X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=blobdiff_plain;f=lib%2FCatalyst%2FAuthentication%2FCredential%2FHTTP.pm;h=775ec08e41108ab338c483ceeb907232795a253d;hb=b56120cde918d5d8d94aabdb48f24bfdf4682b9a;hp=f1ff62bb73787e8cf361e9cf808067b97f578e53;hpb=bf39928587b827d04613b4a7c638a7ca335b7e51;p=catagits%2FCatalyst-Authentication-Credential-HTTP.git diff --git a/lib/Catalyst/Authentication/Credential/HTTP.pm b/lib/Catalyst/Authentication/Credential/HTTP.pm index f1ff62b..775ec08 100644 --- a/lib/Catalyst/Authentication/Credential/HTTP.pm +++ b/lib/Catalyst/Authentication/Credential/HTTP.pm @@ -13,7 +13,7 @@ BEGIN { __PACKAGE__->mk_accessors(qw/_config realm/); } -our $VERSION = "1.002"; +our $VERSION = "1.005"; sub new { my ($class, $config, $app, $realm) = @_; @@ -23,12 +23,17 @@ sub new { $self->realm($realm); + $self->init; + return $self; +} + +sub init { + my ($self) = @_; my $type = $self->_config->{'type'} ||= 'any'; if (!grep /$type/, ('basic', 'digest', 'any')) { Catalyst::Exception->throw(__PACKAGE__ . " used with unsupported authentication type: " . $type); } - return $self; } sub authenticate { @@ -143,7 +148,6 @@ sub authenticate_digest { # we can store md5_hex("$username:$realm:$password") instead my $password_field = $self->_config->{password_field}; for my $r ( 0 .. 1 ) { - # FIXME - Do not assume accessor is called password. # calculate H(A1) as per spec my $A1_digest = $r ? $user->$password_field() : do { $ctx = Digest::MD5->new; @@ -258,7 +262,6 @@ sub _build_auth_header_realm { sub _build_auth_header_domain { my ( $self, $c, $opts ) = @_; - if ( my $domain = $opts->{domain} ) { Catalyst::Exception->throw("domain must be an array reference") unless ref($domain) && ref($domain) eq "ARRAY"; @@ -275,7 +278,6 @@ sub _build_auth_header_domain { sub _build_auth_header_common { my ( $self, $c, $opts ) = @_; - return ( $self->_build_auth_header_realm($c, $opts), $self->_build_auth_header_domain($c, $opts), @@ -410,6 +412,16 @@ for Catalyst. do_stuff(); } + + sub always_auth : Local { + my ( $self, $c ) = @_; + + # Force authorization headers onto the response so that the user + # is asked again for authentication, even if they successfully + # authenticated. + my $realm = $c->get_auth_realm('example'); + $realm->credential->authorization_required_response($c, $realm); + } # with ACL plugin __PACKAGE__->deny_access_unless("/path", sub { $_[0]->authenticate }); @@ -448,6 +460,10 @@ C methods as shown below. Simple constructor. +=item init + +Validates that $config is ok. + =item authenticate $c, $realm, \%auth_info Tries to authenticate the user, and if that fails calls @@ -467,15 +483,23 @@ The %auth_info hash can contain a number of keys which control the authenticatio Sets the HTTP authentication realm presented to the client. Note this does not alter the Catalyst::Authentication::Realm object used for the authentication. -=item password_type +=item domain -The type of password returned by the user object. Same useage as in -L +Array reference to domains used to build the authorization headers. -=item password_field +This list of domains defines the protection space. If a domain URI is an +absolute path (starts with /), it is relative to the root URL of the server being accessed. +An absolute URI in this list may refer to a different server than the one being accessed. -The name of accessor used to retrieve the value of the password field from the user object. Same useage as in -L +The client will use this list to determine the set of URIs for which the same authentication +information may be sent. + +If this is omitted or its value is empty, the client will assume that the +protection space consists of all URIs on the responding server. + +Therefore, if your application is not hosted at the root of this domain, and you want to +prevent the authentication credentials for this application being sent to any other applications. +then you should use the I configuration option, and pass a domain of I. =back @@ -486,7 +510,14 @@ Performs HTTP basic authentication. =item authenticate_digest $c, $realm, \%auth_info Performs HTTP digest authentication. Note that the password_type B by I for -digest authentication to succeed. +digest authentication to succeed, and you must have L in +your application as digest authentication needs to store persistent data. + +Note - if you do not want to store your user passwords as clear text, then it is possible +to store instead the MD5 digest in hex of the string '$username:$realm:$password' + +Takes an additional parameter of I, the possible values of which are 'MD5' (the default) +and 'MD5-sess'. For more information about 'MD5-sess', see section 3.2.2.2 in RFC 2617. =item authorization_required_response $c, $realm, \%auth_info @@ -515,7 +546,7 @@ All configuration is stored in C<< YourApp->config(authentication => { yourrealm This should be a hash, and it can contain the following entries: -=over 4 +=over =item type @@ -528,6 +559,23 @@ not the "manual" methods. Set this to a string to override the default body content "Authorization required.", or set to undef to suppress body content being generated. +=item password_type + +The type of password returned by the user object. Same usage as in +L + +=item password_field + +The name of accessor used to retrieve the value of the password field from the user object. Same usage as in +L + +=item use_uri_for + +If this configuration key has a true value, then the domain(s) for the authorization header will be +run through $c->uri_for(). Use this configuration option if your application is not running at the root +of your domain, and you want to ensure that authentication credentials from your application are not shared with +other applications on the same server. + =back =head1 RESTRICTIONS