From f624cd6bd5521847d4ae6e75cc525acdc410c7ec Mon Sep 17 00:00:00 2001
From: mjansen
Date: Wed, 17 Dec 2025 11:51:35 +0100
Subject: [PATCH 1/3] ApacheAuth: Add missing PHP constant in SSO endpoint
---
 sso/index.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/sso/index.php b/sso/index.php
index f0f7eb02344e..bef3bda05966 100644
--- a/sso/index.php
+++ b/sso/index.php
@@ -21,6 +21,7 @@
 $_COOKIE["ilClientId"] = $_GET["client_id"];
 }
+define('IL_CERT_SSO', true);
 define('IL_COOKIE_PATH', $cookie_path);
 include_once './Services/Context/classes/class.ilContext.php';
From fa77d0c814b2fb3b29b549df40c021cda535b5ad Mon Sep 17 00:00:00 2001
From: mjansen
Date: Wed, 17 Dec 2025 11:59:59 +0100
Subject: [PATCH 2/3] ApacheAuth: Ignore `force_login` command
This commit suggests ignoring the `force_login` command in the `tryAuthenticationOnLoginPage` function. If the public area is **enabled**, and ILIAS detects that the user has **no valid ILIAS session and access** to the requested resource, an HTTP redirect to the login view with a `cmd=force_login` query parameter will be initiated. This currently leads to a problem where the automatically initiated "Apache Authentication" Single Sign-On will **not** be triggered, even if configured this way. Effect: With this change, requesting the login page with an **enabled** "Apache Authentication" will only be possible **without** triggering the automatically initiated Single Sign-On, if `passed_sso=1` is given in the query parameters (no change was required to achieve this behaviour).
---
 .../Frontend/class.ilAuthFrontendCredentialsApache.php | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/Services/Authentication/classes/Frontend/class.ilAuthFrontendCredentialsApache.php b/Services/Authentication/classes/Frontend/class.ilAuthFrontendCredentialsApache.php
index 7b2acdf6e9d4..f891e9dbc7e8 100644
--- a/Services/Authentication/classes/Frontend/class.ilAuthFrontendCredentialsApache.php
+++ b/Services/Authentication/classes/Frontend/class.ilAuthFrontendCredentialsApache.php
@@ -50,15 +50,6 @@ public function __construct(ServerRequestInterface $httpRequest, ilCtrlInterface
 */
 public function tryAuthenticationOnLoginPage(): void
 {
- $cmd = (string) ($this->httpRequest->getQueryParams()['cmd'] ?? '');
- if ('' === $cmd) {
- $cmd = (string) ($this->httpRequest->getParsedBody()['cmd'] ?? '');
- }
-
- if ('force_login' === $cmd) {
- return;
- }
-
 if (!$this->getSettings()->get('apache_enable_auth', '0')) {
 return;
 }
From 2c453b37deafe900472022a6de4cecfda11a55c6 Mon Sep 17 00:00:00 2001
From: mjansen
Date: Fri, 2 Jan 2026 15:12:43 +0100
Subject: [PATCH 3/3] ApacheAuth: Fix losing "target" parameter during SSO on the login page
---
 .../class.ilAuthFrontendCredentialsApache.php | 81 ++++++++++---------
 Services/Init/classes/class.ilStartUpGUI.php | 4 +-
 2 files changed, 46 insertions(+), 39 deletions(-)
diff --git a/Services/Authentication/classes/Frontend/class.ilAuthFrontendCredentialsApache.php b/Services/Authentication/classes/Frontend/class.ilAuthFrontendCredentialsApache.php
index f891e9dbc7e8..06013398919b 100644
--- a/Services/Authentication/classes/Frontend/class.ilAuthFrontendCredentialsApache.php
+++ b/Services/Authentication/classes/Frontend/class.ilAuthFrontendCredentialsApache.php
@@ -18,27 +18,23 @@
 declare(strict_types=1);
-use Psr\Http\Message\ServerRequestInterface;
-
-/**
- * Description of class class
- *
- * @author Stefan Meyer
- * @author Michael Jansen
- *
- */
 class ilAuthFrontendCredentialsApache extends ilAuthFrontendCredentials
 {
- private ServerRequestInterface $httpRequest;
- private ilCtrlInterface $ctrl;
- private ilSetting $settings;
- private ilLogger $logger;
-
- public function __construct(ServerRequestInterface $httpRequest, ilCtrlInterface $ctrl)
- {
+ private readonly \ILIAS\HTTP\GlobalHttpState $http;
+ private readonly \ILIAS\Refinery\Factory $refinery;
+ private readonly ilCtrlInterface $ctrl;
+ private readonly ilSetting $settings;
+ private readonly ilLogger $logger;
+
+ public function __construct(
+ \ILIAS\HTTP\GlobalHttpState $http,
+ \ILIAS\Refinery\Factory $refinery,
+ ilCtrlInterface $ctrl
+ ) {
 global $DIC;
 $this->logger = $DIC->logger()->auth();
- $this->httpRequest = $httpRequest;
+ $this->http = $http;
+ $this->refinery = $refinery;
 $this->ctrl = $ctrl;
 $this->settings = new ilSetting('apache_auth');
 parent::__construct();
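Review bot: The removed class docblock is not replaced, so `ilAuthFrontendCredentialsApache` now has no description at all. A one-line replacement would do, for example `/** Credentials frontend for Apache authentication: starts the SSO redirect on the login page and reads the mapped username from the server parameters. */`. The constructor also still fetches the logger through `global $DIC` while `$http`, `$refinery` and `$ctrl` are injected. An optional trailing parameter with `$this->logger = $logger ?? $DIC->logger()->auth();` would remove that hidden dependency without breaking the two call sites.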
@@ -61,27 +57,31 @@ public function tryAuthenticationOnLoginPage(): void
 if (
 (defined('IL_CERT_SSO') && (int) IL_CERT_SSO === 1) ||
 !ilContext::supportsRedirects() ||
- isset($this->httpRequest->getQueryParams()['passed_sso'])
+ $this->http->wrapper()->query()->has('passed_sso')
 ) {
 return;
 }
- $path = (string) ($this->httpRequest->getServerParams()['REQUEST_URI'] ?? '');
- if (strpos($path, '/') === 0) {
- $path = substr($path, 1);
+ $url = (string) ($this->http->request()->getServerParams()['REQUEST_URI'] ?? '');
+ if (str_starts_with($url, '/')) {
+ $url = substr($url, 1);
 }
- if (strpos($path, 'http') !== 0) {
+ if (!str_starts_with($url, 'http')) {
 $parts = parse_url(ILIAS_HTTP_PATH);
- $path = $parts['scheme'] . '://' . $parts['host'] . '/' . $path;
+ $url = $parts['scheme'] . '://' . $parts['host'] . '/' . $url;
+ }
+
+ $uri = new \ILIAS\Data\URI($url);
+ // We assume that the current script is always "login.php" if the "target" query parameter is set on the login page.
+ if ($this->http->wrapper()->query()->has('target')) {
+ $uri = $uri->withPath(str_replace('login.php', 'goto.php', $uri->getPath()));
 }
 $this->ctrl->redirectToURL(
 ilUtil::getHtmlPath(
 './sso/index.php?force_mode_apache=1&' .
- 'r=' . urlencode($path) .
- '&cookie_path=' . urlencode(IL_COOKIE_PATH) .
- '&ilias_path=' . urlencode(ILIAS_HTTP_PATH)
+ 'r=' . urlencode($this->refinery->uri()->toString()->transform($uri))
 )
 );
 }
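Review bot: The `r` value is still built from the client-supplied `REQUEST_URI`, and `str_starts_with($url, 'http')` treats any request path that merely begins with `http` as an absolute URL, so scheme and host then come from the request instead of `ILIAS_HTTP_PATH`. Tightening the test to `if (!preg_match('#^https?://#i', $url)) {` keeps the absolute-form case and rebuilds everything else from the configured base; comparing the resulting host with the one in `ILIAS_HTTP_PATH` would close the rest. The new `new \ILIAS\Data\URI($url)` runs on that same unvalidated string, and if the constructor throws on input it cannot parse (I believe it raises `\InvalidArgumentException`), the login page fails instead of rendering, so catch it and return without redirecting. `str_replace('login.php', 'goto.php', $uri->getPath())` rewrites every occurrence in the path rather than only the trailing script name, which the "We assume" comment does not cover. The function begins above this hunk.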
@@ -93,15 +93,15 @@ protected function getSettings(): ilSetting
 public function initFromRequest(): void
 {
- $mappingFieldName = $this->getSettings()->get('apache_auth_username_direct_mapping_fieldname', '');
+ $mapping_field_name = $this->getSettings()->get('apache_auth_username_direct_mapping_fieldname', '');
- $this->logger->dump($this->httpRequest->getServerParams(), ilLogLevel::DEBUG);
- $this->logger->debug($mappingFieldName);
+ $this->logger->dump($this->http->request()->getServerParams(), ilLogLevel::DEBUG);
+ $this->logger->debug($mapping_field_name);
 switch ($this->getSettings()->get('apache_auth_username_config_type')) {
 case ilAuthProviderApache::APACHE_AUTH_TYPE_DIRECT_MAPPING:
- if (isset($this->httpRequest->getServerParams()[$mapping_field_name])) {
- $this->setUsername($this->httpRequest->getServerParams()[$mappingFieldName]);
+ if (isset($this->http->request()->getServerParams()[$mapping_field_name])) {
+ $this->setUsername($this->http->request()->getServerParams()[$mapping_field_name]);
 }
 break;
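Review bot: `$this->logger->dump($this->http->request()->getServerParams(), ilLogLevel::DEBUG)` in `initFromRequest()` writes the complete server-parameter array to the auth log. On a usual PHP setup that array includes `HTTP_COOKIE`, `HTTP_AUTHORIZATION` and `PHP_AUTH_PW`, so session identifiers and credentials land in log files whenever debug logging is enabled. Dump a filtered copy instead, e.g. `array_diff_key($this->http->request()->getServerParams(), array_flip(['HTTP_COOKIE', 'HTTP_AUTHORIZATION', 'PHP_AUTH_PW']))`, or log only whether the mapped field is present. The username is read from whichever server parameter the setting names; if that key is an `HTTP_*` entry it is a request header, so a comment stating that the web server must set or strip it would help the next reader. The method continues below this hunk.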
@@ -113,26 +113,33 @@ public function initFromRequest(): void
 public function hasValidTargetUrl(): bool
 {
- $targetUrl = trim((string) ($this->httpRequest->getQueryParams()['r'] ?? ''));
- if ($targetUrl === '') {
+ $target_url = trim(
+ $this->http->wrapper()->query()->retrieve('r', $this->refinery->byTrying([
+ $this->refinery->kindlyTo()->string(),
+ $this->refinery->always(''),
+ ]))
+ );
+ if ($target_url === '') {
 return false;
 }
- $validDomains = [];
+ $valid_hosts = [];
 $path = ILIAS_DATA_DIR . '/' . CLIENT_ID . '/apache_auth_allowed_domains.txt';
 if (file_exists($path) && is_readable($path)) {
 foreach (file($path) as $line) {
 if (trim($line)) {
- $validDomains[] = trim($line);
+ $valid_hosts[] = trim($line);
 }
 }
 }
- return (new ilWhiteListUrlValidator($targetUrl, $validDomains))->isValid();
+ return (new ilWhiteListUrlValidator($target_url, $valid_hosts))->isValid();
 }
 public function getTargetUrl(): string
 {
- return ilUtil::appendUrlParameterString(trim($this->httpRequest->getQueryParams()['r']), 'passed_sso=1');
+ $target_url = trim($this->http->wrapper()->query()->retrieve('r', $this->refinery->kindlyTo()->string()));
+
+ return ilUtil::appendUrlParameterString($target_url, 'passed_sso=1');
 }
 }
diff --git a/Services/Init/classes/class.ilStartUpGUI.php b/Services/Init/classes/class.ilStartUpGUI.php
index f59d48676252..513f04d77eef 100755
--- a/Services/Init/classes/class.ilStartUpGUI.php
+++ b/Services/Init/classes/class.ilStartUpGUI.php
@@ -262,7 +262,7 @@ private function showLoginPage(ILIAS\UI\Component\Input\Container\Form\Form $for
 $credentials->setPassword($soapPw);
 $credentials->tryAuthenticationOnLoginPage();
- $frontend = new ilAuthFrontendCredentialsApache($this->httpRequest, $this->ctrl);
+ $frontend = new ilAuthFrontendCredentialsApache($this->http, $this->refinery, $this->ctrl);
 $frontend->tryAuthenticationOnLoginPage();
 $tpl = self::initStartUpTemplate('tpl.login.html');
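Review bot: In class.ilAuthFrontendCredentialsApache.php, `getTargetUrl()` returns the raw `r` query parameter without checking it, so it is only safe as a redirect target when the caller has already called `hasValidTargetUrl()`; nothing in the class enforces or documents that order. It also reads `r` with a bare `kindlyTo()->string()`, while `hasValidTargetUrl()` wraps the same read in `byTrying([..., always('')])`, so a missing or non-scalar `r` is handled differently by the two methods (presumably an exception in `getTargetUrl()`). I would add `/** Returns the redirect target; call only after hasValidTargetUrl() returned true. */` and move the read of `r` into one private helper used by both. In `hasValidTargetUrl()`, `file($path)` can return `false` even after the `is_readable()` check, so `foreach (file($path) ?: [] as $line)` avoids iterating a boolean. The ilStartUpGUI call-site hunk on the same line only follows the new constructor signature.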
@@ -688,7 +688,7 @@ private function doApacheAuthentication(): void
 {
 $this->getLogger()->debug('Trying apache authentication');
- $credentials = new ilAuthFrontendCredentialsApache($this->httpRequest, $this->ctrl);
+ $credentials = new ilAuthFrontendCredentialsApache($this->http, $this->refinery, $this->ctrl);
 $credentials->initFromRequest();
 $provider_factory = new ilAuthProviderFactory();