I used Zend Rest Controller for developing a web service, and now I need to authenticate users before they can access my page.
For this, I am planning to use HTTP Authentication with curl, like this:
curl_setopt($ch, CURLOPT_USERPWD, "myusername:mypassword");
And I call that curl page like this:
curl -u myusername:mypassword http://localhost/controller/action/page.xml
I have a big doubt.
Do I need to store the usernames and passwords in a .htpasswd file? If so, how do I need to retrieve parameters and validate them?
If you use .htaccess the webserver will silently handle everything for you. You can assume (unless you have made a mistake) that the person is authorised.
But if you want to use HTTP auth and get the user name and password to use in your own login system, then you need to write the script that's being called as shown here.
http://php.net/manual/en/features.http-auth.php
Apart from sending through the username and password, curl really has nothing to do with it. It just acts as an HTTP client, just like a web browser does.
How you perform auth comes down to what you are trying to achieve. HTTP auth is a simple authentication system.
DC
The link that I gave you shows you how to do it. The page you are calling MUST send back an authentication request otherwise curl will not forward the authentication details.
If you use a .htaccess and .htpasswd file you WILL NOT get to see the authentication because the webserver will remove those headers. If you are using a custom HTTP auth like the one in the link I provided then you will get access to them ONLY after the auth request is sent, which means the first time the page is loaded you won't get them.
What I mean by that is: first curl asks for the page without any credentials; if it gets the page then it stops; if it gets a request for credentials it then sends them.
This means if you want http://localhost/controller/action/page.xml
to see the credentials then it must ask for them. If it's a static page, which it looks like it is, then it will not ask for the credentials.
Did you mean to type http://localhost/controller/action/page.php?
DC
The process goes like this...
curl ---> page.php (first request)
curl <--- page.php (first reply) "Please identify yourself" ('401 unauthorised' http code)
curl username:password ---> page.php (second request now includes user auth)
curl <--- page.php (second reply) ok here is the page (if id successful)
OK, as promised, some working examples.
First create 2 PHP scripts.
auth.php is a modified copy of the example provided from the link I posted above:
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    // No credentials received yet: send the Basic challenge so the client retries with them.
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo "User name and password is required. Please try again.\n";
} else {
    // we now have access to the user and password :)
    // (echoed back here only to demonstrate that the script received them)
    echo "Hello {$_SERVER['PHP_AUTH_USER']}\n";
    echo "You entered {$_SERVER['PHP_AUTH_PW']} as your password.\n";
}
?>
curlfetch.php is a copy of your script from your other post
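<?php
$curl = curl_init('http://localhost/auth.php');
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);           // return the body instead of printing it
curl_setopt($curl, CURLOPT_USERPWD, 'key:123456');       // credentials sent when the server asks
curl_setopt($curl, CURLOPT_HTTPAUTH, CURLAUTH_ANY);      // let curl pick the scheme the server offers
// Certificate verification stays on. It has no effect for this http:// URL,
// but it must not be disabled if the target is changed to https://.
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curl, CURLOPT_USERAGENT, 'Sample Code');
$response = curl_exec($curl);
$resultStatus = curl_getinfo($curl);
if ($resultStatus['http_code'] == 200) {
    echo $response;
} else {
    // print_r() needs its second argument set to true to return the string for concatenation
    echo 'Call Failed ' . print_r($resultStatus, true);
}
?>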
Create and save those scripts on your server.
Now test script 1 without a password:
curl http://localhost/auth.php
This results in...
User name and password is required. Please try again.
Now try with a password
curl -u user:pass http://localhost/auth.php
This results in...
Hello user
You entered pass as your password.
Now try the second script. Note we don't supply a username or password as that is supplied within the script.
curl http://localhost/curlfetch.php
That results in...
Hello key
You entered 123456 as your password.
Now, as a reference, try calling both scripts from your browser.
DC
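Added example, not part of the original posts: auth.php above only echoes the credentials back, so this sketch shows one way to validate them on the server, which is the "how do I retrieve parameters and validate them" part of the question. The user store, the sample header values, the function names parseBasicAuth and checkCredentials, and the HTTP_AUTHORIZATION fallback for setups where PHP_AUTH_USER is not populated are all assumptions made for illustration.

```php
<?php
// Constructed user store (assumption): username => password_hash() output, never plaintext.
$users = ['key' => password_hash('123456', PASSWORD_DEFAULT)];

// Parse an "Authorization: Basic <base64>" value into [user, password], or null.
function parseBasicAuth(?string $header): ?array
{
    if ($header === null || !preg_match('~^Basic\s+([A-Za-z0-9+/=]+)$~i', trim($header), $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2); // the password may itself contain ':'
}

function checkCredentials(array $users, ?array $creds): bool
{
    if ($creds === null) {
        return false;
    }
    [$user, $pass] = $creds;
    // Unknown users are checked against a dummy hash so both paths do the same work.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $known = isset($users[$user]);
    return password_verify($pass, $known ? $users[$user] : $dummy) && $known;
}

if (PHP_SAPI === 'cli') {
    // Offline check with constructed header values.
    $samples = [null, 'Basic ' . base64_encode('key:123456'),
                'Basic ' . base64_encode('key:wrong'), 'Basic !!!'];
    foreach ($samples as $h) {
        $ok = checkCredentials($users, parseBasicAuth($h));
        printf("%-24s => %d\n", var_export($h, true), $ok ? 200 : 401);
    }
} else {
    // Use PHP_AUTH_* when PHP populated them, else fall back to the raw header.
    $creds = isset($_SERVER['PHP_AUTH_USER'])
        ? [$_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ?? '']
        : parseBasicAuth($_SERVER['HTTP_AUTHORIZATION'] ?? null);
    if (!checkCredentials($users, $creds)) {
        header('WWW-Authenticate: Basic realm="My Realm"');
        http_response_code(401);
        exit("User name and password is required. Please try again.\n");
    }
    echo 'Hello ' . htmlspecialchars($creds[0]) . "\n";
}
```

Basic credentials are only base64-encoded on the wire, so a script like this belongs behind HTTPS.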