Thursday, July 05, 2007

Experience with Mantis; HTTP Basic Authentication, Single sign-on with Subversion

I recently downloaded and installed Mantis 1.1.0a3 (Linux platform) and configured the HTTP server (Apache) to use basic authentication for accessing the mantis directory. Inside mantis, as the admin user, I created one user with MD5 login.

To support single sign-on with subversion, HTTP Authentication for the mantis login is one possibility. Below is the list of desired/expected behaviour from mantis with HTTP Basic authentication.

There may be an overhead with HTTP Authentication, as each request for a resource is challenged by the HTTP server, and the browser has to supply the authentication credentials with every request before the resource is returned.

Requirements:

  • To access the mantis directory, the user (username) is authenticated against a password file by the web server (HTTP Basic Authentication).
  • Once authenticated, obtain the username that requested the mantis resources (files).
  • If the user already exists inside mantis, log in with this username without checking against the stored password.
  • If the user does not exist, create a new user with this username and log in as that user. Ignore the password.
  • Use some other mechanism (outside mantis) to change the HTTP Basic password in the web server's password file.

Mantis provides two login methods that support HTTP Basic Authentication: BASIC_AUTH and HTTP_AUTH.

1. BASIC_AUTH: In config_inc.php, set $g_login_method to BASIC_AUTH. If the browser's stored authentication data is cleared, trying to access mantis pops up the HTTP login dialog. Enter the username (an account for this username must already exist in mantis) and the password as defined in the HTTP password file. If this login succeeds, mantis is shown, but it still displays the default mantis login page instead of going directly to the requested page for the logged-in user. Entering the username of any existing valid account on this login page takes the user to the requested page, with the original user logged in.

2. HTTP_AUTH: Change $g_login_method to HTTP_AUTH. For an existing mantis account, once the HTTP server authenticates the user, the user is logged in and taken to the correct page, skipping the default mantis login page. But the password is also verified against the password stored in the mantis database; this seems to work if the password is stored as plain text. This is not the desired behavior: once the user is authenticated by the HTTP server, mantis does not need to check the password again. With HTTP_AUTH, mantis itself generates the HTTP login prompt when a login fails. For users that do not exist in mantis, it gives an Invalid email error, whereas the expected behavior is to create an account for this user in mantis.

To make BASIC_AUTH behave as desired, make the following changes:

login_page.php

Add the following lines after line 40,

if ( BASIC_AUTH == config_get( 'login_method' ) ) {
    # the web server already authenticated the user: skip the login form
    # and go straight to login.php
    $t_uri = "login.php";
    print_header_redirect( $t_uri );
    exit;
}

login.php

Towards the end of this file, in the auth_attempt_login failure case, add the following,

// avoid a continuous redirect loop between login.php and login_page.php
// in case of failure: ask the browser for HTTP credentials instead
if ( BASIC_AUTH == config_get( 'login_method' ) ) {
    auth_http_prompt();
    exit;
}

core/authentication_api.php

Add the following inside function auth_does_password_match after the LDAP check,

// if BASIC_AUTH, just ignore the password: the web server already checked it
if ( BASIC_AUTH == $t_configured_login_method ) {
    return true;
}

Inside function auth_attempt_login, modify the lines after config_get( 'login_method' ) as,

if ( BASIC_AUTH == $t_login_method ) {
    # attempt to create the user if using BASIC_AUTH
    if ( false === $t_user_id ) {
        $t_cookie_string = user_create( $p_username, $p_password );
    }
    ................
}

config_inc.php

To avoid the Invalid email error for new users, add the following settings to config_inc.php,

$g_enable_email_notification = OFF;
$g_validate_email = OFF;
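As an added example (not from the original post and not Mantis code), the login decision that the requirements above describe and that the changes to login_page.php, login.php and core/authentication_api.php implement, collected into one stand-alone PHP function. It assumes Apache enforces Basic authentication on the mantis directory; the in-memory user table and the find_user/create_user helpers are placeholders for Mantis' own user functions.

```php
<?php
// Added example, not Mantis code: the BASIC_AUTH login decision in one place.
// An in-memory table and the find_user / create_user helpers stand in for
// Mantis' own user functions (assumption).
// Assumed deployment: Apache enforces Basic auth on the mantis directory.

define( 'BASIC_AUTH', 'BASIC_AUTH' );   // stands in for Mantis' login_method constant

// constructed sample user table: username => user id
$g_users = array( 'alice' => 1, 'bob' => 2 );

function find_user( $p_username ) {
    global $g_users;
    return isset( $g_users[$p_username] ) ? $g_users[$p_username] : false;
}

function create_user( $p_username ) {
    global $g_users;
    $g_users[$p_username] = count( $g_users ) + 1;   // requirement: auto-create
    return $g_users[$p_username];
}

// Returns the user id to log in as, or false if the request must be refused.
// $p_server stands in for $_SERVER so the function can be called directly.
function sso_login( $p_login_method, array $p_server ) {
    if ( BASIC_AUTH != $p_login_method ) {
        return false;   // the web-server identity is only trusted in this mode
    }
    // REMOTE_USER is set by Apache only after its own authentication succeeded.
    // PHP_AUTH_USER is filled in by mod_php from the raw Authorization header,
    // so by itself it is not proof that the web server checked anything.
    if ( empty( $p_server['REMOTE_USER'] ) ) {
        return false;   // Apache did not authenticate: never fall back to a form password
    }
    $t_username = $p_server['REMOTE_USER'];
    $t_user_id  = find_user( $t_username );
    if ( false === $t_user_id ) {
        $t_user_id = create_user( $t_username );
    }
    return $t_user_id;   // no password is compared on this path
}

// existing user: logged in without any password check
var_dump( sso_login( BASIC_AUTH, array( 'REMOTE_USER' => 'alice' ) ) );
// unknown user: account created on the fly, then logged in
var_dump( sso_login( BASIC_AUTH, array( 'REMOTE_USER' => 'carol' ) ) );
// no web-server identity: refused instead of trusting the client
var_dump( sso_login( BASIC_AUTH, array() ) );
```

The last case is the one to keep in mind when deploying: if the Apache configuration does not actually cover the mantis directory, nothing upstream has verified the username, so the login path must refuse rather than fall through to the database password check.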

With the above modifications my requirements are met and mantis seems to work as expected. I am not sure whether these modifications will affect any other functionalities of mantis. If you face any problems, please give your comments here.