Title: HTTP Authentication
Author: Daniel Westermann-Clark
Published: March 10, 2005
Last modified: April 24, 2024

---

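This plugin **has not been tested with the latest 3 major releases of WordPress**. It may no longer
be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.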

# HTTP Authentication

 By [Daniel Westermann-Clark](https://profiles.wordpress.org/dwc/)

[Download](https://downloads.wordpress.org/plugin/http-authentication.4.6.zip)

## Description

The HTTP Authentication plugin allows you to use existing means of authenticating
people to WordPress. This includes Apache’s basic HTTP authentication module, [Shibboleth](http://shibboleth.internet2.edu/),
and many others.

To follow updates to this plugin, visit:

https://danieltwc.com/

For help with this version, visit:

https://danieltwc.com/2011/http-authentication-4-0/

## Screenshots

 * Plugin options, allowing WordPress authentication
 * WordPress login form with external authentication link

## Installation

 1. Log in as an existing user, such as admin.
 2. Upload the `http-authentication` folder to your plugins folder, usually `wp-content/plugins`.
    (Or simply via the built-in installer.)
 3. Activate the plugin on the Plugins screen.
 4. Add one or more users to WordPress, specifying the external username for the “Username”
    field. Also be sure to set the role for each user.
 5. Log out.
 6. Protect `wp-login.php` and `wp-admin` using your external authentication (using,
    for example, `.htaccess` files).
 7. Try logging in as one of the users added in step 4.

## FAQ

### What authentication mechanisms can I use?

Any authentication mechanism which sets the `REMOTE_USER` (or `REDIRECT_REMOTE_USER`,
in the case of ScriptAlias’d PHP-as-CGI) environment variable can be used in conjunction
with this plugin. Examples include Apache’s `mod_auth` and `mod_auth_ldap`.

### How should I set up external authentication?

This depends on your hosting environment and your means of authentication.

Many Apache installations allow configuration of authentication via `.htaccess` 
files, while some do not. Try adding the following to your blog’s top-level `.htaccess`
file:

```
AuthName "WordPress"
AuthType Basic
AuthUserFile /path/to/passwords
Require user dwc
```

(You may also want to protect your `xmlrpc.php` file, which uses separate authentication
code.)

Then, create another `.htaccess` file in your `wp-admin` directory with the following
contents:

```
AuthName "WordPress"
AuthType Basic
AuthUserFile /path/to/passwords
Require user dwc
```

In both files, be sure to set `/path/to/passwords` to the location of your password
file. For more information on creating this file, see below.

### Where can I find more information on configuring Apache authentication?

See Apache’s HOWTO: [Authentication, Authorization, and Access Control](http://httpd.apache.org/docs/howto/auth.html).

### How does this plugin authenticate users?

This plugin doesn’t actually authenticate users. It simply feeds WordPress the name
of a user who has successfully authenticated through Apache.

To determine the username, this plugin uses the `REMOTE_USER` or the `REDIRECT_REMOTE_USER`
environment variable, which is set by many Apache authentication modules. If someone
can find a way to spoof this value, this plugin is not guaranteed to be secure.

By default, this plugin generates a random password each time you create a user 
or edit an existing user’s profile. However, since this plugin requires an external
authentication mechanism, this password is not requested by WordPress. Generating
a random password helps protect accounts, preventing one authorized user from pretending
to be another.
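
The username lookup described above, written out as an added example (this is not the plugin's own code). `resolve_external_username()`, its `$extraKeys` parameter and the sample arrays are hypothetical; only `REMOTE_USER` and `REDIRECT_REMOTE_USER` come from the page. It shows why a value that arrives as a request header must never be treated as the authenticated user.

```php
<?php
// Added example, not the plugin's source. resolve_external_username() and the
// sample arrays are hypothetical; the two variable names come from the FAQ.

function resolve_external_username(array $server, array $extraKeys = []): ?string
{
    // Variables filled in by the web server's authentication module.
    $keys = array_merge(['REMOTE_USER', 'REDIRECT_REMOTE_USER'], $extraKeys);

    foreach ($keys as $key) {
        // PHP exposes request headers as $_SERVER['HTTP_<NAME>'], so those
        // entries are chosen by the client and must never serve as an identity.
        if (stripos($key, 'HTTP_') === 0) {
            throw new InvalidArgumentException("$key is client-controlled");
        }
        $value = $server[$key] ?? null;
        if (is_string($value) && $value !== '') {
            return $value;
        }
    }
    return null; // the web server did not authenticate this request
}

// Constructed sample environments.
$samples = [
    'mod_auth'    => ['REMOTE_USER' => 'dwc'],
    'php-as-cgi'  => ['REDIRECT_REMOTE_USER' => 'dwc'],
    'header only' => ['HTTP_REMOTE_USER' => 'admin'], // arrived as a request header
    'empty value' => ['REMOTE_USER' => ''],
];

foreach ($samples as $label => $server) {
    $user = resolve_external_username($server);
    printf("%-12s => %s\n", $label, $user ?? '(not authenticated)');
}

// An extra variable that is really a request header is rejected outright.
try {
    resolve_external_username([], ['HTTP_X_REMOTE_USER']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```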

### If I disable this plugin, how will I login?

Because this plugin generates a random password when you create a new user or edit
an existing user’s profile, you will most likely have to reset each user’s password
if you disable this plugin. WordPress provides a link for requesting a new password
on the login screen.

Also, you should leave the `admin` user as a fallback, i.e. create a new account
to use with this plugin. As long as you don’t edit the `admin` profile, WordPress
will store the password set when you installed WordPress.

In the worst case scenario, you may have to use phpMyAdmin or the MySQL command 
line to [reset a user’s password](https://codex.wordpress.org/Resetting_Your_Password).

### Can I configure the plugin to support standard WordPress logins?

Yes. You can authenticate some users via an external, single sign-on system and 
other users via the built-in username and password combination. (Note: When mixed
authentication is in use, this plugin does not scramble passwords as described above.)

When you configure your external authentication system, make sure that you allow
users in even if they have not authenticated externally. Using [Shibboleth](http://shibboleth.internet2.edu/)
as an example:

```
AuthName "Shibboleth"
AuthType Shibboleth
Require Shibboleth
```

This enables Shibboleth authentication in [“passive” mode](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPProtectContent).

Then, in WordPress:

 1. Set the plugin to allow WordPress authentication.
 2. Configure the login URI to match your Shibboleth system. For example, if your blog
    is hosted at `http://example.com/`, then your login URI should be
    `http://example.com/Shibboleth.sso/Login?target=%redirect_encoded%`.
 3. Configure the logout URI to match your Shibboleth system. Following the above example,
    your logout URI would be `http://example.com/Shibboleth.sso/Logout?return=%redirect_encoded%`.

After saving the options, authentication will work as follows:

 * If a user is already authenticated via Shibboleth, and he or she exists in the
   WordPress database, this plugin will log them in automatically.
 * If a user is not authenticated via Shibboleth, the plugin will present the standard
   WordPress login form with an additional link to login via Shibboleth.

Other authentication systems (particularly those without a login or logout URI) 
will need to be configured differently.

### Does this plugin support multisite (WordPress MU) setups?

Yes, you can enable this plugin across a network or on individual sites. However,
options will need to be set on individual sites.

If you have suggestions on how to improve network support, please submit a comment.

### How do you handle staged deployments (dev, test, prod) with the plugin?

If you have a WordPress site with multiple environments (e.g. `dev.example.com`,
`test.example.com`, and `example.com`) you can use additional variables in the login
and logout URIs:

 * `%host%` – The current value of `$_SERVER['HTTP_HOST']`
 * `%base%` – The base domain URL (everything before the path)
 * `%site%` – The WordPress home URI
 * `%redirect%` – The return URI provided by WordPress

You can also use `%host_encoded%`, `%site_encoded%`, and `%redirect_encoded%` for
URL-encoded values.

For example, your login URI could be:

```
https://%host%/Shibboleth.sso/Login?target=%redirect_encoded%
```

This would be modified for each environment as appropriate.
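
The placeholder expansion, sketched as an added example (not the plugin's own code). `expand_auth_uri()`, `ALLOWED_HOSTS`, the use of `rawurlencode()` and the HTTPS-only `%base%` are assumptions. Because `%host%` is filled from `$_SERVER['HTTP_HOST']`, which reflects the request's Host header, the sketch pins it to the known environments before building the link, and it shows why the return URI belongs in `%redirect_encoded%` when it carries its own query string.

```php
<?php
// Added example, not the plugin's source. expand_auth_uri() and ALLOWED_HOSTS
// are hypothetical; the placeholders are the ones listed in the FAQ.

const ALLOWED_HOSTS = ['dev.example.com', 'test.example.com', 'example.com'];

function expand_auth_uri(string $template, string $host, string $site, string $redirect): string
{
    // HTTP_HOST comes from the request, so accept only the known environments.
    $host = strtolower($host);
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        throw new UnexpectedValueException('unexpected host');
    }

    $values = [
        'host'     => $host,
        'base'     => 'https://' . $host, // assumption: every environment uses HTTPS
        'site'     => $site,
        'redirect' => $redirect,
    ];

    $map = [];
    foreach ($values as $name => $value) {
        $map["%{$name}%"] = $value;
    }
    foreach (['host', 'site', 'redirect'] as $name) {
        // Assumption: percent-encoding per RFC 3986 via rawurlencode().
        $map["%{$name}_encoded%"] = rawurlencode($values[$name]);
    }

    // strtr() substitutes in a single pass, so replaced text is never rescanned.
    return strtr($template, $map);
}

// Constructed sample input: the return URI has its own query string.
$template = 'https://%host%/Shibboleth.sso/Login?target=%redirect_encoded%';
$redirect = 'https://test.example.com/wp-admin/edit.php?post_type=page&paged=2';

echo expand_auth_uri($template, 'test.example.com', 'https://test.example.com', $redirect), "\n";

// A Host value outside the allowlist never reaches the login link.
try {
    expand_auth_uri($template, 'unknown.invalid', 'https://example.com', $redirect);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

With the unencoded `%redirect%` in the same template, `&paged=2` would be read as a separate parameter of the login endpoint and dropped from the return URI.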

## Reviews

### [Well-proven](https://wordpress.org/support/topic/well-proven/)

 [Paul Trafford](https://profiles.wordpress.org/paul_mhs/) April 10, 2018

Installed HTTP Authentication in a couple of Multisite instances and configured 
it to use Stanford WebAuth. That was back in 2011. It was quite simple to set up
and has been running reliably ever since. Now that WebAuth is EOL, am replacing 
with Shibboleth and this seems to work fine too. I would very much like to stick
with this plugin, though as it hasn’t been updated for a while I need to consider
alternatives.

## Contributors & Developers

“HTTP Authentication” is open source software. The following people have contributed to this plugin.

Contributors

 *   [ Daniel Westermann-Clark ](https://profiles.wordpress.org/dwc/)

### Interested in development?

Anyone can [browse the code](https://plugins.trac.wordpress.org/browser/http-authentication/),
check out the [SVN repository](https://plugins.svn.wordpress.org/http-authentication/), or subscribe to the
[development log](https://plugins.trac.wordpress.org/log/http-authentication/) by
[RSS](https://plugins.trac.wordpress.org/log/http-authentication/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 4.6

 * Add PHP 7/8 compatibility by updating constructor to use __construct

#### 4.5

 * Avoid some PHP notices due to saving options (William Schneider)
 * Fix for redirect loop on some multisite setups (#1497)
 * Add option to support additional $_SERVER variables in authentication (#1477)
 * Remove use of call-time pass by reference to avoid warnings on PHP 5.3 and newer
 * Fix deprecation notice in WordPress 3.3 on `get_userdatabylogin` (#1513)
 * Fix deprecation notice in WordPress 3.1 and later for including wp-includes/registration.php
 * Associate options page label tags with their input fields (#1514)

#### 4.4

 * Update CSS to correctly center login button on WordPress 3.3

#### 4.3

 * Update plugin URIs

#### 4.2

 * Declare support for WordPress 3.2.1
 * Extend variable replacement for staged deployments
 * Wrap redirect parameter on login to force us through `wp-login.php` so we can
   check the external authentication (thanks to Josh Larios)

#### 4.1

 * Declare support for WordPress 3.2
 * Update screenshots for WordPress 3.2

#### 4.0

 * Restore (and improve) support for falling back to WordPress password authentication
 * Remove migration of old options format (we’ll assume enough people have upgraded)

#### 3.3

 * Update options handling to better support WordPress MU

#### 3.2

 * Restore password generation for adding and editing users

#### 3.1

 * Bump version number to make 3.0.1 the latest version on wordpress.org

#### 3.0.1

 * Handle authentication cookies more gracefully

#### 3.0

 * Add support for WordPress 3.0
 * Update WordPress MU support for WordPress 3.0

#### 2.4

 * Add support for WordPress MU (Elliot Kendall)
 * Allow for mixed HTTP and built-in authentication by falling back to wp-login.php
   (Elliot Kendall)

## Meta

 *  Version **4.6**
 *  Last updated **2 years ago**
 *  Active installations **600+**
 *  WordPress version **3.1 or higher**
 *  Tested up to **6.5.8**
 *  Language: [English (US)](https://wordpress.org/plugins/http-authentication/)
 *  Tags: [authentication](https://tw.wordpress.org/plugins/tags/authentication/)

## Ratings

 5 out of 5 stars

 *  [1 five-star review](https://wordpress.org/support/plugin/http-authentication/reviews/?filter=5)
 *  [0 four-star reviews](https://wordpress.org/support/plugin/http-authentication/reviews/?filter=4)
 *  [0 three-star reviews](https://wordpress.org/support/plugin/http-authentication/reviews/?filter=3)
 *  [0 two-star reviews](https://wordpress.org/support/plugin/http-authentication/reviews/?filter=2)
 *  [0 one-star reviews](https://wordpress.org/support/plugin/http-authentication/reviews/?filter=1)

## Support

Users can post feedback or usage questions in the support forum.

 [View support forum](https://wordpress.org/support/plugin/http-authentication/)