X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits%2FCatalyst-Manual.git;a=blobdiff_plain;f=lib%2FCatalyst%2FManual%2FTutorial%2F05_Authentication.pod;h=ee0d2f9ec52340d25f2549005259d98c9f8d8216;hp=c01e7b4c9d97781c9441619dc70bb33e88e6403d;hb=532433240eb30ab0ea416cd43bfd5bbe70dfa661;hpb=21b9043a597f65f21b1a754646f52853e4a83dc1 diff --git a/lib/Catalyst/Manual/Tutorial/05_Authentication.pod b/lib/Catalyst/Manual/Tutorial/05_Authentication.pod index c01e7b4..ee0d2f9 100644 --- a/lib/Catalyst/Manual/Tutorial/05_Authentication.pod +++ b/lib/Catalyst/Manual/Tutorial/05_Authentication.pod @@ -279,13 +279,15 @@ C and place the following text above the call to C<__PACKAGE__-Esetup();>: # Configure SimpleDB Authentication - __PACKAGE__->config->{'Plugin::Authentication'} = { + __PACKAGE__->config( + 'Plugin::Authentication' => { default => { class => 'SimpleDB', user_model => 'DB::User', password_type => 'clear', }, - }; + }, + ); We could have placed this configuration in C, but placing it in C is probably a better place since it's not likely @@ -620,60 +622,55 @@ between the browser and your application, consider using SSL/TLS, made easy with the Catalyst plugin Catalyst::Plugin:RequireSSL. -=head2 Re-Run the DBIC::Schema Model Helper to Include DBIx::Class::EncodedColumn +=head2 Re-Run the DBIC::Schema Model Helper to Include DBIx::Class::PassphraseColumn Next, we can re-run the model helper to have it include -L in all of the Result Classes it generates for us. -Simply use the same command we saw in Chapters 3 and 4, but add -C<,EncodedColumn> to the C argument: +L in all of the Result Classes it generates for +us. Simply use the same command we saw in Chapters 3 and 4, but add +C<,PassphraseColumn> to the C argument: $ script/myapp_create.pl model DB DBIC::Schema MyApp::Schema \ - create=static components=TimeStamp,EncodedColumn dbi:SQLite:myapp.db \ + create=static components=TimeStamp,PassphraseColumn dbi:SQLite:myapp.db \ on_connect_do="PRAGMA foreign_keys = ON" If you then open one of the Result Classes, you will see that it -includes EncodedColumn in the C line. Take a look at +includes PassphraseColumn in the C line. Take a look at C since that's the main class where we want to use hashed and salted passwords: - __PACKAGE__->load_components("InflateColumn::DateTime", "TimeStamp", "EncodedColumn"); + __PACKAGE__->load_components("InflateColumn::DateTime", "TimeStamp", "PassphraseColumn"); -=head2 Modify the "password" Column to Use EncodedColumn +=head2 Modify the "password" Column to Use PassphraseColumn Open the file C and enter the following text below the "# DO NOT MODIFY THIS OR ANYTHING ABOVE!" line but above the closing "1;": - # Have the 'password' column use a SHA-1 hash and 10-character salt - # with hex encoding; Generate the 'check_password" method + # Have the 'password' column use a SHA-1 hash and 20-byte salt + # with RFC 2307 encoding; Generate the 'check_password" method __PACKAGE__->add_columns( 'password' => { - encode_column => 1, - encode_class => 'Digest', - encode_args => {salt_length => 10}, - encode_check_method => 'check_password', + passphrase => 'rfc2307', + passphrase_class => 'SaltedDigest', + passphrase_args => { + algorithm => 'SHA-1', + salt_random => 20. + }, + passphrase_check_method => 'check_password', }, ); -This redefines the automatically generated definition for the password -fields at the top of the Result Class file to now use EncodedColumn -logic (C is set to 1). C can be set to -either C to use -L, -or C for -L. -C is then used to customize the type of Digest you -selected. Here we only specified the size of the salt to use, but -we could have also modified the hashing algorithm ('SHA-256' is -the default) and the format to use ('base64' is the default, but -'hex' and 'binary' are other options). To use these, you could -change the C to something like: - - encode_args => {algorithm => 'SHA-1', - format => 'hex', - salt_length => 10}, - +This redefines the automatically generated definition for the password fields at +the top of the Result Class file to now use PassphraseColumn logic, storing +passwords in RFC 2307 format (C is set to C). +C can be set to the name of any C +class, such as C to use L, or +C to use L. +C is then used to customize the passphrase class you +selected. Here we specified the digest algorithm to use as C and the size +of the salt to use, but we could have also specified any other option the +selected passphrase class supports. =head2 Load Hashed Passwords in the Database @@ -697,7 +694,7 @@ C in your editor and enter the following text: $user->update; } -EncodedColumn lets us simply call C<$user->check_password($password)> +PassphraseColumn lets us simply call C<$user->check_password($password)> to see if the user has supplied the correct password, or, as we show above, call C<$user->update($new_password)> to update the hashed password stored for this user. @@ -715,18 +712,18 @@ The DBIC_TRACE output should show that the update worked: SELECT me.id, me.username, me.password, me.email_address, me.first_name, me.last_name, me.active FROM users me: UPDATE users SET password = ? WHERE ( id = ? ): - 'oXiyAcGOjowz7ISUhpIm1IrS8AxSZ9r4jNjpX9VnVeQmN6GRtRKTz', '1' + '{SSHA}esgz64CpHMo8pMfgIIszP13ft23z/zio04aCwNdm0wc6MDeloMUH4g==', '1' UPDATE users SET password = ? WHERE ( id = ? ): - 'PmyEPrkB8EGwvaF/DvJm7LIfxoZARjv8ygFIR7pc1gEA1OfwHGNzs', '2' + '{SSHA}FpGhpCJus+Ea9ne4ww8404HH+hJKW/fW+bAv1v6FuRUy2G7I2aoTRQ==', '2' UPDATE users SET password = ? WHERE ( id = ? ): - 'h7CS1Fm9UCs4hjcbu2im0HumaHCJUq4Uriac+SQgdUMUfFSoOrz3c', '3' + '{SSHA}ZyGlpiHls8qFBSbHr3r5t/iqcZE602XLMbkSVRRNl6rF8imv1abQVg==', '3' But we can further confirm our actions by dumping the users table: $ sqlite3 myapp.db "select * from users" - 1|test01|38d3974fa9e9263099f7bc2574284b2f55473a9bM=fwpX2NR8|t01@na.com|Joe|Blow|1 - 2|test02|6ed8586587e53e0d7509b1cfed5df08feadc68cbMJlnPyPt0I|t02@na.com|Jane|Doe|1 - 3|test03|af929a151340c6aed4d54d7e2651795d1ad2e2f7UW8dHoGv9z|t03@na.com|No|Go|0 + 1|test01|{SSHA}esgz64CpHMo8pMfgIIszP13ft23z/zio04aCwNdm0wc6MDeloMUH4g==|t01@na.com|Joe|Blow|1 + 2|test02|{SSHA}FpGhpCJus+Ea9ne4ww8404HH+hJKW/fW+bAv1v6FuRUy2G7I2aoTRQ==|t02@na.com|Jane|Doe|1 + 3|test03|{SSHA}ZyGlpiHls8qFBSbHr3r5t/iqcZE602XLMbkSVRRNl6rF8imv1abQVg==|t03@na.com|No|Go|0 As you can see, the passwords are much harder to steal from the database (not only are the hashes stored, but every hash is different @@ -742,13 +739,15 @@ Edit C and update it to match the following text (the only change is to the C field): # Configure SimpleDB Authentication - __PACKAGE__->config->{'Plugin::Authentication'} = { + __PACKAGE__->config( + 'Plugin::Authentication' => { default => { class => 'SimpleDB', user_model => 'DB::User', password_type => 'self_check', }, - }; + }, + ); The use of C will cause Catalyst::Plugin::Authentication::Store::DBIC to call the @@ -851,14 +850,14 @@ C<__PACKAGE__-Econfig> setting to something like: name => 'MyApp', # Disable deprecated behavior needed by old applications disable_component_resolution_regex_fallback => 1, - session => { flash_to_stash => 1 }, + 'Plugin::Session' => { flash_to_stash => 1 }, ); B add the following to C: - + flash_to_stash 1 - + The C<__PACKAGE__-Econfig> option is probably preferable here since it's not something you will want to change at runtime without it @@ -879,8 +878,11 @@ are no longer explicitly accessing C. Kennedy Clark, C -Please report any errors, issues or suggestions to the author. The -most recent version of the Catalyst Tutorial can be found at +Feel free to contact the author for any errors or suggestions, but the +best way to report issues is via the CPAN RT Bug system at +. + +The most recent version of the Catalyst Tutorial can be found at L. Copyright 2006-2010, Kennedy Clark, under the