Migrate Authentication from AuthComponent to Plugin

Dear Cakers,

first of all I want to say it’s a pain in the ass migrating this thing with such a minimal documentation, it’s much more complicated than before.

I am using Basic Auth and the documentation about this is kept so minimal

I first realised, that the allowUnauthenticated method is not working… what a shame…

So my current problem is, that my project had a scope during auth, where I only filtered users, which have the field locked=0 - now I don’t know how to achieve this again, this was the old code:

// add http-basic-authentication with login-data stored in "Users"
        $this->loadComponent('Auth', [
            'authenticate' => [
                'Ldap' => [
                    'realm' => utf8_decode(Configure::read('AdminSettings.AppName')),
                    'fields' => ['username' => 'name', 'password' => 'password'],
                    'userModel' => 'Users',
                    'scope' => array('Users.locked' => 0, 'Users.dpa_approved' => 1)
                ],
            ],
            'checkAuthIn' => 'Controller.initialize',
            'storage' => 'Memory',
            'unauthorizedRedirect' => false,
            'authorize' => [
                'Controller' // isAuthorized method in Controllers
            ],
            'authError' => __('Access denied.')
        ]);

(It’s called Ldap because I wrote a custom Auth where, depending on another field; the auth is done via Ldap or via SQL database. I think I will remove this Ldap feature completely, because there is currently no documentation as it was in cakePHP 3 to achieve all that.)

You have seen Migration from the AuthComponent - 2.x to help with the migration process? And documentation about the built-in LDAP identifier, which might be useful?

As for incorporating your locked field into the decision, that would be done by specifying a custom finder on the ORM Resolver in your identifier setup.

Hey thank you for your answer.

Yeah I already checked the migration from… link and that was why I wrote, that the documentation is so minimal, because it’s missing any infos about HttpBasic migration, which is different, for example it doesn’t mention that the “allowUnauthenticated” not working for HttpBasic, but maybe it is only my bad knowledge, don’t know…

The LDAP identifier might be useful, I will try it.

The ORM Resolver is the solution to my problem I think, hope I understand it - it’s a bit hard for me to understand this without code examples.

I managed it after some time

Now the last thing what I didn’t find out:

Is it possible to use multiple identifiers and if yes, how can I find out which identifier authenticated my user?

From the first link I sent above:

If credentials are found, they are passed to a collection of identifiers where the user is located. For that reason authenticators take an IdentifierCollection as first constructor argument.

So yes, multiple identifiers can be used. How to find which identifier was successful is addressed here.