package Catalyst::Authentication::Credential::HTTP;
+# ABSTRACT: HTTP Basic and Digest authentication for Catalyst
+
use base qw/Catalyst::Authentication::Credential::Password/;
use strict;
use_uri_for
no_unprompted_authorization_required
require_ssl
+ broken_dotnet_digest_without_query_string
/);
-our $VERSION = '1.013';
+our $VERSION = '1.018';
sub new {
my ($class, $config, $app, $realm) = @_;
my $algorithm = $res{algorithm} || 'MD5';
my $nonce_count = '0x' . $res{nc};
- my $check = $uri eq $res{uri}
+ my $check = ($uri eq $res{uri} ||
+ ($self->broken_dotnet_digest_without_query_string &&
+ $c->request->uri->path eq $res{uri}))
&& ( exists $res{username} )
&& ( exists $res{qop} )
&& ( exists $res{cnonce} )
return $c->cache->set( $key, $nonce );
}
-package Catalyst::Authentication::Credential::HTTP::Nonce;
+package # hide from PAUSE
+ Catalyst::Authentication::Credential::HTTP::Nonce;
use strict;
use base qw[ Class::Accessor::Fast ];
-use Data::UUID ();
-
-our $VERSION = '0.02';
+use Data::UUID 0.11 ();
__PACKAGE__->mk_accessors(qw[ nonce nonce_count qop opaque algorithm ]);
=pod
-=head1 NAME
-
-Catalyst::Authentication::Credential::HTTP - HTTP Basic and Digest authentication
-for Catalyst.
+=for stopwords
+rfc
+rfc2617
+auth
+sess
=head1 SYNOPSIS
sub foo : Local {
my ( $self, $c ) = @_;
- $c->authenticate({ realm => "example" });
+ $c->authenticate({}, "example");
# either user gets authenticated or 401 is sent
# Note that the authentication realm sent to the client (in the
# RFC 2617 sense) is overridden here, but this *does not*
However use like this is probably not optimum it also means that users in
browsers ill never get a HTTP authenticate dialogue box (unless you manually
-return a 410 response in your application), and even some programatic
+return a 401 response in your application), and even some automated
user agents (for APIs) will not send the Authorization header without
specific manipulation of the request headers.
+=item broken_dotnet_digest_without_query_string
+
+Enables support for .NET (or other similarly broken clients), which
+fails to include the query string in the uri in the digest
+Authorization header, contrary to rfc2617.
+
+This option has no effect on clients that include the query string;
+they will continue to work as normal.
+
=back
=head1 RESTRICTIONS
L<Catalyst::Authentication::Store::DBIC> stores whose
C<password> methods return a hashed or salted version of the password.
-=head1 AUTHORS
-
-Updated to current name space and currently maintained
-by: Tomas Doran C<bobtfish@bobtfish.net>.
-
-Original module by:
-
-=over
-
-=item Yuval Kogman, C<nothingmuch@woobling.org>
-
-=item Jess Robinson
-
-=item Sascha Kiefer C<esskar@cpan.org>
-
-=back
-
-=head1 CONTRIBUTORS
-
-Patches contributed by:
-
-=over
-
-=item Peter Corlett
-
-=item Devin Austin (dhoss) C<dhoss@cpan.org>
-
-=back
-
=head1 SEE ALSO
RFC 2617 (or its successors), L<Catalyst::Plugin::Cache>, L<Catalyst::Plugin::Authentication>
-=head1 COPYRIGHT & LICENSE
-
- Copyright (c) 2005-2008 the aforementioned authors. All rights
- reserved. This program is free software; you can redistribute
- it and/or modify it under the same terms as Perl itself.
-
=cut
-
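Review bot: The relaxed comparison at `my $check = ($uri eq $res{uri} ||` accepts a digest whose `uri` field carries only `$c->request->uri->path`, so when `broken_dotnet_digest_without_query_string` is enabled the query string is, as far as this hunk shows, no longer bound into the digest and a modified query string would not be caught by the digest check; the new POD for the option should say so. Suggested sentence after `they will continue to work as normal.`: `With this option enabled the query string of such requests is not covered by the digest, so its integrity is only protected when the request is carried over TLS (see C<require_ssl>).` It would also help to state in a comment next to the new condition that the path-only fallback is reached only after the exact-match test fails, e.g. `# .NET clients omit the query string from the digest uri; accept a path-only match when configured`. The subroutine that performs this digest check starts and ends outside the hunk.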