View Issue Details

ID: 0017872
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2015-10-08 10:46
Reporter: holger1980
Assigned To:
Priority: urgent
Severity: block
Reproducibility: always
Status: new
Resolution: open
Platform: amd 64 bit
OS: Debian
OS Version: 7
Product Version: 1.2.17
Summary: 0017872: AUTH_BASIC fails
Description

Using Debian 7, Apache2 and MySQL (updated to the most recent stable).
We use AuthMySQL to protect our folder and set $_SERVER['REMOTE_USER'], which works perfectly on projects like MediaWiki and other company-wide used tools. However, Mantis continues to be the only remaining tool not able to use a central user management (SSO) concept.

Steps To Reproduce

Protected our mantis folder through AuthMySQL and configured config_inc.php to use

--- authentication settings ---

$g_login_method = BASIC_AUTH;

Still, visiting the folder, it keeps displaying the default login page!

Additional Information

I've printed a debug message through the login_page.php to prove if HTTP_BASIC is set correctly (it displays true and '5' as enumeration).
I've also printed the 'REMOTE_USER' and there is 'holger' printed. So the pre-required step through AuthMySQL works. I've checked the /var/log/apache/error.log and other log files to make sure that there is everything working before mantis is requested to skip auth and use the REMOTE_USER.

However, it still fails.

I've set a user to the mantis database named holger - and it still fails.
I've set up a brand new environment from mantis 1.2.17 - fresh install, first configuration - again with AuthMySQL to the new folder - and the problem reoccurred 100%. So it is absolutely reproducible.

Tags: No tags attached.

Activities

holger1980

2014-12-06 01:11

reporter   ~0041984

I've again set up a brand new environment from mantis 1.2.18 - fresh install, first configuration - again with AuthMySQL to the new folder - and the problem reoccurred 100%. I was curious if there was improvement through earlier reports, so obviously there is not. Single-Sign-On still seems to fail and be missing. So it is still reproducible.

andcoz

2015-10-08 10:41

reporter  

mantisbt_basicauth.patch (1,359 bytes)   
diff -r -u mantisbt-1.2.19/core/authentication_api.php mantisbt-1.2.19_patched/core/authentication_api.php
--- mantisbt-1.2.19/core/authentication_api.php 2015-10-08 16:24:09.868054147 +0200
+++ mantisbt-1.2.19_patched/core/authentication_api.php 2015-01-26 00:00:30.000000000 +0100
@@ -224,14 +224,12 @@
 
        # check for anonymous login
        if( !user_is_anonymous( $t_user_id ) ) {
-                if ( BASIC_AUTH != $t_login_method ) {
-                       # anonymous login didn't work, so check the password
+               # anonymous login didn't work, so check the password
 
-                       if( !auth_does_password_match( $t_user_id, $p_password ) ) {
-                               user_increment_failed_login_count( $t_user_id );
-                               return false;
-                       }
-                }
+               if( !auth_does_password_match( $t_user_id, $p_password ) ) {
+                       user_increment_failed_login_count( $t_user_id );
+                       return false;
+               }
        }
 
        # ok, we're good to login now
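
Review bot: Skipping auth_does_password_match() whenever the login method is BASIC_AUTH (the guard "if ( BASIC_AUTH != $t_login_method )" at the top of this hunk) leaves no credential check at all in this function, and nothing visible here ties $t_user_id to the user the web server actually authenticated. The bypass should apply only when the username being logged in equals the server-provided REMOTE_USER and should fail closed otherwise, still calling user_increment_failed_login_count() on a mismatch; a comment stating that BASIC_AUTH trusts the web server for the password would also help. Separately, the header timestamps show the "---" file as newer (2015-10-08) than the "+++" file (2015-01-26), and the BASIC_AUTH lines sit on the "-" side, so the diff appears to have been generated with the original and patched trees swapped; regenerate it as original versus patched so it applies in the intended direction.
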
@@ -325,7 +323,6 @@
 function auth_automatic_logon_bypass_form() {
        switch( config_get( 'login_method' ) ) {
                case HTTP_AUTH:
-               case BASIC_AUTH:
                        return true;
        }
        return false;
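
Review bot: The "case BASIC_AUTH:" label falling through to "return true" makes auth_automatic_logon_bypass_form() bypass the login form unconditionally for BASIC_AUTH, including requests where the web server supplied no authenticated user (for example if the directory protection is misconfigured or removed). Return true for BASIC_AUTH only when the server-provided REMOTE_USER is present and non-empty, and otherwise fall through to "return false" so the form or a denial is shown. A short comment on the case explaining that the web server is the authenticator would document the trust assumption.
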
andcoz

2015-10-08 10:45

reporter   ~0051614

I had the same problem on 1.2.19. I attached a simple patch that seems to solve the problem.

Note that it is not deeply tested. I am still evaluating side effects.

Issue History

Date Modified Username Field Change
2014-11-14 00:19 holger1980 New Issue
2014-12-06 01:11 holger1980 Note Added: 0041984
2015-10-08 10:41 andcoz File Added: mantisbt_basicauth.patch
2015-10-08 10:45 andcoz Note Added: 0051614