-#!/usr/bin/perl
-
package Catalyst::Plugin::Authentication;
use base qw/Class::Accessor::Fast Class::Data::Inheritable/;
BEGIN {
__PACKAGE__->mk_accessors(qw/_user/);
- __PACKAGE__->mk_classdata($_) for qw/_auth_realms/;
}
use strict;
# constant->import(have_want => eval { require Want });
#}
-our $VERSION = "0.10";
+our $VERSION = "0.10002";
sub set_authenticated {
my ( $c, $user, $realmname ) = @_;
$c->NEXT::set_authenticated($user, $realmname);
}
-sub _should_save_user_in_session {
- my ( $c, $user ) = @_;
-
- $c->_auth_sessions_supported
- and $c->config->{authentication}{use_session}
- and $user->supports("session");
-}
-
-sub _should_load_user_from_session {
- my ( $c, $user ) = @_;
-
- $c->_auth_sessions_supported
- and $c->config->{authentication}{use_session}
- and $c->session_is_valid;
-}
-
-sub _auth_sessions_supported {
- my $c = shift;
- $c->isa("Catalyst::Plugin::Session");
-}
-
sub user {
my $c = shift;
sub _user_in_session {
my $c = shift;
- return unless $c->_should_load_user_from_session;
+ return unless
+ $c->isa("Catalyst::Plugin::Session")
+ and $c->config->{authentication}{use_session}
+ and $c->session_is_valid;
return $c->session->{__user};
}
# this sets the realm the user originated in.
$user->auth_realm($realmname);
+
return $user;
}
# we can't actually do our setup in setup because the model has not yet been loaded.
# So we have to trigger off of setup_finished. :-(
sub setup {
- my $c = shift;
+ my $app = shift;
- $c->_authentication_initialize();
- $c->NEXT::setup(@_);
+ $app->_authentication_initialize();
+ $app->NEXT::setup(@_);
}
## the actual initialization routine. whee.
sub _authentication_initialize {
- my $c = shift;
+ my $app = shift;
- if ($c->_auth_realms) { return };
-
- if (!exists($c->config->{'authentication'}) {
- $c->config->{'authentication'} = {};
- }
-
- my $cfg = $c->config->{'authentication'};
+ ## let's avoid recreating / configuring everything if we have already done it, eh?
+ if ($app->can('_auth_realms')) { return };
- %$cfg = (
- use_session => 1,
- %$cfg,
- );
+ ## make classdata where it is used.
+ $app->mk_classdata( '_auth_realms' => {});
+
+ my $cfg = $app->config->{'authentication'} ||= {};
- my $realmhash = {};
- $c->_auth_realms($realmhash);
+ $cfg->{use_session} = 1;
- ## BACKWARDS COMPATIBILITY - if realm is not defined - then we are probably dealing
- ## with an old-school config. The only caveat here is that we must add a classname
if (exists($cfg->{'realms'})) {
-
foreach my $realm (keys %{$cfg->{'realms'}}) {
- $c->setup_auth_realm($realm, $cfg->{'realms'}{$realm});
+ $app->setup_auth_realm($realm, $cfg->{'realms'}{$realm});
}
-
# if we have a 'default-realm' in the config hash and we don't already
# have a realm called 'default', we point default at the realm specified
- if (exists($cfg->{'default_realm'}) && !$c->get_auth_realm('default')) {
- $c->_set_default_auth_realm($cfg->{'default_realm'});
+ if (exists($cfg->{'default_realm'}) && !$app->get_auth_realm('default')) {
+ $app->_set_default_auth_realm($cfg->{'default_realm'});
}
} else {
+
+ ## BACKWARDS COMPATIBILITY - if realms is not defined - then we are probably dealing
+ ## with an old-school config. The only caveat here is that we must add a classname
+
+ ## also - we have to treat {store} as {stores}{default} - because
+ ## while it is not a clear as a valid config in the docs, it
+ ## is functional with the old api. Whee!
+ if (exists($cfg->{'store'}) && !exists($cfg->{'stores'}{'default'})) {
+ $cfg->{'stores'}{'default'} = $cfg->{'store'};
+ }
+
foreach my $storename (keys %{$cfg->{'stores'}}) {
my $realmcfg = {
- store => $cfg->{'stores'}{$storename},
+ store => { class => $cfg->{'stores'}{$storename} },
};
- $c->setup_auth_realm($storename, $realmcfg);
+ $app->setup_auth_realm($storename, $realmcfg);
}
}
sub setup_auth_realm {
my ($app, $realmname, $config) = @_;
- $app->log->debug("Setting up $realmname");
+ $app->log->debug("Setting up auth realm $realmname") if $app->debug;
if (!exists($config->{'store'}{'class'})) {
Carp::croak "Couldn't setup the authentication realm named '$realmname', no class defined";
}
# a little niceness - since most systems seem to use the password credential class,
# if no credential class is specified we use password.
- $config->{credential}{class} ||= "Catalyst::Plugin::Authentication::Credential::Password";
+ $config->{credential}{class} ||= '+Catalyst::Plugin::Authentication::Credential::Password';
my $credentialclass = $config->{'credential'}{'class'};
};
}
- $app->auth_realms->{$realmname}{'store'} = $storeclass->new($config->{'store'}, $app);
- $app->auth_realms->{$realmname}{'credential'} = $credentialclass->new($config->{'credential'}, $app);
-
+ ## a little cruft to stay compatible with some poorly written stores / credentials
+ ## we'll remove this soon.
+ if ($storeclass->can('new')) {
+ $app->auth_realms->{$realmname}{'store'} = $storeclass->new($config->{'store'}, $app);
+ } else {
+ $app->log->error("THIS IS DEPRECATED: $storeclass has no new() method - Attempting to use uninstantiated");
+ $app->auth_realms->{$realmname}{'store'} = $storeclass;
+ }
+ if ($credentialclass->can('new')) {
+ $app->auth_realms->{$realmname}{'credential'} = $credentialclass->new($config->{'credential'}, $app);
+ } else {
+ $app->log->error("THIS IS DEPRECATED: $credentialclass has no new() method - Attempting to use uninstantiated");
+ $app->auth_realms->{$realmname}{'credential'} = $credentialclass;
+ }
}
sub auth_realms {
if ( my $new = shift ) {
$self->auth_realms->{'default'}{'store'} = $new;
- my $storeclass = ref($new);
+
+ my $storeclass;
+ if (ref($new)) {
+ $storeclass = ref($new);
+ } else {
+ $storeclass = $new;
+ }
# BACKWARDS COMPATIBILITY - if the store class does not define find_user, we define it in terms
# of get_user and add it to the class. this is because the auth routines use find_user,
/;
# later on ...
- $c->authenticate({ username => 'myusername', password => 'mypassword' });
+ $c->authenticate({ username => 'myusername',
+ password => 'mypassword' });
my $age = $c->user->get('age');
$c->logout;
is (or isn't) allowed to do. For example, say your users are split into two
main groups - regular users and administrators. You want to verify that the
currently logged in user is indeed an administrator before performing the
-actions in an administrative part of your application. These decisionsmay be
+actions in an administrative part of your application. These decisions may be
made within your application code using just the information available after
authentication, or it may be facilitated by a number of plugins.
/;
__PACKAGE__->config->{authentication} =
- {
- default_realm => 'members',
- realms => {
- members => {
- credential => {
- class => 'Password'
- },
- store => {
- class => 'Minimal',
- users = {
- bob => {
- password => "s00p3r",
- editor => 'yes',
- roles => [qw/edit delete/],
- },
- william => {
- password => "s3cr3t",
- roles => [qw/comment/],
- }
- }
- }
- }
- }
- };
+ {
+ default_realm => 'members',
+ realms => {
+ members => {
+ credential => {
+ class => 'Password',
+ password_field => 'password',
+ password_type => 'clear'
+ },
+ store => {
+ class => 'Minimal',
+ users = {
+ bob => {
+ password => "s00p3r",
+ editor => 'yes',
+ roles => [qw/edit delete/],
+ },
+ william => {
+ password => "s3cr3t",
+ roles => [qw/comment/],
+ }
+ }
+ }
+ }
+ }
+ };
This tells the authentication plugin what realms are available, which
}
This code should be very readable. If all the necessary fields are supplied,
-call the L<Catalyst::Plugin::Authentication/authenticate> method in the
-controller. If it succeeds the user is logged in.
+call the "authenticate" method from the controller. If it succeeds the
+user is logged in.
The credential verifier will attempt to retrieve the user whose details match
the authentication information provided to $c->authenticate(). Once it fetches
} ...
-Now suppose we want to restrict the ability to edit to a user with 'edit'
-in it's roles list.
+Now suppose we want to restrict the ability to edit to a user with an
+'editor' value of yes.
The restricted action might look like this:
$c->detach("unauthorized")
unless $c->user_exists
- and $c->user->get('editor') == 'yes';
+ and $c->user->get('editor') eq 'yes';
# do something restricted here
}
-This is somewhat similar to role based access control.
+(Note that if you have multiple realms, you can use $c->user_in_realm('realmname')
+in place of $c->user_exists(); This will essentially perform the same
+verification as user_exists, with the added requirement that if there is a
+user, it must have come from the realm specified.)
+
+The above example is somewhat similar to role based access control.
L<Catalyst::Plugin::Authentication::Store::Minimal> treats the roles field as
an array of role names. Let's leverage this. Add the role authorization
plugin:
realms => {
members => {
credential => {
- class => 'Password'
+ class => 'Password',
+ password_field => 'password',
+ password_type => 'clear'
},
store => {
class => 'DBIx::Class',
realms => {
members => {
credential => {
- class => 'Password'
+ class => 'Password',
+ password_field => 'password',
+ password_type => 'clear'
},
store => {
class => 'DBIx::Class',
},
admins => {
credential => {
- class => 'Password'
+ class => 'Password',
+ password_field => 'password',
+ password_type => 'clear'
},
store => {
class => '+MyApp::Authentication::Store::NetAuth',
=item user_in_realm ( $realm )
Works like user_exists, except that it only returns true if a user is both
-logged in right now and is from the realm provided.
+logged in right now and was retrieved from the realm provided.
=item logout