package Catalyst::Authentication::Credential::HTTP;
-use base qw/Catalyst::Component/;
+use base qw/Catalyst::Authentication::Credential::Password/;
use strict;
use warnings;
use Catalyst ();
use Digest::MD5 ();
-BEGIN {
- __PACKAGE__->mk_accessors(qw/_config realm/);
-}
+__PACKAGE__->mk_accessors(qw/
+ _config
+ authorization_required_message
+ password_field
+ username_field
+ type
+ realm
+ algorithm
+ use_uri_for
+/);
-our $VERSION = "1.000";
+our $VERSION = '1.012';
sub new {
my ($class, $config, $app, $realm) = @_;
- my $self = { _config => $config, _debug => $app->debug };
+ $config->{username_field} ||= 'username';
+ # _config is shity back-compat with our base class.
+ my $self = { %$config, _config => $config, _debug => $app->debug ? 1 : 0 };
bless $self, $class;
$self->realm($realm);
- my $type = $self->_config->{'type'} ||= 'any';
+ $self->init;
+ return $self;
+}
+
+sub init {
+ my ($self) = @_;
+ my $type = $self->type || 'any';
if (!grep /$type/, ('basic', 'digest', 'any')) {
Catalyst::Exception->throw(__PACKAGE__ . " used with unsupported authentication type: " . $type);
}
- return $self;
+ $self->type($type);
}
sub authenticate {
my $headers = $c->req->headers;
if ( my ( $username, $password ) = $headers->authorization_basic ) {
- my $user_obj = $realm->find_user( { username => $username }, $c);
- if (ref($user_obj)) {
- if ($user_obj->check_password($password)) {
- $c->set_authenticated($user_obj);
+ my $user_obj = $realm->find_user( { $self->username_field => $username }, $c);
+ if (ref($user_obj)) {
+ my $opts = {};
+ $opts->{$self->password_field} = $password
+ if $self->password_field;
+ if ($self->check_password($user_obj, $opts)) {
return $user_obj;
}
- }
- else {
- $c->log->debug("Unable to locate user matching user info provided") if $c->debug;
+ else {
+ $c->log->debug("Password mismatch!") if $c->debug;
+ return;
+ }
+ }
+ else {
+ $c->log->debug("Unable to locate user matching user info provided")
+ if $c->debug;
return;
}
}
$c->log->debug('Checking authentication parameters.')
if $c->debug;
- my $uri = '/' . $c->request->path;
+ my $uri = $c->request->uri->path_query;
my $algorithm = $res{algorithm} || 'MD5';
my $nonce_count = '0x' . $res{nc};
my $username = $res{username};
- my $user;
+ my $user_obj;
- unless ( $user = $auth_info->{user} ) {
- $user = $realm->find_user( { username => $username }, $c);
+ unless ( $user_obj = $auth_info->{user} ) {
+ $user_obj = $realm->find_user( { $self->username_field => $username }, $c);
}
- unless ($user) { # no user, no authentication
+ unless ($user_obj) { # no user, no authentication
$c->log->debug("Unable to locate user matching user info provided") if $c->debug;
return;
}
# the idea of the for loop:
# if we do not want to store the plain password in our user store,
# we can store md5_hex("$username:$realm:$password") instead
+ my $password_field = $self->password_field;
for my $r ( 0 .. 1 ) {
-
# calculate H(A1) as per spec
- my $A1_digest = $r ? $user->password : do {
+ my $A1_digest = $r ? $user_obj->$password_field() : do {
$ctx = Digest::MD5->new;
- $ctx->add( join( ':', $username, $realm->name, $user->password ) );
+ $ctx->add( join( ':', $username, $realm->name, $user_obj->$password_field() ) );
$ctx->hexdigest;
};
if ( $nonce->algorithm eq 'MD5-sess' ) {
$c->cache->set( __PACKAGE__ . '::opaque:' . $nonce->opaque,
$nonce );
if ($rq_digest eq $res{response}) {
- $c->set_authenticated($user);
- return 1;
+ return $user_obj;
}
}
}
sub _is_http_auth_type {
my ( $self, $type ) = @_;
- my $cfgtype = lc( $self->_config->{'type'} || 'any' );
+ my $cfgtype = lc( $self->type );
return 1 if $cfgtype eq 'any' || $cfgtype eq lc $type;
return 0;
}
$c->res->status(401);
$c->res->content_type('text/plain');
- if (exists $self->_config->{authorization_required_message}) {
+ if (exists $self->{authorization_required_message}) {
# If you set the key to undef, don't stamp on the body.
- $c->res->body($self->_config->{authorization_required_message})
- if defined $c->res->body($self->_config->{authorization_required_message});
+ $c->res->body($self->authorization_required_message)
+ if defined $self->authorization_required_message;
}
else {
$c->res->body('Authorization required.');
}
sub _build_auth_header_realm {
- my ( $self ) = @_;
-
- if ( my $realm = $self->realm ) {
- my $realm_name = String::Escape::qprintable($realm->name);
+ my ( $self, $c, $opts ) = @_;
+ if ( my $realm_name = String::Escape::qprintable($opts->{realm} ? $opts->{realm} : $self->realm->name) ) {
$realm_name = qq{"$realm_name"} unless $realm_name =~ /^"/;
return 'realm=' . $realm_name;
}
sub _build_auth_header_domain {
my ( $self, $c, $opts ) = @_;
-
if ( my $domain = $opts->{domain} ) {
Catalyst::Exception->throw("domain must be an array reference")
unless ref($domain) && ref($domain) eq "ARRAY";
my @uris =
- $self->_config->{use_uri_for}
+ $self->use_uri_for
? ( map { $c->uri_for($_) } @$domain )
: ( map { URI::Escape::uri_escape($_) } @$domain );
sub _build_auth_header_common {
my ( $self, $c, $opts ) = @_;
-
return (
- $self->_build_auth_header_realm(),
+ $self->_build_auth_header_realm($c, $opts),
$self->_build_auth_header_domain($c, $opts),
);
}
my $nonce = $package->new;
- if ( my $algorithm = $opts->{algorithm} || $self->_config->{algorithm}) {
+ if ( my $algorithm = $opts->{algorithm} || $self->algorithm) {
$nonce->algorithm( $algorithm );
}
/;
__PACKAGE__->config( authentication => {
+ default_realm => 'example',
realms => {
example => {
credential => {
class => 'HTTP',
type => 'any', # or 'digest' or 'basic'
+ password_type => 'clear',
+ password_field => 'password'
},
store => {
class => 'Minimal',
$c->authenticate({ realm => "example" });
# either user gets authenticated or 401 is sent
+ # Note that the authentication realm sent to the client (in the
+ # RFC 2617 sense) is overridden here, but this *does not*
+ # effect the Catalyst::Authentication::Realm used for
+ # authentication - to do that, you need
+ # $c->authenticate({}, 'otherrealm')
do_stuff();
}
+
+ sub always_auth : Local {
+ my ( $self, $c ) = @_;
+
+ # Force authorization headers onto the response so that the user
+ # is asked again for authentication, even if they successfully
+ # authenticated.
+ my $realm = $c->get_auth_realm('example');
+ $realm->credential->authorization_required_response($c, $realm);
+ }
# with ACL plugin
__PACKAGE__->deny_access_unless("/path", sub { $_[0]->authenticate });
Simple constructor.
+=item init
+
+Validates that $config is ok.
+
=item authenticate $c, $realm, \%auth_info
Tries to authenticate the user, and if that fails calls
This will only try the methods set in the configuration. First digest, then basic.
-This method just passes the options through untouched. See the next two methods for what \%auth_info can contain.
+The %auth_info hash can contain a number of keys which control the authentication behaviour:
+
+=over
+
+=item realm
+
+Sets the HTTP authentication realm presented to the client. Note this does not alter the
+Catalyst::Authentication::Realm object used for the authentication.
+
+=item domain
+
+Array reference to domains used to build the authorization headers.
+
+This list of domains defines the protection space. If a domain URI is an
+absolute path (starts with /), it is relative to the root URL of the server being accessed.
+An absolute URI in this list may refer to a different server than the one being accessed.
+
+The client will use this list to determine the set of URIs for which the same authentication
+information may be sent.
+
+If this is omitted or its value is empty, the client will assume that the
+protection space consists of all URIs on the responding server.
+
+Therefore, if your application is not hosted at the root of this domain, and you want to
+prevent the authentication credentials for this application being sent to any other applications.
+then you should use the I<use_uri_for> configuration option, and pass a domain of I</>.
+
+=back
=item authenticate_basic $c, $realm, \%auth_info
+Performs HTTP basic authentication.
+
=item authenticate_digest $c, $realm, \%auth_info
-Try to authenticate one of the methods without checking if the method is
-allowed in the configuration.
+Performs HTTP digest authentication. Note that the password_type B<must> by I<clear> for
+digest authentication to succeed, and you must have L<Catalyst::Plugin::Session> in
+your application as digest authentication needs to store persistent data.
+
+Note - if you do not want to store your user passwords as clear text, then it is possible
+to store instead the MD5 digest in hex of the string '$username:$realm:$password'
+
+Takes an additional parameter of I<algorithm>, the possible values of which are 'MD5' (the default)
+and 'MD5-sess'. For more information about 'MD5-sess', see section 3.2.2.2 in RFC 2617.
=item authorization_required_response $c, $realm, \%auth_info
This should be a hash, and it can contain the following entries:
-=over 4
+=over
=item type
Set this to a string to override the default body content "Authorization required.", or set to undef to suppress body content being generated.
+=item password_type
+
+The type of password returned by the user object. Same usage as in
+L<Catalyst::Authentication::Credential::Password|Catalyst::Authentication::Credential::Password/password_type>
+
+=item password_field
+
+The name of accessor used to retrieve the value of the password field from the user object. Same usage as in
+L<Catalyst::Authentication::Credential::Password|Catalyst::Authentication::Credential::Password/password_field>
+
+=item username_field
+
+The field name that the user's username is mapped into when finding the user from the realm. Defaults to 'username'.
+
+=item use_uri_for
+
+If this configuration key has a true value, then the domain(s) for the authorization header will be
+run through $c->uri_for(). Use this configuration option if your application is not running at the root
+of your domain, and you want to ensure that authentication credentials from your application are not shared with
+other applications on the same server.
+
=back
=head1 RESTRICTIONS
Updated to current name space and currently maintained
by: Tomas Doran C<bobtfish@bobtfish.net>.
-Original module by:
+Original module by:
=over
=back
+=head1 CONTRIBUTORS
+
+Patches contributed by:
+
+=over
+
+=item Peter Corlett
+
+=item Devin Austin (dhoss) C<dhoss@cpan.org>
+
+=back
+
=head1 SEE ALSO
RFC 2617 (or its successors), L<Catalyst::Plugin::Cache>, L<Catalyst::Plugin::Authentication>
projects / catagits/Catalyst-Authentication-Credential-HTTP.git / blobdiff