Difference between revisions of "Authentication"

From Dolibarr ERP CRM Wiki
Jump to navigation Jump to search
Visual
Tag: 2017 source edit
 
(29 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 +
<!-- BEGIN origin interlang links -->
 +
<!-- You can edit this section but do NOT remove these comments
 +
    Links below will be automatically replicated on translated pages by PolyglotBot -->
 +
[[fr:Authentification]]
 +
[[es:Autentificación]]
 +
[[zh:认证]]
 +
<!-- END interlang links -->
 +
 +
[[Category:Core]]
 
{{TemplateDocDevEn}}
 
{{TemplateDocDevEn}}
{{ToTranslate}}
 
  
== Introduction ==
 
  
Le système d'authentification de Dolibarr devient relativement complexe, et un bug peut être particulièrement difficile à trouver si l'on ne connaît par le processus d'authentification.
 
Cette page présente une découpe du processus, qui permet de suivre la procédure et d'intervenir là où il le faut.
 
  
== Processus ==
 
  
Le processus démarre par l'appel de la page que l'on souhaite voir. Par exemple, la page d'accueil htdocs/index.php. Mais ce n'est pas ce fichier assure la demande d'authentification. En fait toute page de Dolibarr inclut un fichier pre.inc.php qui lui même inclut  le fichier main.php qui inclut master.php.
 
Nous avons donc:
 
<pre>
 
<index.php>
 
  <pre.inc.php>
 
    <main.inc.php>
 
      <master.inc.php>
 
        #1#
 
      </master.inc.php>
 
      #2#
 
    </main.inc.php>
 
  </pre.inc.php>
 
</index.php>
 
</pre>
 
  
Le #1# représente le chargement de tout un tas de librairie que nous utiliserons par la suite, ainsi que l'initialisation du contexte d'exécution du code PHP (langue, configuration, utilisateur vierge).
 
  
Le #2# représente l'exécution de code propre à l'authentification: La verification que l'on ait dans une session loguée et si ce n'est pas le cas l'affichage de l'écran de login. C'est la que l'objet utilisateur est initialisé:
 
  
L'exécution du login, elle, se présente comme suit:
 
  
$authmode=array('http','dolibarr');
+
= Introduction =
if (isset($dolibarr_auto_user)) $authmode=array('auto');
+
This page describe how the Dolibarr authentication process works. You must be familiar with PHP sessions to understand correctly what happen.
// Si la demande du login a déjà eu lieu, on le récupère depuis la session
+
 
// sinon appel du module qui réalise sa demande.
+
= Process =
// A l'issu de cette phase, la variable $login sera définie.
+
 
$login='';
+
Process start when you call the page you want to see. For example index.php (htdocs/index.php). But this is not this file that ask for authentication. Each Dolibarr php page include at the beginning a file called main.inc.php and this file include a file called master.inc.php.
if (! session_id() || ! isset($_SESSION["dol_user"]))
+
So we have:
{
+
 
  # Procédure de login. Affiche page login #
+
{{Template:CodeSampleForLoginProcess}}
}
+
 
else
+
The #1# represents the loading of a lot of libraries that we will use later, but also initialize objects and variables containing the running PHP context (load configuration file, load language files and create an empty user not yet authenticated).
{
+
 
    // On est déjà en session
+
The #2# represents the code for authentication: Program check if we are inside a logged session (this means the $_SESSION["dol_login"] exists). If not, we check if we receives data from a login and password form. During first call of page, this is not the case since user has not yet view the login form. So we continue and $login is still false, so we just output the login HTML form and we end the script.
    $login=$_SESSION["dol_user"];
 
}
 
// Charge l'objet user depuis son login
 
$result=$user->fetch($login);
 
if ($result <= 0)
 
{
 
    dolibarr_print_error($db,$langs->trans("ErrorCantLoadUserFromDolibarrDatabase"));
 
    exit;
 
}
 
// Est-ce une nouvelle session
 
if (! isset($_SESSION["dol_user"]))
 
{
 
    // Nouvelle session pour ce login
 
    dolibarr_syslog("New session in DOLSESSID_".$dolibarr_main_db_name.": ".session_id());
 
    $user->update_last_login_date();
 
    $_SESSION["dol_user"]=$user;
 
}
 
  
 +
After submission of login, the same page (so still index.php is called), we still go inside #1#, then #2# and now the $_POST["username"] and $_POST['actionlogin'] are defined. So we check if user and pass are ok (check into database, LDAP, it depends on $dolibarr_main_authentication value in config file). If it's ok, the $login variable is set, so we don't show the form anymore and we set the $_SESSION["dol_login"] so next time we call a page, we never go inside the "if (! isset($_SESSION["dol_login"]))".
  
Mais analysons plus en détail le code d'appel de la méthode de vérification du couple user/password (il y a plusieurs méthodes disponibles, donc plusieurs appels possibles et qui devraient être mutuellement exclusifs).
+
The #3# is to check business permissions and show the page. See [[Permissions En|Permissions]] page for more informations.
  
    session_name("DOLSESSID_".$dolibarr_main_db_name);
+
= The authentication mode and the login modules =
    session_start();
 
    // Si on rentre ici suite a soumission d'un couple user/password alors
 
    // Selon la valeur dolibarr_main_authentication, on appelle la fonction
 
    // dans le bon fichier qui verifie si un couple user/mot de passe est correcte
 
    // Sinon, on affiche la page de login
 
  
== Les modules de login ==
+
Calling the checkLoginPassEntity to validate the couple user/password (or just the user for some cases) will call the function '''check_user_password_xxx''' of a login module. The login module called depends on the authentication mode defined into your '''conf/conf.php''' file.
  
Les modules de login sont les fichiers qui contiennent les fonctions qui controlent la validite d'un couple user/password.
+
The file used is named '''htdocs/core/login/functions_xxx.php''' with value '''xxx''' that match the value set in '''dolibarr_main_authentication''' in config file '''conf/conf.php'''.
Il y a un fichier par module. Chaque fichier assure un type de controle différent.
 
* Le fichier '''htdocs/include/login/functions_http.php''' controle la validite du couple user/mot de passe par une authentification de type http Basic.
 
* Le fichier '''htdocs/include/login/functions_ldap.php''' verifie la validite d'un couple user/mot de passe dans un annuaire LDAP.
 
* Le fichier '''htdocs/include/login/functions_dolibarr.php''' veririe la validite d'un couple user/mot de passe dans la base de donnee Dolibarr.
 
  
Chaque fichier contient en fait uniquement une fonction '''check_user_password_xxx''' mais Dolibarr ne va en utiliser qu'un. Ce sera celui dont la valeur '''xxx''' correspond a la valeur de la variable '''dolibarr_main_authentication'''.
+
See [[Authentication,_SSO_and_SSL]] for a list of authentication mode (possible values for 'xxx' and specificity for them)
Dans ce fichier, Dolibarr sollicite la seule fonction qui s'y trouve en envoyant comme parametres le user et mot de passe.La fonction renvoie vrai si le couple est valide.
 

Latest revision as of 08:40, 17 January 2023

Return to developer
documentation index

File Doc dev.png





Introduction

This page describe how the Dolibarr authentication process works. You must be familiar with PHP sessions to understand correctly what happen.

Process

Process start when you call the page you want to see. For example index.php (htdocs/index.php). But this is not this file that ask for authentication. Each Dolibarr php page include at the beginning a file called main.inc.php and this file include a file called master.inc.php. So we have: 

 <mypage.php>
     <main.inc.php>
       <master.inc.php>
         #1#
       </master.inc.php>
       #2#
       if (!isset($_SESSION["dol_login"]))
       {
         // Set goontestloop to true if we are coming from a post of the login page ($_POST["username"] and $_POST["actionlogin"] is defined.
         // We may also set goontestloop to true for some other cases depending on the authentication mode (see next chapter)
         $goontestloop = ...  
         if ($goontestloop)
         {
           checkLoginPassEntity(username, password, ...);
           ...
           // if user and pass are ok, we set $login
           $login=
         }
         if (! $login)
         { 
	       // We show login page
	       include_once(DOL_DOCUMENT_ROOT."/lib/security.lib.php");
	       dol_loginfunction($langs,$conf,$mysoc);
	       exit;
         }
         ...
       }
     </main.inc.php>
   #3#
 </mypage.php>

The #1# represents the loading of a lot of libraries that we will use later, but also initialize objects and variables containing the running PHP context (load configuration file, load language files and create an empty user not yet authenticated).

The #2# represents the code for authentication: Program check if we are inside a logged session (this means the $_SESSION["dol_login"] exists). If not, we check if we receives data from a login and password form. During first call of page, this is not the case since user has not yet view the login form. So we continue and $login is still false, so we just output the login HTML form and we end the script.

After submission of login, the same page (so still index.php is called), we still go inside #1#, then #2# and now the $_POST["username"] and $_POST['actionlogin'] are defined. So we check if user and pass are ok (check into database, LDAP, it depends on $dolibarr_main_authentication value in config file). If it's ok, the $login variable is set, so we don't show the form anymore and we set the $_SESSION["dol_login"] so next time we call a page, we never go inside the "if (! isset($_SESSION["dol_login"]))".

The #3# is to check business permissions and show the page. See Permissions page for more informations.

The authentication mode and the login modules

Calling the checkLoginPassEntity to validate the couple user/password (or just the user for some cases) will call the function check_user_password_xxx of a login module. The login module called depends on the authentication mode defined into your conf/conf.php file.

The file used is named htdocs/core/login/functions_xxx.php with value xxx that match the value set in dolibarr_main_authentication in config file conf/conf.php.

See Authentication,_SSO_and_SSL for a list of authentication mode (possible values for 'xxx' and specificity for them)

Retrieved from "https://wiki.dolibarr.org/index.php?title=Authentication&oldid=55640"