Basic authentication (often referred to as "basic auth") is the pop-up box asking for a username and password that appears when you first try to access a UAT environment.
It secures requests processed by PHP and SilverStripe on your webserver. Most commonly, that applies to page content, as well as draft and protected assets. It does not secure requests to published assets or other files which are served directly by the web server (bypassing PHP and SilverStripe).
In order to fully prevent unauthorised requests to an environment, we strongly recommend implementing an IP whitelist.
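The scope described above (pages and draft/protected assets are challenged, published assets are served straight from the web server) is worth verifying before a go-live or UAT hand-over. The following script is an added example, not part of the CWP or SilverStripe documentation or code: it classifies unauthenticated responses by whether they carry a Basic challenge, and lists the paths that are not behind basic auth. The hostname, paths and sample responses are constructed for illustration; `fetch()` is the live variant you would point at your own environment.

```python
"""Added example (not CWP/SilverStripe project code): check which paths on an
environment actually answer with a basic-auth challenge.

Basic auth only covers requests handled by PHP/SilverStripe, so a pre-go-live
check is to request representative paths without credentials and confirm which
ones respond 401 with a `WWW-Authenticate: Basic` challenge.
"""
import urllib.error
import urllib.request


def classify(status, headers):
    """Classify one HTTP response as 'basic-auth', 'open' or 'other:<status>'.

    status: integer status code; headers: mapping of header name -> value
    (looked up case-insensitively, since servers vary in casing).
    """
    www_auth = next(
        (v for k, v in headers.items() if k.lower() == "www-authenticate"), ""
    )
    if status == 401 and www_auth.lower().startswith("basic"):
        return "basic-auth"
    if 200 <= status < 400:
        return "open"
    return f"other:{status}"


def audit(results):
    """results: {path: (status, headers)} -> sorted paths NOT behind basic auth.

    A 404 is reported too: it tells you the web server answered directly
    rather than challenging first, which is exactly the bypass the docs
    describe for files served outside PHP/SilverStripe.
    """
    return sorted(
        path
        for path, (status, headers) in results.items()
        if classify(status, headers) != "basic-auth"
    )


def fetch(base_url, path, timeout=10):
    """Live check: GET base_url + path with no credentials -> (status, headers).

    urllib raises HTTPError for 4xx/5xx; the code and headers are taken from it.
    """
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


# Constructed sample responses (standing in for what fetch() would return
# from a hypothetical UAT environment); not captured from any real site.
SAMPLE = {
    "/": (401, {"WWW-Authenticate": 'Basic realm="UAT"', "Content-Type": "text/html"}),
    "/assets/.protected/draft-only.pdf": (401, {"WWW-Authenticate": 'Basic realm="UAT"'}),
    "/assets/Uploads/published-report.pdf": (200, {"Content-Type": "application/pdf"}),
    "/nonexistent-file.txt": (404, {"Content-Type": "text/html"}),
}

if __name__ == "__main__":
    # For a live run, build `results` with fetch("https://uat.example.invalid", p)
    # for each path of interest instead of using SAMPLE.
    for path in audit(SAMPLE):
        print("not behind basic auth:", path, classify(*SAMPLE[path]))
```

Run it against a short list of paths that cover each content type you care about (a CMS page, a draft or protected asset, a published asset); anything listed as open or answered with a plain 404 is reachable without credentials, which is where the IP whitelist recommendation above applies.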
Getting through the pop-up
In order to get through basic auth you must have a CMS account on the environment you are trying to access and your CMS account must have the permission "Allow users to use their accounts to access the UAT server". If you meet both of these criteria then you can use your email address and password (as defined in the CMS of the environment) to get through the pop-up box.
By default, the permission "Allow users to use their accounts to access the UAT server" is granted only to the "Administrator" group but it can be granted to other groups too.
Disabling on UAT and test environments
UAT and test environments have basic auth enabled by default. You can disable this in your codebase with the following code in your config.yml:
---
Name: mysitesecuritytest
After: '#cwpsecuritytest'
Only:
  environment: test
---
SilverStripe\Core\Injector\Injector:
  SilverStripe\Security\BasicAuthMiddleware:
    properties:
      URLPatterns:
        '#.*#': false
Enabling in production
Production is not protected with basic auth by default, but you may want to enable it in order to lock down the site prior to go-live. To enable it, add the following to your config.yml:
---
Name: mysitesecuritylive
After: '#cwpsecuritylive'
---
SilverStripe\Security\BasicAuth:
  entire_site_protected: true