X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits%2FCatalyst-Manual.git;a=blobdiff_plain;f=lib%2FCatalyst%2FManual%2FTutorial%2FAuthentication.pod;h=04106439870e7081c284e2b91648d7a5ce7eff2a;hp=9c7b766daafb71cfe92da473ac3113eb7dafbd39;hb=b0eca006a93b36b6b1a7c83f2ff5508ce618f3e2;hpb=533fee734b6738d009dd5405dda9501e430a4e9f diff --git a/lib/Catalyst/Manual/Tutorial/Authentication.pod b/lib/Catalyst/Manual/Tutorial/Authentication.pod index 9c7b766..0410643 100644 --- a/lib/Catalyst/Manual/Tutorial/Authentication.pod +++ b/lib/Catalyst/Manual/Tutorial/Authentication.pod @@ -67,6 +67,7 @@ You can checkout the source code for this example from the catalyst subversion repository as per the instructions in L. + =head1 BASIC AUTHENTICATION This section explores how to add authentication logic to a Catalyst @@ -294,19 +295,25 @@ backed session store). =head2 Configure Authentication -Although C<__PACKAGE__-Econfig(name =E 'value');> is still -supported, newer Catalyst applications tend to place all configuration -information in C and automatically load this information -into Cconfig> using the +Although C<__PACKAGE__-Econfig(name =E 'value');> is still +supported, newer Catalyst applications tend to place all configuration +information in C and automatically load this information +into Cconfig> using the L plugin. -First, as noted in Part 3 of the tutorial, Catalyst has recently -switched from a default config file format of YAML to -C (an apache-like format). In case you are using a -version of Catalyst earlier than v5.7014, delete the C, or -convert it to .conf format using the TIP in -L; then simply follow the -directions below to create a new C file. +As discussed in Part 3 of the tutorial, Catalyst has recently +switched from a default config file format of YAML to +L (an apache-like format). In case +you are using a version of Catalyst earlier than v5.7014, delete the +C, or convert it to .conf format using the TIP in +L +then simply follow the directions below to create a new C +file. Although we will use the C format here because +YAML files can be difficult to cut and paste in certain environments, +you are free to use any format supported by +L and +L -- Catalyst will transparently handle the +different formats. Here, we need to load several parameters that tell L @@ -350,10 +357,6 @@ C file and update it to match: Inline comments in the code above explain how each field is being used. -Note that you can use many other config file formats with catalyst. -See L -for details. - =head2 Add Login and Logout Controllers @@ -362,16 +365,16 @@ Use the Catalyst create script to create two stub controller files: $ script/myapp_create.pl controller Login $ script/myapp_create.pl controller Logout -B You could easily use a single controller here. For example, -you could have a C controller with both C and C -actions. Remember, Catalyst is designed to be very flexible, and leaves -such matters up to you, the designer and programmer. +You could easily use a single controller here. For example, you could +have a C controller with both C and C actions. +Remember, Catalyst is designed to be very flexible, and leaves such +matters up to you, the designer and programmer. -Then open C, locate the C method (or C if you are using an -older version of Catalyst) that was automatically inserted by the -helpers when we created the Login controller above, and update the -definition of C to match: +Then open C, locate the +C method (or C if you +are using an older version of Catalyst) that was automatically +inserted by the helpers when we created the Login controller above, +and update the definition of C to match: =head2 index @@ -392,7 +395,8 @@ definition of C to match: if ($c->authenticate({ username => $username, password => $password } )) { # If successful, then let them use the application - $c->response->redirect($c->uri_for('/books/list')); + $c->response->redirect($c->uri_for( + $c->controller('Books')->action_for('list'))); return; } else { # Set an error message @@ -411,13 +415,13 @@ will stay at the login page and receive an error message. If the C and C values are not present in the form, the user will be taken to the empty login form. -Note that we could have used something like C, +Note that we could have used something like "C", however, it is generally recommended (partly for historical reasons, and partly for code clarity) only to use C in C, and then mainly to generate the 404 not found page for the application. -Instead, we are using C here to +Instead, we are using "C" here to specifically match the URL C. C actions (aka, "literal actions") create URI matches relative to the namespace of the controller where they are defined. Although C supports @@ -524,63 +528,14 @@ the following method: return 1; } - -B Catalyst provides a number of different types of actions, -such as C, C, C and the new C. You -should refer to L for -a more detailed explanation, but the following bullet points provide a -quick introduction: - -=over 4 - -=item * - -The majority of application have traditionally used C actions -for items that respond to user requests and C actions for -those that do not directly respond to user input. - -=item * - -Newer Catalyst applications tend to use C actions and the -C attribute because of their power and flexibility. You can -specify the path to match relative to the namespace of the current -module as an argument to C. For example C in -C would match on the URL -C but C would -match on C. - -=item * - -Automatic "chaining" of actions by the dispatcher is a powerful -feature that allows multiple methods to handle a single URL. See -L -for more information on chained actions. - -=item * - -There are five types of build-in C actions: C, C, -C, C, and C. - -=item * - -With C, C, C, C private actions, only the -most specific action of each type will be called. For example, if you -define a C action in your controller it will I a -C action in your application/root controller -- I the -action in your controller will be called. - -=item * - -Unlike the other actions where only a single method is called for each -request, I auto action along the chain of namespaces will be -called. Each C action will be called I. - -=back - -By placing the authentication enforcement code inside the C method -of C (or C), it will be -called for I request that is received by the entire application. +As discussed in +L, +every C method from the application/root controller down to the +most specific controller will be called. By placing the +authentication enforcement code inside the C method of +C (or C), it will be +called for I request that is received by the entire +application. =head2 Displaying Content Only to Authenticated Users @@ -627,8 +582,8 @@ running) and restart it: B If you are having issues with authentication on Internet Explorer, be sure to check the system clocks on both your server and client machines. Internet Explorer is very picky about -timestamps for cookies. Note that you can quickly sync an Ubuntu -system with the following command: +timestamps for cookies. You can quickly sync an Ubuntu system with +the following command: sudo ntpdate ntp.ubuntu.com @@ -649,7 +604,7 @@ bottom (below the closing tag):

Login - Create + Create

Reload your browser and you should now see a "Login" and "Create" links @@ -671,12 +626,16 @@ from cleartext passwords to SHA-1 password hashes. B This section is optional. You can skip it and the rest of the tutorial will function normally. -Note that even with the techniques shown in this section, the browser +Be aware that even with the techniques shown in this section, the browser still transmits the passwords in cleartext to your application. We are just avoiding the I of cleartext passwords in the database by using a SHA-1 hash. If you are concerned about cleartext passwords between the browser and your application, consider using SSL/TLS, made -easy with the Catalyst plugin Catalyst::Plugin:RequireSSL. +easy with the Catalyst plugin Catalyst::Plugin:RequireSSL. You should +also consider adding a "salt" mechanism to your hashed passwords to +mitigate the risk of a "rainbow table" crack against your passwords (see +L +for more information on using a salt value). =head2 Get a SHA-1 Hash for the Password @@ -777,7 +736,7 @@ running) and restart it: $ script/myapp_server.pl You should now be able to go to L and -login as before. When done, click the "Logout" link on the login page +login as before. When done, click the "logout" link on the login page (or point your browser at L). @@ -788,10 +747,10 @@ variables in a way that is very similar to C, but it will remain set across multiple requests. Once the value is read, it is cleared (unless reset). Although C has nothing to do with authentication, it does leverage the same session plugins. Now that -those plugins are enabled, let's go back and improve the "delete +those plugins are enabled, let's go back and update the "delete and redirect with query parameters" code seen at the end of the L part of the -tutorial. +tutorial to take advantage of C. First, open C and modify C to match the following (everything after the model search line of code @@ -803,18 +762,18 @@ has changed): =cut - sub delete : Local { - # $id = primary key of book to delete - my ($self, $c, $id) = @_; + sub delete :Chained('object') :PathPart('delete') :Args(0) { + my ($self, $c) = @_; - # Search for the book and then delete it - $c->model('DB::Books')->search({id => $id})->delete_all; + # Use the book object saved by 'object' and delete it along + # with related 'book_authors' entries + $c->stash->{object}->delete; # Use 'flash' to save information across requests until it's read $c->flash->{status_msg} = "Book deleted"; # Redirect the user back to the list page - $c->response->redirect($c->uri_for('/books/list')); + $c->response->redirect($c->uri_for($self->action_for('list'))); } Next, open C and update the TT code to pull from @@ -838,10 +797,10 @@ Cspan class="message"E> line. =head2 Try Out Flash -Restart the development server and point your browser to -L to create an extra -several books. Click the "Return to list" link and delete one of the -"Test" books you just added. The C mechanism should retain our +Restart the development server, log in, and then point your browser to +L to create an extra +several books. Click the "Return to list" link and delete one of the +"Test" books you just added. The C mechanism should retain our "Book deleted" status message across the redirect. B While C will save information across multiple requests, @@ -855,13 +814,12 @@ information. =head2 Switch To Flash-To-Stash -Although the a use of flash above is certainly an improvement over the -C we employed in Part 4 of the tutorial, the +Although the a use of flash above works well, the C statement is a little ugly. A nice alternative is to use the C feature that automatically copies the content of flash to stash. This makes your controller and template code work regardless of where it was directly access, a -forward, or a redirect. To enable C, you can either +forward, or a redirect. To enable C, you can either set the value in C by changing the default C<__PACKAGE__-Econfig> setting to something like: