"] are defined).
            // We may also set goontestloop to true in some other cases, depending on the authentication mode (see next chapter)
            $goontestloop = ...
            if ($goontestloop)
            {
                checkLoginPassEntity(username, password, ...);
                ...
                // If user and pass are ok, we set $login
                $login = ...
            }
            if (! $login)
            {
                // We show the login page
                include_once(DOL_DOCUMENT_ROOT."/lib/security.lib.php");
                dol_loginfunction($langs,$conf,$mysoc);
                exit;
            }
            ...
        }
    </main.inc.php>
    #3#
</mypage.php>
The #1# represents the loading of many libraries that are used later, and also the initialization of objects and variables containing the running PHP context (loading the configuration file, loading language files and creating an empty user that is not yet authenticated).
The #2# represents the code for authentication: the program checks whether we are inside a logged-in session (this means that $_SESSION["dol_login"] exists). If not, it checks whether it has received data from a login and password form. During the first call of the page, this is not the case, since the user has not yet seen the login form. So we continue, $login is still false, and we just output the login HTML form and end the script.
After the login form is submitted, the same page is called (so still index.php). We again go through #1#, then #2#, and now $_POST["username"] and $_POST['actionlogin'] are defined. So we check whether the user and password are OK (checked in the database, in LDAP; it depends on the $dolibarr_main_authentication value in the config file). If they are, the $login variable is set, so we no longer show the form, and we set $_SESSION["dol_login"] so that the next time we call a page, we never go inside the "if (! isset($_SESSION["dol_login"]))".
The #3# checks business permissions and shows the page. See the Permissions page for more information.
The authentication mode and the login modules
Calling checkLoginPassEntity to validate the user/password pair (or just the user in some cases) calls the function check_user_password_xxx of a login module. The login module called depends on the authentication mode defined in your conf/conf.php file.
The file used is named htdocs/core/login/functions_xxx.php, where xxx matches the value set in dolibarr_main_authentication in the config file conf/conf.php.
See Authentication,_SSO_and_SSL for a list of authentication modes (the possible values for 'xxx' and the specifics of each).
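The flow of step #2# and the mode-to-function dispatch described above, modelled as an added example that is not Dolibarr's own code. The demo_* functions, the 'demo' mode, the in-memory user table and the array standing in for $_SESSION are assumptions made so the script runs on its own; only the names dol_login, username, actionlogin and the check_user_password_xxx naming pattern come from this page.

```php
<?php
// Added illustration, not Dolibarr source.

// Stand-in for what a login module file would define (constructed user data).
function check_user_password_demo(string $user, string $pass): string
{
    $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    $hash = $users[$user] ?? '';
    return ($hash !== '' && password_verify($pass, $hash)) ? $user : '';
}

// Hypothetical dispatcher: maps the configured mode to its check function.
function demo_check_login(string $mode, string $user, string $pass): string
{
    // The mode ends up in a file name and a function name, so accept
    // only plain identifiers before building either from it.
    if (!preg_match('/^[a-z0-9_]+$/', $mode)) {
        return '';
    }
    $fn = 'check_user_password_' . $mode;
    return function_exists($fn) ? $fn($user, $pass) : '';
}

// Hypothetical model of step #2#: returns what the page would do next.
function demo_auth_step(array &$session, array $post, string $mode): string
{
    if (isset($session['dol_login'])) {
        return 'show page for ' . $session['dol_login'];   // go on to #3#
    }
    $goontestloop = isset($post['username'], $post['actionlogin']);
    $login = '';
    if ($goontestloop) {
        $login = demo_check_login($mode, (string) $post['username'],
            (string) ($post['password'] ?? ''));
    }
    if ($login === '') {
        return 'show login form';                           // then exit
    }
    // With real PHP sessions, renew the session ID at this point.
    $session['dol_login'] = $login;
    return 'show page for ' . $login;
}

$mode = 'demo';   // plays the role of dolibarr_main_authentication
$session = [];    // plays the role of $_SESSION
$bad  = ['username' => 'alice', 'password' => 'wrong', 'actionlogin' => 'login'];
$good = ['username' => 'alice', 'password' => 'correct horse', 'actionlogin' => 'login'];
foreach ([[], $bad, $good, []] as $post) {   // first visit, failed post, good post, next page
    echo demo_auth_step($session, $post, $mode), "\n";
}
```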