X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=blobdiff_plain;f=lib%2FCatalyst%2FAuthentication%2FCredential%2FHTTP.pm;h=eacc14fd92d9c68781b9a232f97b6fce2b286ee7;hb=e8cb49b7353a5a11ab7b93a3207b04ce62577fb6;hp=27a59ab638f0d217d4080498116494cf2286c8e4;hpb=c5a1fa888d417417060fa21bd72f5d862cb60513;p=catagits%2FCatalyst-Authentication-Credential-HTTP.git diff --git a/lib/Catalyst/Authentication/Credential/HTTP.pm b/lib/Catalyst/Authentication/Credential/HTTP.pm index 27a59ab..eacc14f 100644 --- a/lib/Catalyst/Authentication/Credential/HTTP.pm +++ b/lib/Catalyst/Authentication/Credential/HTTP.pm @@ -13,22 +13,28 @@ BEGIN { __PACKAGE__->mk_accessors(qw/_config realm/); } -our $VERSION = "1.004"; +our $VERSION = "1.006"; sub new { my ($class, $config, $app, $realm) = @_; + $config->{username_field} ||= 'username'; my $self = { _config => $config, _debug => $app->debug }; bless $self, $class; $self->realm($realm); + $self->init; + return $self; +} + +sub init { + my ($self) = @_; my $type = $self->_config->{'type'} ||= 'any'; if (!grep /$type/, ('basic', 'digest', 'any')) { Catalyst::Exception->throw(__PACKAGE__ . " used with unsupported authentication type: " . $type); } - return $self; } sub authenticate { @@ -53,9 +59,12 @@ sub authenticate_basic { my $headers = $c->req->headers; if ( my ( $username, $password ) = $headers->authorization_basic ) { - my $user_obj = $realm->find_user( { username => $username }, $c); - if (ref($user_obj)) { - if ($self->check_password($user_obj, {$self->_config->{password_field} => $password})) { + my $user_obj = $realm->find_user( { $self->_config->{username_field} => $username }, $c); + if (ref($user_obj)) { + my $opts = {}; + $opts->{$self->_config->{password_field}} = $password + if $self->_config->{password_field}; + if ($self->check_password($user_obj, $opts)) { $c->set_authenticated($user_obj); return $user_obj; } @@ -120,7 +129,7 @@ sub authenticate_digest { my $user; unless ( $user = $auth_info->{user} ) { - $user = $realm->find_user( { username => $username }, $c); + $user = $realm->find_user( { $self->_config->{username_field} => $username }, $c); } unless ($user) { # no user, no authentication $c->log->debug("Unable to locate user matching user info provided") if $c->debug; @@ -378,6 +387,7 @@ for Catalyst. /; __PACKAGE__->config( authentication => { + default_realm => 'example', realms => { example => { credential => { @@ -401,9 +411,11 @@ for Catalyst. $c->authenticate({ realm => "example" }); # either user gets authenticated or 401 is sent - # Note that the authentication realm sent to the client is overridden - # here, but this does not affect the Catalyst::Authentication::Realm - # used for authentication. + # Note that the authentication realm sent to the client (in the + # RFC 2617 sense) is overridden here, but this *does not* + # effect the Catalyst::Authentication::Realm used for + # authentication - to do that, you need + # $c->authenticate({}, 'otherrealm') do_stuff(); } @@ -455,6 +467,10 @@ C methods as shown below. Simple constructor. +=item init + +Validates that $config is ok. + =item authenticate $c, $realm, \%auth_info Tries to authenticate the user, and if that fails calls @@ -478,6 +494,20 @@ Catalyst::Authentication::Realm object used for the authentication. Array reference to domains used to build the authorization headers. +This list of domains defines the protection space. If a domain URI is an +absolute path (starts with /), it is relative to the root URL of the server being accessed. +An absolute URI in this list may refer to a different server than the one being accessed. + +The client will use this list to determine the set of URIs for which the same authentication +information may be sent. + +If this is omitted or its value is empty, the client will assume that the +protection space consists of all URIs on the responding server. + +Therefore, if your application is not hosted at the root of this domain, and you want to +prevent the authentication credentials for this application being sent to any other applications. +then you should use the I configuration option, and pass a domain of I. + =back =item authenticate_basic $c, $realm, \%auth_info @@ -493,6 +523,9 @@ your application as digest authentication needs to store persistent data. Note - if you do not want to store your user passwords as clear text, then it is possible to store instead the MD5 digest in hex of the string '$username:$realm:$password' +Takes an additional parameter of I, the possible values of which are 'MD5' (the default) +and 'MD5-sess'. For more information about 'MD5-sess', see section 3.2.2.2 in RFC 2617. + =item authorization_required_response $c, $realm, \%auth_info Sets C<< $c->response >> to the correct status code, and adds the correct @@ -536,17 +569,23 @@ Set this to a string to override the default body content "Authorization require =item password_type The type of password returned by the user object. Same usage as in -L +L =item password_field The name of accessor used to retrieve the value of the password field from the user object. Same usage as in L +=item username_field + +The field name that the user's username is mapped into when finding the user from the realm. Defaults to 'username'. + =item use_uri_for If this configuration key has a true value, then the domain(s) for the authorization header will be -run through $c->uri_for() +run through $c->uri_for(). Use this configuration option if your application is not running at the root +of your domain, and you want to ensure that authentication credentials from your application are not shared with +other applications on the same server. =back