Class AuthComponent

Authentication control component class.

Binds access control with user authentication and session management.

Cake\Controller\Component implements Cake\Event\EventListenerInterface uses Cake\Core\InstanceConfigTrait , Cake\Log\LogTrait

Cake\Controller\Component\AuthComponent uses Cake\Event\EventDispatcherTrait

Namespace: Cake\Controller\Component
Link: https://book.cakephp.org/3.0/en/controllers/components/authentication.html
Location: Controller/Component/AuthComponent.php

Constants summary

string

ALL

'all'
string

QUERY_STRING_REDIRECT

'redirect'

Properties summary

$_authenticateObjects protected

Cake\Auth\BaseAuthenticate[]
Objects that will be used for authentication checks.
$_authenticationProvider protected

Cake\Auth\BaseAuthenticate

The instance of the Authenticate provider that was used for successfully logging in the current user after calling login() in the same request
$_authorizationProvider protected

Cake\Auth\BaseAuthorize

The instance of the Authorize provider that was used to grant access to the current user to the URL they are requesting.
$_authorizeObjects protected

Cake\Auth\BaseAuthorize[]
Objects that will be used for authorization checks.
$_defaultConfig protected

array
Default config
$_storage protected

Cake\Auth\Storage\StorageInterface|null
Storage object.
$allowedActions public

array
Controller actions for which user validation is not required.
$components public

array
Other components utilized by AuthComponent
$request public

Cake\Http\ServerRequest
Request object
$response public

Cake\Http\Response
Response object
$session public

Cake\Network\Session
Instance of the Session object

Magic properties summary

$Flash public

Cake\Controller\Component\FlashComponent
$RequestHandler public

Cake\Controller\Component\RequestHandlerComponent

Inherited Properties

_componentMap, _registry _config, _configInitialized _eventClass, _eventManager

Method Summary

__get() public
Magic accessor for backward compatibility for property $sessionKey.
__set() public
Magic setter for backward compatibility for property $sessionKey.
_getUrlToRedirectBackTo() protected
Returns the URL to redirect back to or / if not possible.
_getUser() protected

Similar to AuthComponent::user() except if user is not found in configured storage, connected authentication objects will have their getUser() methods called.
_isAllowed() protected
Checks whether current action is accessible without authentication.
_isLoginAction() protected
Normalizes config loginAction and checks if current request URL is same as login action.
_loginActionRedirectUrl() protected
Returns the URL of the login action to redirect to.
_setDefaults() protected
Sets defaults for configs.
_unauthenticated() protected

Handles unauthenticated access attempt. First the unauthenticated() method of the last authenticator in the chain will be called. The authenticator can handle sending response or redirection as appropriate and return true to indicate no further action is necessary. If authenticator returns null this method redirects user to login action. If it's an AJAX request and config ajaxLogin is specified that element is rendered else a 403 HTTP status code is returned.
_unauthorized() protected
Handle unauthorized access attempt
allow() public

Takes a list of actions in the current controller for which authentication is not required, or no parameters to allow all actions.
authCheck() public

Main execution method, handles initial authentication check and redirection of invalid users.
authenticationProvider() public

If login was called during this request and the user was successfully authenticated, this function will return the instance of the authentication object that was used for logging the user in.
authorizationProvider() public

If there was any authorization processing for the current request, this function will return the instance of the Authorization object that granted access to the user to the current address.
constructAuthenticate() public
Loads the configured authentication objects.
constructAuthorize() public
Loads the authorization objects configured.
deny() public
Removes items from the list of allowed/no authentication required actions.
flash() public
Set a flash message. Uses the Flash component with values from flash config.
getAuthenticate() public
Getter for authenticate objects. Will return a particular authenticate object.
getAuthorize() public
Getter for authorize objects. Will return a particular authorize object.
identify() public

Use the configured authentication adapters, and attempt to identify the user by credentials contained in $request.
implementedEvents() public
Events supported by this component.
initialize() public
Initialize properties.
isAuthorized() public
Check if the provided user is authorized for the request.
logout() public
Log a user out.
redirectUrl() public
Get the URL a user should be redirected to upon login.
setUser() public
Set provided user info to storage as logged in user.
startup() public
Callback for Controller.startup event.
storage() public
Get/set user record storage object.
user() public
Get the current user from storage.

Method Detail

__get()source public

__get( string $name )

Magic accessor for backward compatibility for property $sessionKey.

Parameters

string $name: Property name

Returns

mixed

Overrides

Cake\Controller\Component::__get()

__set()source public

__set( string $name , mixed $value )

Magic setter for backward compatibility for property $sessionKey.

Parameters

string $name: Property name.
mixed $value: Value to set.

_getUrlToRedirectBackTo()source protected

_getUrlToRedirectBackTo( )

Returns the URL to redirect back to or / if not possible.

This method takes the referrer into account if the request is not of type GET.

Returns

string

_getUser()source protected

_getUser( )

Similar to AuthComponent::user() except if user is not found in configured storage, connected authentication objects will have their getUser() methods called.

This lets stateless authentication methods function correctly.

Returns

boolean
true If a user can be found, false if one cannot.

_isAllowed()source protected

_isAllowed( Cake\Controller\Controller $controller )

Checks whether current action is accessible without authentication.

Parameters

Cake\Controller\Controller $controller: A reference to the instantiating controller object

Returns

boolean
True if action is accessible without authentication else false

_isLoginAction()source protected

_isLoginAction( Cake\Controller\Controller $controller )

Normalizes config loginAction and checks if current request URL is same as login action.

Parameters

Cake\Controller\Controller $controller: A reference to the controller object.

Returns

boolean
True if current action is login action else false.

_loginActionRedirectUrl()source protected

_loginActionRedirectUrl( )

Returns the URL of the login action to redirect to.

This includes the redirect query string if applicable.

Returns

array|string

_setDefaults()source protected

_setDefaults( )

Sets defaults for configs.

_unauthenticated()source protected

_unauthenticated( Cake\Controller\Controller $controller )

Handles unauthenticated access attempt. First the unauthenticated() method of the last authenticator in the chain will be called. The authenticator can handle sending response or redirection as appropriate and return true to indicate no further action is necessary. If authenticator returns null this method redirects user to login action. If it's an AJAX request and config ajaxLogin is specified that element is rendered else a 403 HTTP status code is returned.

Parameters

Cake\Controller\Controller $controller: A reference to the controller object.

Returns

Cake\Http\Response|null

Null if current action is login action else response object returned by authenticate object or Controller::redirect().

Throws

Cake\Core\Exception\Exception

_unauthorized()source protected

_unauthorized( Cake\Controller\Controller $controller )

Handle unauthorized access attempt

Parameters

Cake\Controller\Controller $controller: A reference to the controller object

Returns

Cake\Http\Response

Throws

Cake\Network\Exception\ForbiddenException

allow()source public

allow( string|array|null $actions null )

Takes a list of actions in the current controller for which authentication is not required, or no parameters to allow all actions.

You can use allow with either an array or a simple string.

$this->Auth->allow('view');
$this->Auth->allow(['edit', 'add']);

or to allow all actions

$this->Auth->allow();

Parameters

string|array|null $actions optional null: Controller action name or array of actions

Link

https://book.cakephp.org/3.0/en/controllers/components/authentication.html#making-actions-public

authCheck()source public

authCheck( Cake\Event\Event $event )

Main execution method, handles initial authentication check and redirection of invalid users.

The auth check is done when event name is same as the one configured in checkAuthIn config.

Parameters

Cake\Event\Event $event: Event instance.

Returns

Cake\Http\Response|null

authenticationProvider()source public

authenticationProvider( )

If login was called during this request and the user was successfully authenticated, this function will return the instance of the authentication object that was used for logging the user in.

Returns

Cake\Auth\BaseAuthenticate|null

authorizationProvider()source public

authorizationProvider( )

If there was any authorization processing for the current request, this function will return the instance of the Authorization object that granted access to the user to the current address.

Returns

Cake\Auth\BaseAuthorize|null

constructAuthenticate()source public

constructAuthenticate( )

Loads the configured authentication objects.

Returns

array|null
The loaded authorization objects, or null on empty authenticate value.

Throws

Cake\Core\Exception\Exception

constructAuthorize()source public

constructAuthorize( )

Loads the authorization objects configured.

Returns

array|null
The loaded authorization objects, or null when authorize is empty.

Throws

Cake\Core\Exception\Exception

deny()source public

deny( string|array|null $actions null )

Removes items from the list of allowed/no authentication required actions.

You can use deny with either an array or a simple string.

$this->Auth->deny('view');
$this->Auth->deny(['edit', 'add']);

$this->Auth->deny();

to remove all items from the allowed list

Parameters

string|array|null $actions optional null: Controller action name or array of actions

See

\Cake\Controller\Component\AuthComponent::allow()

Link

https://book.cakephp.org/3.0/en/controllers/components/authentication.html#making-actions-require-authorization

flash()source public

flash( string $message )

Set a flash message. Uses the Flash component with values from flash config.

Parameters

string $message: The message to set.

getAuthenticate()source public

getAuthenticate( string $alias )

Getter for authenticate objects. Will return a particular authenticate object.

Parameters

string $alias: Alias for the authenticate object

Returns

Cake\Auth\BaseAuthenticate|null

getAuthorize()source public

getAuthorize( string $alias )

Getter for authorize objects. Will return a particular authorize object.

Parameters

string $alias: Alias for the authorize object

Returns

Cake\Auth\BaseAuthorize|null

identify()source public

identify( )

Use the configured authentication adapters, and attempt to identify the user by credentials contained in $request.

Triggers Auth.afterIdentify event which the authenticate classes can listen to.

Returns

array|boolean
User record data, or false, if the user could not be identified.

implementedEvents()source public

implementedEvents( )

Events supported by this component.

Returns

array

Overrides

Cake\Controller\Component::implementedEvents()

initialize()source public

initialize( array $config )

Initialize properties.

Parameters

array $config: The config data.

Overrides

Cake\Controller\Component::initialize()

isAuthorized()source public

isAuthorized( array|ArrayAccess|null $user null , Cake\Http\ServerRequest $request null )

Check if the provided user is authorized for the request.

Uses the configured Authorization adapters to check whether or not a user is authorized. Each adapter will be checked in sequence, if any of them return true, then the user will be authorized for the request.

Parameters

array|ArrayAccess|null $user optional null: The user to check the authorization of. If empty the user fetched from storage will be used.
Cake\Http\ServerRequest $request optional null: The request to authenticate for. If empty, the current request will be used.

Returns

boolean
True if $user is authorized, otherwise false

logout()source public

logout( )

Log a user out.

Returns the logout action to redirect to. Triggers the Auth.logout event which the authenticate classes can listen for and perform custom logout logic.

Returns

string
Normalized config logoutRedirect

Link

https://book.cakephp.org/3.0/en/controllers/components/authentication.html#logging-users-out

redirectUrl()source public

redirectUrl( string|array|null $url null )

Get the URL a user should be redirected to upon login.

Pass a URL in to set the destination a user should be redirected to upon logging in.

If no parameter is passed, gets the authentication redirect URL. The URL returned is as per following rules:

Returns the normalized redirect URL from storage if it is present and for the same domain the current app is running on.
If there is no URL returned from storage and there is a config loginRedirect, the loginRedirect value is returned.
If there is no session and no loginRedirect, / is returned.

Parameters

string|array|null $url optional null: Optional URL to write as the login redirect URL.

Returns

string
Redirect URL

setUser()source public

setUser( array|ArrayAccess $user )

Set provided user info to storage as logged in user.

The storage class is configured using storage config key or passing instance to AuthComponent::storage().

Parameters

array|ArrayAccess $user: User data.

Link

https://book.cakephp.org/3.0/en/controllers/components/authentication.html#identifying-users-and-logging-them-in

startup()source public

startup( Cake\Event\Event $event )

Callback for Controller.startup event.

Parameters

Cake\Event\Event $event: Event instance.

Returns

Cake\Http\Response|null

storage()source public

storage( Cake\Auth\Storage\StorageInterface $storage null )

Get/set user record storage object.

Parameters

Cake\Auth\Storage\StorageInterface $storage optional null: Sets provided object as storage or if null returns configured storage object.

Returns

Cake\Auth\Storage\StorageInterface|null

user()source public

user( string|null $key null )

Get the current user from storage.

Parameters

string|null $key optional null: Field to retrieve. Leave null to get entire User record.

Returns

mixed|null
Either User record or null if no user is logged in, or retrieved field if key is specified.

Link

https://book.cakephp.org/3.0/en/controllers/components/authentication.html#accessing-the-logged-in-user

Methods inherited from Cake\Controller\Component

__construct()source public

__construct( Cake\Controller\ComponentRegistry $registry , array $config [] )

Constructor

Parameters

Cake\Controller\ComponentRegistry $registry: A ComponentRegistry this component can use to lazy load its components
array $config optional []: Array of configuration settings.

__debugInfo()source public

__debugInfo( )

Returns an array that can be used to describe the internal state of this object.

Returns

array

getController()source public

getController( )

Get the controller this component is bound to.

Returns

Cake\Controller\Controller
The bound controller.

Methods used from Cake\Event\EventDispatcherTrait

dispatchEvent()source public

dispatchEvent( string $name , array|null $data null , object|null $subject null )

Wrapper for creating and dispatching events.

Returns a dispatched event.

Parameters

string $name: Name of the event.
array|null $data optional null: Any value you wish to be transported with this event to it can be read by listeners.
object|null $subject optional null: The object that this event applies to ($this by default).

Returns

Cake\Event\Event

eventManager()source public

eventManager( Cake\Event\EventManager $eventManager null )

Returns the Cake\Event\EventManager manager instance for this object.

You can use this instance to register any new listeners or callbacks to the object events, or create your own events and trigger them at will.

Deprecated

3.5.0 Use getEventManager()/setEventManager() instead.

Parameters

Cake\Event\EventManager $eventManager optional null: the eventManager to set

Returns

Cake\Event\EventManager

getEventManager()source public

getEventManager( )

Returns the Cake\Event\EventManager manager instance for this object.

You can use this instance to register any new listeners or callbacks to the object events, or create your own events and trigger them at will.

Returns

Cake\Event\EventManager

setEventManager()source public

setEventManager( Cake\Event\EventManager $eventManager )

Returns the Cake\Event\EventManager manager instance for this object.

You can use this instance to register any new listeners or callbacks to the object events, or create your own events and trigger them at will.

Parameters

Cake\Event\EventManager $eventManager: the eventManager to set

Returns

$this

Methods used from Cake\Core\InstanceConfigTrait

_configDelete()source protected

_configDelete( string $key )

Deletes a single config key.

Parameters

string $key: Key to delete.

Throws

Cake\Core\Exception\Exception
if attempting to clobber existing config

_configRead()source protected

_configRead( string|null $key )

Reads a config key.

Parameters

string|null $key: Key to read.

Returns

mixed

_configWrite()source protected

_configWrite( string|array $key , mixed $value , boolean|string $merge false )

Writes a config key.

Parameters

string|array $key: Key to write to.
mixed $value: Value to write.
boolean|string $merge optional false: True to merge recursively, 'shallow' for simple merge, false to overwrite, defaults to false.

Throws

Cake\Core\Exception\Exception
if attempting to clobber existing config

config()source public

config( string|array|null $key null , mixed|null $value null , boolean $merge true )

Gets/Sets the config.

Usage

Reading the whole config:

$this->config();

Reading a specific value:

$this->config('key');

Reading a nested value:

$this->config('some.nested.key');

Setting a specific value:

$this->config('key', $value);

Setting a nested value:

$this->config('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->config(['one' => 'value', 'another' => 'value']);

Deprecated

3.4.0 use setConfig()/getConfig() instead.

Parameters

string|array|null $key optional null: The key to get/set, or a complete array of configs.
mixed|null $value optional null: The value to set.
boolean $merge optional true: Whether to recursively merge or overwrite existing config, defaults to true.

Returns

mixed
Config value being read, or the object itself on write operations.

Throws

Cake\Core\Exception\Exception
When trying to set a key that is invalid.

configShallow()source public

configShallow( string|array $key , mixed|null $value null )

Merge provided config with existing config. Unlike config() which does a recursive merge for nested keys, this method does a simple merge.

Setting a specific value:

$this->configShallow('key', $value);

Setting a nested value:

$this->configShallow('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->configShallow(['one' => 'value', 'another' => 'value']);

Parameters

string|array $key: The key to set, or a complete array of configs.
mixed|null $value optional null: The value to set.

Returns

$this

getConfig()source public

getConfig( string|null $key null , mixed $default null )

Returns the config.

Usage

Reading the whole config:

$this->getConfig();

Reading a specific value:

$this->getConfig('key');

Reading a nested value:

$this->getConfig('some.nested.key');

Reading with default value:

$this->getConfig('some-key', 'default-value');

Parameters

string|null $key optional null: The key to get or null for the whole config.
mixed $default optional null: The return value when the key does not exist.

Returns

mixed
Config value being read.

setConfig()source public

setConfig( string|array $key , mixed|null $value null , boolean $merge true )

Sets the config.

Usage

Setting a specific value:

$this->setConfig('key', $value);

Setting a nested value:

$this->setConfig('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->setConfig(['one' => 'value', 'another' => 'value']);

Parameters

string|array $key: The key to set, or a complete array of configs.
mixed|null $value optional null: The value to set.
boolean $merge optional true: Whether to recursively merge or overwrite existing config, defaults to true.

Returns

$this

Throws

Cake\Core\Exception\Exception
When trying to set a key that is invalid.

Methods used from Cake\Log\LogTrait

log()source public

log( mixed $msg , integer|string $level LogLevel::ERROR , string|array $context [] )

Convenience method to write a message to Log. See Log::write() for more information on writing to logs.

Parameters

mixed $msg: Log message.
integer|string $level optional LogLevel::ERROR: Error level.
string|array $context optional []: Additional log data relevant to this message.

Returns

boolean
Success of log write.

Properties detail

$_authenticateObjectssource

protected Cake\Auth\BaseAuthenticate[]

Objects that will be used for authentication checks.

[]

$_authenticationProvidersource

protected Cake\Auth\BaseAuthenticate

The instance of the Authenticate provider that was used for successfully logging in the current user after calling login() in the same request

$_authorizationProvidersource

protected Cake\Auth\BaseAuthorize

The instance of the Authorize provider that was used to grant access to the current user to the URL they are requesting.

$_authorizeObjectssource

protected Cake\Auth\BaseAuthorize[]

Objects that will be used for authorization checks.

[]

$_defaultConfigsource

protected array

Default config

authenticate - An array of authentication objects to use for authenticating users. You can configure multiple adapters and they will be checked sequentially when users are identified.
```
$this->Auth->setConfig('authenticate', [
 'Form' => [
    'userModel' => 'Users.Users'
 ]
]);
```
Using the class name without 'Authenticate' as the key, you can pass in an array of config for each authentication object. Additionally you can define config that should be set to all authentications objects using the 'all' key:
```
$this->Auth->setConfig('authenticate', [
  AuthComponent::ALL => [
     'userModel' => 'Users.Users',
     'scope' => ['Users.active' => 1]
 ],
'Form',
'Basic'
]);
```
authorize - An array of authorization objects to use for authorizing users. You can configure multiple adapters and they will be checked sequentially when authorization checks are done.
```
$this->Auth->setConfig('authorize', [
 'Crud' => [
     'actionPath' => 'controllers/'
 ]
]);
```
Using the class name without 'Authorize' as the key, you can pass in an array of config for each authorization object. Additionally you can define config that should be set to all authorization objects using the AuthComponent::ALL key:
```
$this->Auth->setConfig('authorize', [
 AuthComponent::ALL => [
     'actionPath' => 'controllers/'
 ],
 'Crud',
 'CustomAuth'
]);
```
~~ajaxLogin~~ - The name of an optional view element to render when an Ajax request is made with an invalid or expired session. This option is deprecated since 3.3.6. Your client side code should instead check for 403 status code and show appropriate login form.
flash - Settings to use when Auth needs to do a flash message with FlashComponent::set(). Available keys are:
- key - The message domain to use for flashes generated by this component, defaults to 'auth'.
- element - Flash element to use, defaults to 'default'.
- params - The array of additional params to use, defaults to ['class' => 'error']
loginAction - A URL (defined as a string or array) to the controller action that handles logins. Defaults to /users/login.
loginRedirect - Normally, if a user is redirected to the loginAction page, the location they were redirected from will be stored in the session so that they can be redirected back after a successful login. If this session value is not set, redirectUrl() method will return the URL specified in loginRedirect.
logoutRedirect - The default action to redirect to after the user is logged out. While AuthComponent does not handle post-logout redirection, a redirect URL will be returned from AuthComponent::logout(). Defaults to loginAction.
authError - Error to display when user attempts to access an object or action to which they do not have access.
unauthorizedRedirect - Controls handling of unauthorized access.
- For default value true unauthorized user is redirected to the referrer URL or $loginRedirect or '/'.
- If set to a string or array the value is used as a URL to redirect to.
- If set to false a ForbiddenException exception is thrown instead of redirecting.
storage - Storage class to use for persisting user record. When using stateless authenticator you should set this to 'Memory'. Defaults to 'Session'.
checkAuthIn - Name of event for which initial auth checks should be done. Defaults to 'Controller.startup'. You can set it to 'Controller.initialize' if you want the check to be done before controller's beforeFilter() is run.

[
    'authenticate' => null,
    'authorize' => null,
    'ajaxLogin' => null,
    'flash' => null,
    'loginAction' => null,
    'loginRedirect' => null,
    'logoutRedirect' => null,
    'authError' => null,
    'unauthorizedRedirect' => true,
    'storage' => 'Session',
    'checkAuthIn' => 'Controller.startup'
]

$_storagesource

protected Cake\Auth\Storage\StorageInterface|null

Storage object.

$allowedActionssource

public array

Controller actions for which user validation is not required.

See

\Cake\Controller\Component\AuthComponent::allow()

[]

$componentssource

public array

Other components utilized by AuthComponent

['RequestHandler', 'Flash']

$requestsource

public Cake\Http\ServerRequest

Request object

$responsesource

public Cake\Http\Response

Response object

$sessionsource

public Cake\Network\Session

Instance of the Session object

Deprecated

3.1.0 Will be removed in 4.0

Magic properties detail

$Flashsource

public Cake\Controller\Component\FlashComponent

$RequestHandlersource

public Cake\Controller\Component\RequestHandlerComponent

© 2005–2017 The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
https://api.cakephp.org/3.4/class-Cake.Controller.Component.AuthComponent.html