Luracast Restler Multiple Authentication Classes Not Allowing Access
I have two authentication classes defined.
In my index.php I have the following defined:
$r = new Restler();
$r->addAuthenticationClass('APIKeyAuth');
$r->addAuthenticationClass('OAUTH2Server');
I then protect one of the REST methods for APIKeyAuth:
/**
* @access protected
* @class APIKeyAuth{@requires apikey}
*/
public function .......etc
If I debug it, it goes through the first step and $authObj (see code below from restler.php) will be APIKeyAuth. It checks __isAllowed and returns true ... which is good.
It then however goes through OAUTH2Server (which in my opinion it shouldn't, as the REST method has been decorated to use APIKeyAuth).
So it goes through, and __isAllowed in OAUTH2Server is false, so the user will get an Unauthorized response.
foreach ($this->authClasses as $authClass) {
    $authObj = Scope::get($authClass);
    if (!method_exists($authObj,
        Defaults::$authenticationMethod)
    ) {
        throw new RestException(
            500, 'Authentication Class ' .
            'should implement iAuthenticate');
    } elseif (
        !$authObj->{Defaults::$authenticationMethod}()
    ) {
        throw new RestException(401);
    }
}
Do I need to alter the OAUTH2 Server to check if it's using an API Key and add logic? (seems the wrong approach).
Restler up to RC5 handles authentication classes serially, meaning that all the authentication classes must return true to go through the protected API call.
Since RC6 this has changed to parallel, meaning that any one of the authentication classes can allow access to the protected API.
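The serial versus parallel distinction from the answer, as an added illustration (not Restler's own code): a minimal stand-in for the authentication loop, with hypothetical ApiKeyAuth, OAuth2Auth and AuthFailed classes, where one authenticator allows and the other refuses.

```php
<?php
// Added example, not from the Restler project. iAuthenticate and __isAllowed
// are the names used on the page; the classes below are hypothetical stubs.

interface iAuthenticate {
    public function __isAllowed(): bool;
}

class ApiKeyAuth implements iAuthenticate {
    public function __isAllowed(): bool { return true; }   // valid API key present
}

class OAuth2Auth implements iAuthenticate {
    public function __isAllowed(): bool { return false; }  // no bearer token present
}

class AuthFailed extends Exception {}

/** Serial (up to RC5): every authenticator must allow, the first refusal is a 401. */
function authorizeSerial(array $authObjs): void {
    foreach ($authObjs as $auth) {
        if (!$auth->__isAllowed()) {
            throw new AuthFailed('401: ' . get_class($auth) . ' refused');
        }
    }
}

/** Parallel (RC6+): the first authenticator that allows grants access; 401 only if none do. */
function authorizeParallel(array $authObjs): void {
    foreach ($authObjs as $auth) {
        if ($auth->__isAllowed()) {
            return; // first accepting authenticator wins
        }
    }
    throw new AuthFailed('401: no authentication class allowed the request');
}

$authObjs = [new ApiKeyAuth(), new OAuth2Auth()]; // same order as index.php

try {
    authorizeSerial($authObjs);       // OAuth2Auth refuses, so this throws
} catch (AuthFailed $e) {
    echo "serial: " . $e->getMessage() . PHP_EOL;
}

authorizeParallel($authObjs);         // ApiKeyAuth allows, so this returns
echo "parallel: access granted" . PHP_EOL;
```

With the parallel rule a request passes as soon as any registered class accepts it, so each authenticator must reject anything it was not designed to validate rather than returning true by default.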