use_uri_for
no_unprompted_authorization_required
require_ssl
+ broken_dotnet_digest_without_query_string
/);
-our $VERSION = '1.014';
+our $VERSION = '1.017';
sub new {
my ($class, $config, $app, $realm) = @_;
my $algorithm = $res{algorithm} || 'MD5';
my $nonce_count = '0x' . $res{nc};
- my $check = $uri eq $res{uri}
+ my $check = ($uri eq $res{uri} ||
+ ($self->broken_dotnet_digest_without_query_string &&
+ $c->request->uri->path eq $res{uri}))
&& ( exists $res{username} )
&& ( exists $res{qop} )
&& ( exists $res{cnonce} )
sub foo : Local {
my ( $self, $c ) = @_;
- $c->authenticate({ realm => "example" });
+ $c->authenticate({}, "example");
# either user gets authenticated or 401 is sent
# Note that the authentication realm sent to the client (in the
# RFC 2617 sense) is overridden here, but this *does not*
However use like this is probably not optimum it also means that users in
browsers ill never get a HTTP authenticate dialogue box (unless you manually
-return a 410 response in your application), and even some automated
+return a 401 response in your application), and even some automated
user agents (for APIs) will not send the Authorization header without
specific manipulation of the request headers.
+=item broken_dotnet_digest_without_query_string
+
+Enables support for .NET (or other similarly broken clients), which
+fails to include the query string in the uri in the digest
+Authorization header, contrary to rfc2617.
+
+This option has no effect on clients that include the query string;
+they will continue to work as normal.
+
=back
=head1 RESTRICTIONS
=item Devin Austin (dhoss) C<dhoss@cpan.org>
+=item Ronald J Kimball
+
=back
=head1 SEE ALSO
projects / catagits/Catalyst-Authentication-Credential-HTTP.git / blobdiff