subversion repository as per the instructions in
L<Catalyst::Manual::Tutorial::Intro|Catalyst::Manual::Tutorial::Intro>.
+
=head1 BASIC AUTHENTICATION
This section explores how to add authentication logic to a Catalyst
=head2 Configure Authentication
-Although C<__PACKAGE__-E<gt>config(name =E<gt> 'value');> is still
-supported, newer Catalyst applications tend to place all configuration
-information in C<myapp.conf> and automatically load this information
-into C<MyApp-E<gt>config> using the
+Although C<__PACKAGE__-E<gt>config(name =E<gt> 'value');> is still
+supported, newer Catalyst applications tend to place all configuration
+information in C<myapp.conf> and automatically load this information
+into C<MyApp-E<gt>config> using the
L<ConfigLoader|Catalyst::Plugin::ConfigLoader> plugin.
-First, as noted in Part 3 of the tutorial, Catalyst has recently
-switched from a default config file format of YAML to
-C<Config::General> (an apache-like format). In case you are using a
-version of Catalyst earlier than v5.7014, delete the C<myapp.yml>, or
-convert it to .conf format using the TIP in
-L<Catalyst::Manual::MoreCatalystBasics>; then simply follow the
-directions below to create a new C<myapp.conf> file.
+As discussed in Part 3 of the tutorial, Catalyst has recently
+switched from a default config file format of YAML to
+L<Config::General|Config::General> (an apache-like format). In case
+you are using a version of Catalyst earlier than v5.7014, delete the
+C<myapp.yml>, or convert it to .conf format using the TIP in
+L<Catalyst::Manual::MoreCatalystBasics/EDIT THE LIST OF CATALYST PLUGINS>
+then simply follow the directions below to create a new C<myapp.conf>
+file. Although we will use the C<Config::General> format here because
+YAML files can be difficult to cut and paste in certain environments,
+you are free to use any format supported by
+L<Catalyst::Plugin::ConfigLoader|Catalyst::Plugin::ConfigLoader> and
+L<Config::Any|Config::Any> -- Catalyst will transparently handle the
+different formats.
Here, we need to load several parameters that tell
L<Catalyst::Plugin::Authentication|Catalyst::Plugin::Authentication>
Inline comments in the code above explain how each field is being used.
-Note that you can use many other config file formats with catalyst.
-See L<Catalyst::Plugin::ConfigLoader|Catalyst::Plugin::ConfigLoader>
-for details.
-
=head2 Add Login and Logout Controllers
$ script/myapp_create.pl controller Login
$ script/myapp_create.pl controller Logout
-B<NOTE:> You could easily use a single controller here. For example,
-you could have a C<User> controller with both C<login> and C<logout>
-actions. Remember, Catalyst is designed to be very flexible, and leaves
-such matters up to you, the designer and programmer.
+You could easily use a single controller here. For example, you could
+have a C<User> controller with both C<login> and C<logout> actions.
+Remember, Catalyst is designed to be very flexible, and leaves such
+matters up to you, the designer and programmer.
-Then open C<lib/MyApp/Controller/Login.pm>, locate the C<sub index
-:Path :Args(0)> method (or C<sub index : Private> if you are using an
-older version of Catalyst) that was automatically inserted by the
-helpers when we created the Login controller above, and update the
-definition of C<sub index> to match:
+Then open C<lib/MyApp/Controller/Login.pm>, locate the
+C<sub index :Path :Args(0)> method (or C<sub index : Private> if you
+are using an older version of Catalyst) that was automatically
+inserted by the helpers when we created the Login controller above,
+and update the definition of C<sub index> to match:
=head2 index
C<username> and C<password> values are not present in the form, the
user will be taken to the empty login form.
-Note that we could have used something like C<sub default :Path>,
+Note that we could have used something like "C<sub default :Path>",
however, it is generally recommended (partly for historical reasons,
and partly for code clarity) only to use C<default> in
C<MyApp::Controller::Root>, and then mainly to generate the 404 not
found page for the application.
-Instead, we are using C<sub somename :Path :Args(0) {...}> here to
+Instead, we are using "C<sub somename :Path :Args(0) {...}>" here to
specifically match the URL C</login>. C<Path> actions (aka, "literal
actions") create URI matches relative to the namespace of the
controller where they are defined. Although C<Path> supports
B<IMPORTANT NOTE:> If you are having issues with authentication on
Internet Explorer, be sure to check the system clocks on both your
server and client machines. Internet Explorer is very picky about
-timestamps for cookies. Note that you can quickly sync an Ubuntu
-system with the following command:
+timestamps for cookies. You can quickly sync an Ubuntu system with
+the following command:
sudo ntpdate ntp.ubuntu.com
B<Note:> This section is optional. You can skip it and the rest of the
tutorial will function normally.
-Note that even with the techniques shown in this section, the browser
+Be aware that even with the techniques shown in this section, the browser
still transmits the passwords in cleartext to your application. We are
just avoiding the I<storage> of cleartext passwords in the database by
using a SHA-1 hash. If you are concerned about cleartext passwords
between the browser and your application, consider using SSL/TLS, made
-easy with the Catalyst plugin Catalyst::Plugin:RequireSSL.
+easy with the Catalyst plugin Catalyst::Plugin:RequireSSL. You should
+also consider adding a "salt" mechanism to your hashed passwords to
+mitigate the risk of a "rainbow table" crack against your passwords.
=head2 Get a SHA-1 Hash for the Password
$ script/myapp_server.pl
You should now be able to go to L<http://localhost:3000/books/list> and
-login as before. When done, click the "Logout" link on the login page
+login as before. When done, click the "logout" link on the login page
(or point your browser at L<http://localhost:3000/logout>).
remain set across multiple requests. Once the value is read, it
is cleared (unless reset). Although C<flash> has nothing to do with
authentication, it does leverage the same session plugins. Now that
-those plugins are enabled, let's go back and improve the "delete
+those plugins are enabled, let's go back and update the "delete
and redirect with query parameters" code seen at the end of the
L<Basic CRUD|Catalyst::Manual::Tutorial::BasicCRUD> part of the
-tutorial.
+tutorial to take advantage of C<flash>.
First, open C<lib/MyApp/Controller/Books.pm> and modify C<sub delete>
to match the following (everything after the model search line of code
=cut
- sub delete : Local {
- # $id = primary key of book to delete
- my ($self, $c, $id) = @_;
+ sub delete :Chained('object') :PathPart('delete') :Args(0) {
+ my ($self, $c) = @_;
- # Search for the book and then delete it
- $c->model('DB::Books')->search({id => $id})->delete_all;
+ # Use the book object saved by 'object' and delete it along
+ # with related 'book_authors' entries
+ $c->stash->{object}->delete;
# Use 'flash' to save information across requests until it's read
$c->flash->{status_msg} = "Book deleted";
=head2 Try Out Flash
-Restart the development server and point your browser to
-L<http://localhost:3000/books/url_create/Test/1/4> to create an extra
-several books. Click the "Return to list" link and delete one of the
-"Test" books you just added. The C<flash> mechanism should retain our
+Restart the development server, log in, and then point your browser to
+L<http://localhost:3000/books/url_create/Test/1/4> to create an extra
+several books. Click the "Return to list" link and delete one of the
+"Test" books you just added. The C<flash> mechanism should retain our
"Book deleted" status message across the redirect.
B<NOTE:> While C<flash> will save information across multiple requests,
=head2 Switch To Flash-To-Stash
-Although the a use of flash above is certainly an improvement over the
-C<status_msg> we employed in Part 4 of the tutorial, the
+Although the a use of flash above works well, the
C<status_msg || c.flash.status_msg> statement is a little ugly. A nice
alternative is to use the C<flash_to_stash> feature that automatically
copies the content of flash to stash. This makes your controller
and template code work regardless of where it was directly access, a
-forward, or a redirect. To enable C<flash_to_stash>, you can either
+forward, or a redirect. To enable C<flash_to_stash>, you can either
set the value in C<lib/MyApp.pm> by changing the default
C<__PACKAGE__-E<gt>config> setting to something like:
- =head1 NAME
+=head1 NAME
Catalyst::Manual::Tutorial::BasicCRUD - Catalyst Tutorial - Part 4: Basic CRUD
http://localhost:3000/books/url_create/TCPIP_Illustrated_Vol-2/5/4
-Your browser should display "Added book 'TCPIP_Illustrated_Vol-2' by
-'Stevens' with a rating of 5." along with a dump of the new book model
-object. You should also see the following DBIC debug messages displayed
-in the development server log messages if you have DBIC_TRACE set:
+Your browser should display "Added book 'TCPIP_Illustrated_Vol-2' by
+'Stevens' with a rating of 5." along with a dump of the new book model
+object as it was returned by DBIC. You should also see the following
+DBIC debug messages displayed in the development server log messages
+if you have DBIC_TRACE set:
INSERT INTO books (rating, title) VALUES (?, ?): `5', `TCPIP_Illustrated_Vol-2'
INSERT INTO book_authors (author_id, book_id) VALUES (?, ?): `4', `6'
C<:Local> attribute), you will notice that it produced output similar
to the following:
- [debug] Loaded Path actions:
- .-------------------------------------+--------------------------------------.
- | Path | Private |
- +-------------------------------------+--------------------------------------+
- | / | /default |
- | / | /index |
- | /books | /books/index |
- | /books/list | /books/list |
- | /books/url_create | /books/url_create |
- '-------------------------------------+--------------------------------------'
+ [debug] Loaded Path actions:
+ .-------------------------------------+--------------------------------------.
+ | Path | Private |
+ +-------------------------------------+--------------------------------------+
+ | / | /default |
+ | / | /index |
+ | /books | /books/index |
+ | /books/list | /books/list |
+ | /books/url_create | /books/url_create |
+ '-------------------------------------+--------------------------------------'
Now start the development server with our basic chained method in
place and the startup debug output should change to something along
the lines of the following:
- [debug] Loaded Path actions:
- .-------------------------------------+--------------------------------------.
- | Path | Private |
- +-------------------------------------+--------------------------------------+
- | / | /default |
- | / | /index |
- | /books | /books/index |
- | /books/list | /books/list |
- '-------------------------------------+--------------------------------------'
-
- [debug] Loaded Chained actions:
- .-------------------------------------+--------------------------------------.
- | Path Spec | Private |
- +-------------------------------------+--------------------------------------+
- | /books/url_create/*/*/* | /books/url_create |
- '-------------------------------------+--------------------------------------'
+ [debug] Loaded Path actions:
+ .-------------------------------------+--------------------------------------.
+ | Path | Private |
+ +-------------------------------------+--------------------------------------+
+ | / | /default |
+ | / | /index |
+ | /books | /books/index |
+ | /books/list | /books/list |
+ '-------------------------------------+--------------------------------------'
+
+ [debug] Loaded Chained actions:
+ .-------------------------------------+--------------------------------------.
+ | Path Spec | Private |
+ +-------------------------------------+--------------------------------------+
+ | /books/url_create/*/*/* | /books/url_create |
+ '-------------------------------------+--------------------------------------'
C<url_create> has disappeared form the "Loaded Path actions" section
but it now shows up under the newly created "Loaded Chained actions"
-section. And, the "/*/*/*" portion clearly shows that we have
-specified that 3 arguments are required.
+section. And, the "/*/*/*" portion clearly shows our requirement for
+three arguments.
As with our non-chained version of C<url_create>, use your browser to
enter the following URL:
- http://localhost:3000/books/url_create/TCPIP_Illustrated_Vol-2/5/4
+ http://localhost:3000/books/url_create/TCPIP_Illustrated_Vol-2/5/4
You should see the same "Added book 'TCPIP_Illustrated_Vol-2' by
'Stevens' with a rating of 5." along with a dump of the new book model
C<lib/MyApp/Controller/Books.pm> in your editor and add the following
method:
- =head2 base
-
- Can place common logic to start chained dispatch here
-
- =cut
-
- sub base :Chained('/') :PathPart('books') :CaptureArgs(0) {
- my ($self, $c) = @_;
-
- # Store the resultset in stash so it's available for other methods
- $c->stash->{resultset} = $c->model('DB::Books');
-
- # Print a message to the debug log
- $c->log->debug('*** INSIDE BASE METHOD ***');
- }
-
-Here we print a log message and store the resultset in
+ =head2 base
+
+ Can place common logic to start chained dispatch here
+
+ =cut
+
+ sub base :Chained('/') :PathPart('books') :CaptureArgs(0) {
+ my ($self, $c) = @_;
+
+ # Store the resultset in stash so it's available for other methods
+ $c->stash->{resultset} = $c->model('DB::Books');
+
+ # Print a message to the debug log
+ $c->log->debug('*** INSIDE BASE METHOD ***');
+ }
+
+Here we print a log message and store the DBIC resultset in
C<$c-E<gt>stash-E<gt>{resultset}> so that it's automatically available
for other actions that chain off C<base>. If your controller always
needs a book ID as it's first argument, you could have the base method
capture that argument (with C<:CaptureArgs(1)>) and use it to pull the
-book object with that ID from the database and leave it in the stash for
+book object with C<-E<gt>find($id)> and leave it in the stash for
later parts of your chains to then act upon. Because we have several
actions that don't need to retrieve a book (such as the C<url_create>
we are working with now), we will instead add that functionality
sub url_create :Chained('base') :PathPart('url_create') :Args(3) {
-Next, let's try out our refactored chain. Restart the development
-server and notice that our "Loaded Chained actions" section has
-changed slightly:
-
- [debug] Loaded Chained actions:
- .-------------------------------------+--------------------------------------.
- | Path Spec | Private |
- +-------------------------------------+--------------------------------------+
- | /books/url_create/*/*/* | /books/base (0) |
- | | => /books/url_create |
- '-------------------------------------+--------------------------------------'
+Next, try out the refactored chain by restarting the development
+server. Notice that our "Loaded Chained actions" section has changed
+slightly:
+
+ [debug] Loaded Chained actions:
+ .-------------------------------------+--------------------------------------.
+ | Path Spec | Private |
+ +-------------------------------------+--------------------------------------+
+ | /books/url_create/*/*/* | /books/base (0) |
+ | | => /books/url_create |
+ '-------------------------------------+--------------------------------------'
The "Path Spec" is the same, but now it maps to two Private actions as
we would expect.
Once again, enter the following URL into your browser:
- http://localhost:3000/books/url_create/TCPIP_Illustrated_Vol-2/5/4
+ http://localhost:3000/books/url_create/TCPIP_Illustrated_Vol-2/5/4
The same "Added book 'TCPIP_Illustrated_Vol-2' by 'Stevens' with a
-rating of 5." and dump of the new book object should appear. Also
-notice the extra debug message in the development server output from
-the C<base> method. Click the "Return to list" link, you should find
-that there are now eight books shown.
+rating of 5" message and dump of the new book object should appear.
+Also notice the extra debug message in the development server output
+from the C<base> method. Click the "Return to list" link, you should
+find that there are now eight books shown.
=head1 MANUALLY BUILDING A CREATE FORM
Notice that the server startup log reflects the two new chained
methods that we added:
- [debug] Loaded Chained actions:
- .-------------------------------------+--------------------------------------.
- | Path Spec | Private |
- +-------------------------------------+--------------------------------------+
- | /books/form_create | /books/base (0) |
- | | => /books/form_create |
- | /books/form_create_do | /books/base (0) |
- | | => /books/form_create_do |
- | /books/url_create/*/*/* | /books/base (0) |
- | | => /books/url_create |
- '-------------------------------------+--------------------------------------'
+ [debug] Loaded Chained actions:
+ .-------------------------------------+--------------------------------------.
+ | Path Spec | Private |
+ +-------------------------------------+--------------------------------------+
+ | /books/form_create | /books/base (0) |
+ | | => /books/form_create |
+ | /books/form_create_do | /books/base (0) |
+ | | => /books/form_create_do |
+ | /books/url_create/*/*/* | /books/base (0) |
+ | | => /books/url_create |
+ '-------------------------------------+--------------------------------------'
Point your browser to L<http://localhost:3000/books/form_create> and
enter "TCP/IP Illustrated, Vol 3" for the title, a rating of 5, and an
=item *
If you are referring to a method in a different controller, you need
-to include that as an argument to C<controller()>, as in
+to include that controller's name as an argument to C<controller()>, as in
C<$c-E<gt>controller('_controller_name_')-E<gt>action_for('_method_name_')>.
=back
-B<Note:> You should use more than just a simple link with your
-applications. Consider using some sort of of confirmation page
+B<Note:> In general, you should use more than just a simple link with
+your applications. Consider using some sort of of confirmation page
(typically with unique actions in your controller for both the
confirmation and the actual delete operation). Also, you should try
to use an HTTP POST operation (versus the GET used here) for
=head2 Add a Common Method to Retrieve a Book for the Chain
-As mentioned earlier, since we have a mixture of actions that operate on
-a single book ID and others that do no, we should not have C<base>
+As mentioned earlier, since we have a mixture of actions that operate
+on a single book ID and others that do no, we should not have C<base>
capture the book ID, find the corresponding book in the database and
save it in the stash for later links in the chain. However, just
-because that logic does not belong in C<base> doesn't mean that we can't
-create another location to centralize that logic. In our case, we will
-create a method called C<object> that will store the specific book in
-the stash. Chains that always operate on a single existing book can
-chain off this method, but methods such as C<url_create> that don't
-operate on an existing book can chain directly off base.
+because that logic does not belong in C<base> doesn't mean that we
+can't create another location to centralize the book lookup code. In
+our case, we will create a method called C<object> that will store the
+specific book in the stash. Chains that always operate on a single
+existing book can chain off this method, but methods such as
+C<url_create> that don't operate on an existing book can chain
+directly off base.
To add the C<object> method, edit C<lib/MyApp/Controller/Books.pm>
and add the following code:
=cut
sub object :Chained('base') :PathPart('id') :CaptureArgs(1) {
+ # $id = primary key of book to delete
my ($self, $c, $id) = @_;
# Find the book object and store it in the stash
$c->stash({object => $c->stash->{resultset}->find($id),
another_thing => 1});
-Either format works, but the C<$c-E<gt>stash(name => value);>
+Either format works, but the C<$c-E<gt>stash(name =E<gt> value);>
style is growing in popularity -- you may which to use it all
the time (even when you are only setting a single value).
=cut
sub delete :Chained('object') :PathPart('delete') :Args(0) {
- # $id = primary key of book to delete
my ($self, $c) = @_;
# Use the book object saved by 'object' and delete it along
This method first deletes the book object saved by the C<object> method.
However, it also removes the corresponding entry from the
-C<book_authors> table. Note that C<delete> will cascade to also delete
-the related join table entries in C<book_authors>.
+C<book_authors> table with a cascading delete.
Then, rather than forwarding to a "delete done" page as we did with the
earlier create example, it simply sets the C<status_msg> to display a
The C<delete> method now appears in the "Loaded Chained actions" section
of the startup debug output:
- [debug] Loaded Chained actions:
+ [debug] Loaded Chained actions:
.-------------------------------------+--------------------------------------.
| Path Spec | Private |
+-------------------------------------+--------------------------------------+
http://localhost:3000/books/delete/6
-What if the user were to press reload with this URL still active? In
-this case the redundant delete is harmless, but in other cases this
-could clearly be extremely dangerous.
+What if the user were to press reload with this URL still active? In
+this case the redundant delete is harmless (although it does generate
+an exception screen, it doesn't perform any undesirable actions on the
+application or database), but in other cases this could clearly be
+extremely dangerous.
We can improve the logic by converting to a redirect. Unlike
C<$c-E<gt>forward('list'))> or C<$c-E<gt>detach('list'))> that perform
=cut
sub delete :Chained('object') :PathPart('delete') :Args(0) {
- # $id = primary key of book to delete
- my ($self, $c, $id) = @_;
+ my ($self, $c) = @_;
# Use the book object saved by 'object' and delete it along
# with related 'book_authors' entries
# Redirect the user back to the list page. Note the use
# of $self->action_for as earlier in this section (BasicCRUD)
- $c->response->redirect($c->uri_for($self->action_for('list'));
+ $c->response->redirect($c->uri_for($self->action_for('list')));
}
=cut
sub delete :Chained('object') :PathPart('delete') :Args(0) {
- # $id = primary key of book to delete
- my ($self, $c, $id) = @_;
+ my ($self, $c) = @_;
# Use the book object saved by 'object' and delete it along
# with related 'book_authors' entries
# in t/controller_Books.t at line 8.
# Looks like you failed 1 test of 3.
-B<Note:> Depending on the versions of various modules you have
-installed, you might get some C<used only once> warnings -- you can
-ignore these. If you are following along in Ubuntu 8.10, you can
-prevent them by adding C<no warnings;> above line 49 in
-C</usr/lib/perl5/Template/Base.pm> to match the following:
-
- ...
- { no strict qw( refs );
- no warnings;
- $argnames = \@{"$class\::BASEARGS"} || [ ];
- }
- ...
-
The redirection used by the Authentication plugins will cause several
failures in the default tests. You can fix this by making the following
changes:
ok( request('/login')->is_success, 'Request should succeed' );
-2) Change the C<request('/logout')-E<gt>is_success> to
-C<request('/logout')-E<gt>is_redirect> in C<t/controller_Logout.t>.
+2) Change the "C<request('/logout')-E<gt>is_success>" to
+"C<request('/logout')-E<gt>is_redirect>" in C<t/controller_Logout.t>.
-3) Change the C<request('/books')-E<gt>is_success> to
-C<request('/books')-E<gt>is_redirect> in C<t/controller_Books.t>.
+3) Change the "C<request('/books')-E<gt>is_success>" to
+"C<request('/books')-E<gt>is_redirect>" in C<t/controller_Books.t>.
-4) Add C<use MyApp;> to the top of C<t/view_TT.t>.
+4) Add "C<use MyApp;>" to the top of C<t/view_TT.t>.
As you can see in the C<prove> command line above, the C<--lib> option
is used to set the location of the Catalyst C<lib> directory. With this
$ CATALYST_DEBUG=0 prove --lib lib t
+B<Note:> Depending on the versions of various modules you have
+installed, you might get some C<used only once> warnings -- you can
+ignore these. If you are following along in Ubuntu 8.10, you can
+prevent them by adding C<no warnings;> above line 49 in
+C</usr/lib/perl5/Template/Base.pm> to match the following:
+
+ ...
+ { no strict qw( refs );
+ no warnings;
+ $argnames = \@{"$class\::BASEARGS"} || [ ];
+ }
+ ...
+
During the C<t/02pod> and C<t/03podcoverage> tests, you might notice the
C<all skipped: set TEST_POD to enable this test> warning message. To
execute the Pod-related tests, add C<TEST_POD=1> to the C<prove>
$_->content_contains("Book List", "Check for book list title") for $ua1, $ua2;
# Make sure the appropriate logout buttons are displayed
- $_->content_contains("/logout\">Logout</a>",
+ $_->content_contains("/logout\">User Logout</a>",
"Both users should have a 'User Logout'") for $ua1, $ua2;
$ua1->content_contains("/books/form_create\">Create</a>",
"Only 'test01' should have a create link");
This will cause the full HTML returned by the request to be displayed.
+Another approach to see the full HTML content at the failure point in
+a series of tests would be to insert a "C<$DB::single=1;> right above
+the location of the failure and run the test under the perl debugger
+(with C<-d>) as shown above. Then you can use the debugger to explore
+the state of the application right before or after the failure.
+
=head1 SUPPORTING BOTH PRODUCTION AND TEST DATABASES
projects / catagits/Catalyst-Manual.git / commitdiff