projects / catagits/Catalyst-Runtime.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | history | HEAD
Remove comment about code not being in subversion yet.
[catagits/Catalyst-Runtime.git] / lib / Catalyst / Manual / Tutorial / Authentication.pod
CommitLineData
4d583dd8 1=head1 NAME
2
64ccd8a8 3Catalyst::Manual::Tutorial::Authentication - Catalyst Tutorial - Part 4: Authentication
4d583dd8 4
5
4d583dd8 6=head1 OVERVIEW
7
8This is B<Part 4 of 9> for the Catalyst tutorial.
9
64ccd8a8 10L<Tutorial Overview|Catalyst::Manual::Tutorial>
4d583dd8 11
12=over 4
13
14=item 1
15
16L<Introduction|Catalyst::Manual::Tutorial::Intro>
17
18=item 2
19
20L<Catalyst Basics|Catalyst::Manual::Tutorial::CatalystBasics>
21
22=item 3
23
64ccd8a8 24L<Basic CRUD|Catalyst::Manual::Tutorial_BasicCRUD>
4d583dd8 25
26=item 4
27
28B<Authentication>
29
30=item 5
31
32L<Authorization|Catalyst::Manual::Tutorial::Authorization>
33
34=item 6
35
36L<Debugging|Catalyst::Manual::Tutorial::Debugging>
37
38=item 7
39
40L<Testing|Catalyst::Manual::Tutorial::Testing>
41
42=item 8
43
44L<AdvancedCRUD|Catalyst::Manual::Tutorial::AdvancedCRUD>
45
46=item 9
47
71dedf57 48L<Appendices|Catalyst::Manual::Tutorial::Appendicies>
4d583dd8 49
50=back
51
52
4d583dd8 53=head1 DESCRIPTION
54
64ccd8a8 55Now that we finally have a simple yet functional application, we can
71dedf57 56focus on providing authentication (with authorization coming next in
57Part 5).
4d583dd8 58
64ccd8a8 59This part of the tutorial is divided into two main sections: 1) basic,
60cleartext authentication and 2) hash-based authentication.
4d583dd8 61
64ccd8a8 62B<TIP>: Note that all of the code for this part of the tutorial can be
63pulled from the Catalyst Subversion repository in one step with the
64following command:
4d583dd8 65
d645910d 66 svn checkout http://dev.catalyst.perl.org/repos/Catalyst/trunk/examples/Tutorial@4612 .
4d583dd8 67
68
4d583dd8 69=head1 BASIC AUTHENTICATION
70
71dedf57 71This section explores how to add authentication logic to a Catalyst
72application.
4d583dd8 73
a63e6e67 74
4d583dd8 75=head2 Add Users and Roles to the Database
76
71dedf57 77First, we add both user and role information to the database (we will
78add the role information here although it will not be used until the
64ccd8a8 79authorization section, Part 5). Create a new SQL script file by opening
80C<myapp02.sql> in your editor and insert:
4d583dd8 81
82 --
83 -- Add users and roles tables, along with a many-to-many join table
84 --
85 CREATE TABLE users (
86 id INTEGER PRIMARY KEY,
87 username TEXT,
88 password TEXT,
89 email_address TEXT,
90 first_name TEXT,
91 last_name TEXT,
92 active INTEGER
93 );
94 CREATE TABLE roles (
95 id INTEGER PRIMARY KEY,
96 role TEXT
97 );
98 CREATE TABLE user_roles (
99 user_id INTEGER,
100 role_id INTEGER,
101 PRIMARY KEY (user_id, role_id)
102 );
103 --
104 -- Load up some initial test data
105 --
106 INSERT INTO users VALUES (1, 'test01', 'mypass', 't01@na.com', 'Joe', 'Blow', 1);
107 INSERT INTO users VALUES (2, 'test02', 'mypass', 't02@na.com', 'Jane', 'Doe', 1);
108 INSERT INTO users VALUES (3, 'test03', 'mypass', 't03@na.com', 'No', 'Go', 0);
109 INSERT INTO roles VALUES (1, 'user');
110 INSERT INTO roles VALUES (2, 'admin');
111 INSERT INTO user_roles VALUES (1, 1);
112 INSERT INTO user_roles VALUES (1, 2);
113 INSERT INTO user_roles VALUES (2, 1);
114 INSERT INTO user_roles VALUES (3, 1);
115
116Then load this into the C<myapp.db> database with the following command:
117
118 $ sqlite3 myapp.db < myapp02.sql
119
120
71dedf57 121=head2 Add User and Role Information to DBIC Schema
4d583dd8 122
64ccd8a8 123This step adds DBIC-based classes for the user-related database tables
71dedf57 124(the role information will not be used until Part 5):
4d583dd8 125
64ccd8a8 126Edit C<lib/MyAppDB.pm> and update the contents to match (only the
127C<MyAppDB =E<gt> [qw/Book BookAuthor Author User UserRole Role/]> line
128has changed):
4d583dd8 129
130 package MyAppDB;
131
132 =head1 NAME
133
134 MyAppDB -- DBIC Schema Class
135
136 =cut
137
138 # Our schema needs to inherit from 'DBIx::Class::Schema'
139 use base qw/DBIx::Class::Schema/;
140
141 # Need to load the DB Model classes here.
142 # You can use this syntax if you want:
143 # __PACKAGE__->load_classes(qw/Book BookAuthor Author User UserRole Role/);
144 # Also, if you simply want to load all of the classes in a directory
145 # of the same name as your schema class (as we do here) you can use:
146 # __PACKAGE__->load_classes(qw//);
147 # But the variation below is more flexible in that it can be used to
148 # load from multiple namespaces.
149 __PACKAGE__->load_classes({
150 MyAppDB => [qw/Book BookAuthor Author User UserRole Role/]
151 });
152
153 1;
154
155
156=head2 Create New "Result Source Objects"
157
158Create the following three files with the content shown below.
159
160C<lib/MyAppDB/User.pm>:
161
162 package MyAppDB::User;
163
164 use base qw/DBIx::Class/;
165
166 # Load required DBIC stuff
167 __PACKAGE__->load_components(qw/PK::Auto Core/);
168 # Set the table name
169 __PACKAGE__->table('users');
170 # Set columns in table
171 __PACKAGE__->add_columns(qw/id username password email_address first_name last_name/);
172 # Set the primary key for the table
173 __PACKAGE__->set_primary_key('id');
174
175 #
176 # Set relationships:
177 #
178
179 # has_many():
180 # args:
181 # 1) Name of relationship, DBIC will create accessor with this name
182 # 2) Name of the model class referenced by this relationship
183 # 3) Column name in *foreign* table
184 __PACKAGE__->has_many(map_user_role => 'MyAppDB::UserRole', 'user_id');
185
186
187 =head1 NAME
188
189 MyAppDB::User - A model object representing a person with access to the system.
190
191 =head1 DESCRIPTION
192
193 This is an object that represents a row in the 'users' table of your application
194 database. It uses DBIx::Class (aka, DBIC) to do ORM.
195
196 For Catalyst, this is designed to be used through MyApp::Model::MyAppDB.
197 Offline utilities may wish to use this class directly.
198
199 =cut
200
201 1;
202
203
204C<lib/MyAppDB/Role.pm>:
205
206 package MyAppDB::Role;
207
208 use base qw/DBIx::Class/;
209
210 # Load required DBIC stuff
211 __PACKAGE__->load_components(qw/PK::Auto Core/);
212 # Set the table name
213 __PACKAGE__->table('roles');
214 # Set columns in table
215 __PACKAGE__->add_columns(qw/id role/);
216 # Set the primary key for the table
217 __PACKAGE__->set_primary_key('id');
218
219 #
220 # Set relationships:
221 #
222
223 # has_many():
224 # args:
225 # 1) Name of relationship, DBIC will create accessor with this name
226 # 2) Name of the model class referenced by this relationship
227 # 3) Column name in *foreign* table
228 __PACKAGE__->has_many(map_user_role => 'MyAppDB::UserRole', 'role_id');
229
230
231 =head1 NAME
232
233 MyAppDB::Role - A model object representing a class of access permissions to
234 the system.
235
236 =head1 DESCRIPTION
237
238 This is an object that represents a row in the 'roles' table of your
239 application database. It uses DBIx::Class (aka, DBIC) to do ORM.
240
241 For Catalyst, this is designed to be used through MyApp::Model::MyAppDB.
242 "Offline" utilities may wish to use this class directly.
243
244 =cut
245
246 1;
247
248
249C<lib/MyAppDB/UserRole.pm>:
250
251 package MyAppDB::UserRole;
252
253 use base qw/DBIx::Class/;
254
255 # Load required DBIC stuff
256 __PACKAGE__->load_components(qw/PK::Auto Core/);
257 # Set the table name
258 __PACKAGE__->table('user_roles');
259 # Set columns in table
260 __PACKAGE__->add_columns(qw/user_id role_id/);
261 # Set the primary key for the table
262 __PACKAGE__->set_primary_key(qw/user_id role_id/);
263
264 #
265 # Set relationships:
266 #
267
268 # belongs_to():
269 # args:
270 # 1) Name of relationship, DBIC will create accessor with this name
271 # 2) Name of the model class referenced by this relationship
272 # 3) Column name in *this* table
273 __PACKAGE__->belongs_to(user => 'MyAppDB::User', 'user_id');
274
275 # belongs_to():
276 # args:
277 # 1) Name of relationship, DBIC will create accessor with this name
278 # 2) Name of the model class referenced by this relationship
279 # 3) Column name in *this* table
280 __PACKAGE__->belongs_to(role => 'MyAppDB::Role', 'role_id');
281
282
283 =head1 NAME
284
285 MyAppDB::UserRole - A model object representing the JOIN between Users and Roles.
286
287 =head1 DESCRIPTION
288
289 This is an object that represents a row in the 'user_roles' table of your application
290 database. It uses DBIx::Class (aka, DBIC) to do ORM.
291
292 You probably won't need to use this class directly -- it will be automatically
293 used by DBIC where joins are needed.
294
295 For Catalyst, this is designed to be used through MyApp::Model::MyAppDB.
296 Offline utilities may wish to use this class directly.
297
298 =cut
299
300 1;
301
302The code for these three result source classes is obviously very familiar to the C<Book>, C<Author>, and C<BookAuthor> classes created in Part 2.
303
304
305=head2 Sanity-Check Reload of Development Server
306
307We aren't ready to try out the authentication just yet; we only want to do a quick check to be sure our model loads correctly. Press C<Ctrl-C> to kill the previous server instance (if it's still running) and restart it:
308
309 $ script/myapp_server.pl
310
311Look for the three new model objects in the startup debug output:
312
313 ...
314 .-------------------------------------------------------------------+----------.
315 | Class | Type |
316 +-------------------------------------------------------------------+----------+
317 | MyApp::Controller::Books | instance |
318 | MyApp::Controller::Root | instance |
319 | MyApp::Model::MyAppDB | instance |
320 | MyApp::Model::MyAppDB::Author | class |
321 | MyApp::Model::MyAppDB::Book | class |
322 | MyApp::Model::MyAppDB::BookAuthor | class |
323 | MyApp::Model::MyAppDB::Role | class |
324 | MyApp::Model::MyAppDB::User | class |
325 | MyApp::Model::MyAppDB::UserRole | class |
326 | MyApp::View::TT | instance |
327 '-------------------------------------------------------------------+----------'
328 ...
329
330Again, notice that your "result source" classes have been "re-loaded" by Catalyst under C<MyApp::Model>.
331
332
333=head2 Include Authentication and Session Plugins
334
33aee7ed 335Edit C<lib/MyApp.pm> and update it as follows (everything below C<StackTrace> is new):
4d583dd8 336
337 use Catalyst qw/
338 -Debug
339 ConfigLoader
340 Static::Simple
341
4d583dd8 342 StackTrace
4d583dd8 343
344 Authentication
345 Authentication::Store::DBIC
346 Authentication::Credential::Password
347
348 Session
349 Session::Store::FastMmap
350 Session::State::Cookie
351 /;
352
64ccd8a8 353The three C<Authentication> plugins work together to support
354Authentication while the C<Session> plugins are required to maintain
355state across multiple HTTP requests. Note that there are several
a63e6e67 356options for L<Session::Store|Catalyst::Plugin::Session::Store>
357(L<Session::Store::FastMmap|Catalyst::Plugin::Session::Store::FastMmap>
64ccd8a8 358is generally a good choice if you are on Unix; try
359L<Cache::FileCache|Catalyst::Plugin::Cache::FileCache> if you are on
360Win32) -- consult L<Session::Store|Catalyst::Plugin::Session::Store> and
361its subclasses for additional information.
4d583dd8 362
a63e6e67 363
4d583dd8 364=head2 Configure Authentication
365
64ccd8a8 366Although C<__PACKAGE__-E<gt>config(name =E<gt> 'value');> is still
367supported, newer Catalyst applications tend to place all configuration
368information in C<myapp.yml> and automatically load this information into
a63e6e67 369C<MyApp-E<gt>config> using the
370L<ConfigLoader|Catalyst::Plugin::ConfigLoader> plugin. Here, we need
371to load several parameters that tell
372L<Catalyst::Plugin::Authentication|Catalyst::Plugin::Authentication>
373where to locate information in your database. To do this, edit the
374C<myapp.yml> YAML and update it to match:
4d583dd8 375
376 ---
377 name: MyApp
378 authentication:
379 dbic:
380 # Note this first definition would be the same as setting
381 # __PACKAGE__->config->{authentication}->{dbic}->{user_class} = 'MyAppDB::User'
382 # in lib/MyApp.pm (IOW, each hash key becomes a "name:" in the YAML file).
383 #
384 # This is the model object created by Catalyst::Model::DBIC from your
385 # schema (you created 'MyAppDB::User' but as the Catalyst startup
386 # debug messages show, it was loaded as 'MyApp::Model::MyAppDB::User').
a63e6e67 387 # NOTE: Omit 'MyApp::Model' to avoid a component lookup issue in Catalyst 5.66
4d583dd8 388 user_class: MyAppDB::User
389 # This is the name of the field in your 'users' table that contains the user's name
390 user_field: username
391 # This is the name of the field in your 'users' table that contains the password
392 password_field: password
393 # Other options can go here for hashed passwords
394
395Inline comments in the code above explain how each field is being used.
396
64ccd8a8 397B<TIP>: Although YAML uses a very simple and easy-to-ready format, it
398does require the use of a consistent level of indenting. Be sure you
399line up everything on a given 'level' with the same number of indents.
400Also, be sure not to use C<tab> characters (YAML does not support them
401because they are handled inconsistently across editors).
4d583dd8 402
a63e6e67 403
4d583dd8 404=head2 Add Login and Logout Controllers
405
406Use the Catalyst create script to create two stub controller files:
407
408 $ script/myapp_create.pl controller Login
409 $ script/myapp_create.pl controller Logout
410
64ccd8a8 411B<NOTE>: You could easily use a single controller here. For example,
412you could have a C<User> controller with both C<login> and C<logout>
413actions. Remember, Catalyst is designed to be very flexible, and leaves
414such matters up to you, the designer and programmer.
4d583dd8 415
be16bacd 416Then open C<lib/MyApp/Controller/Login.pm>, locate the C<sub index :
417Private> method (this was automatically inserted by the helpers when we
418created the Login controller above), and delete this line:
419
420 $c->response->body('Matched MyApp::Controller::Login in Login.');
421
422Then update it to match:
4d583dd8 423
7e5eb02c 424 =head2 base
4d583dd8 425
426 Login logic
427
428 =cut
429
be16bacd 430 sub index : Private {
4d583dd8 431 my ($self, $c) = @_;
432
433 # Get the username and password from form
434 my $username = $c->request->params->{username} || "";
435 my $password = $c->request->params->{password} || "";
436
437 # If the username and password values were found in form
438 if ($username && $password) {
439 # Attempt to log the user in
440 if ($c->login($username, $password)) {
441 # If successful, then let them use the application
442 $c->response->redirect($c->uri_for('/books/list'));
443 return;
444 } else {
445 # Set an error message
446 $c->stash->{error_msg} = "Bad username or password.";
447 }
448 }
449
450 # If either of above don't work out, send to the login page
451 $c->stash->{template} = 'login.tt2';
452 }
453
64ccd8a8 454This controller fetches the C<username> and C<password> values from the
455login form and attempts to perform a login. If successful, it redirects
456the user to the book list page. If the login fails, the user will stay
457at the login page but receive an error message. If the C<username> and
458C<password> values are not present in the form, the user will be taken
459to the empty login form.
4d583dd8 460
7e5eb02c 461Note that we could have used something like C<sub default :Private>;
462however, the use of C<default> actions is discouraged because it does
463not receive path args as with other actions. The recommended practice
464is to only use C<default> in C<MyApp::Controller::Root>.
465
be16bacd 466Another options would be to use something like
467C<sub base :Path :Args(0) {...}> (where the C<...> refers to the login
468code shown in C<sub index : Private> above). We are using C<sub base
469:Path :Args(0) {...}> here to specifically match the URL C</login>.
470C<Path> actions (aka, "literal actions") create URI matches relative to
471the namespace of the controller where they are defined. Although
472C<Path> supports arguments that allow relative and absolute paths to be
473defined, here we use an empty C<Path> definition to match on just the
474name of the controller itself. The method name, C<base>, is arbitrary.
475We make the match even more specific with the C<:Args(0)> action
476modifier -- this forces the match on I<only> C</login>, not
477C</login/somethingelse>.
478
4d583dd8 479Next, create a corresponding method in C<lib/MyApp/Controller/Logout.pm>:
480
7e5eb02c 481 =head2 base
4d583dd8 482
483 Logout logic
484
485 =cut
486
be16bacd 487 sub index : Private {
4d583dd8 488 my ($self, $c) = @_;
489
490 # Clear the user's state
491 $c->logout;
492
71dedf57 493 # Send the user to the starting point
4d583dd8 494 $c->response->redirect($c->uri_for('/'));
495 }
496
be16bacd 497As with the login controller, be sure to delete the
498C<$c->response->body('Matched MyApp::Controller::Logout in Logout.');>
499line of the C<sub index>.
7e5eb02c 500
4d583dd8 501
502=head2 Add a Login Form TT Template Page
503
504Create a login form by opening C<root/src/login.tt2> and inserting:
505
506 [% META title = 'Login' %]
507
508 <!-- Login form -->
509 <form method="post" action=" [% Catalyst.uri_for('/login') %] ">
510 <table>
511 <tr>
512 <td>Username:</td>
513 <td><input type="text" name="username" size="40" /></td>
514 </tr>
515 <tr>
516 <td>Password:</td>
517 <td><input type="password" name="password" size="40" /></td>
518 </tr>
519 <tr>
520 <td colspan="2"><input type="submit" name="submit" value="Submit" /></td>
521 </tr>
522 </table>
523 </form>
524
525
526=head2 Add Valid User Check
527
64ccd8a8 528We need something that provides enforcement for the authentication
529mechanism -- a I<global> mechanism that prevents users who have not
530passed authentication from reaching any pages except the login page.
531This is generally done via an C<auto> action/method (prior to Catalyst
532v5.66, this sort of thing would go in C<MyApp.pm>, but starting in
533v5.66, the preferred location is C<lib/MyApp/Controller/Root.pm>).
4d583dd8 534
71dedf57 535Edit the existing C<lib/MyApp/Controller/Root.pm> class file and insert
536the following method:
4d583dd8 537
538 =head2 auto
539
540 Check if there is a user and, if not, forward to login page
541
542 =cut
543
544 # Note that 'auto' runs after 'begin' but before your actions and that
545 # 'auto' "chain" (all from application path to most specific class are run)
546 sub auto : Private {
547 my ($self, $c) = @_;
548
549 # Allow unauthenticated users to reach the login page
550 if ($c->request->path =~ /login/) {
551 return 1;
552 }
553
554 # If a user doesn't exist, force login
555 if (!$c->user_exists) {
556 # Dump a log message to the development server debug output
557 $c->log->debug('***Root::auto User not found, forwarding to /login');
558 # Redirect the user to the login page
559 $c->response->redirect($c->uri_for('/login'));
560 # Return 0 to cancel 'post-auto' processing and prevent use of application
561 return 0;
562 }
563
564 # User found, so return 1 to continue with processing after this 'auto'
565 return 1;
566 }
567
64ccd8a8 568B<Note:> Catalyst provides a number of different types of actions, such
569as C<Local>, C<Regex>, and C<Private>. You should refer to
71dedf57 570L<Catalyst::Manual::Intro> for a more detailed explanation, but the
571following bullet points provide a quick introduction:
4d583dd8 572
573=over 4
574
575=item *
576
64ccd8a8 577The majority of application use C<Local> actions for items that respond
578to user requests and C<Private> actions for those that do not directly
579respond to user input.
4d583dd8 580
581=item *
582
64ccd8a8 583There are five types of C<Private> actions: C<begin>, C<end>,
584C<default>, C<index>, and C<auto>.
4d583dd8 585
586=item *
587
a63e6e67 588Unlike the other actions where only a single method is called for each
589request, I<every> auto action along the chain of namespaces will be
590called.
4d583dd8 591
592=back
593
64ccd8a8 594By placing the authentication enforcement code inside the C<auto> method
595of C<lib/MyApp/Controller/Root.pm> (or C<lib/MyApp.pm>), it will be
596called for I<every> request that is received by the entire application.
4d583dd8 597
a63e6e67 598
4d583dd8 599=head2 Displaying Content Only to Authenticated Users
600
64ccd8a8 601Let's say you want to provide some information on the login page that
602changes depending on whether the user has authenticated yet. To do
603this, open C<root/src/login.tt2> in your editor and add the following
604lines to the bottom of the file:
4d583dd8 605
606 <p>
607 [%
608 # This code illustrates how certain parts of the TT
609 # template will only be shown to users who have logged in
610 %]
611 [% IF Catalyst.user %]
612 Please Note: You are already logged in as '[% Catalyst.user.username %]'.
613 You can <a href="[% Catalyst.uri_for('/logout') %]">logout</a> here.
614 [% ELSE %]
615 You need to log in to use this application.
616 [% END %]
617 [%#
618 Note that this whole block is a comment because the "#" appears
619 immediate after the "[%" (with no spaces in between). Although it
620 can be a handy way to temporarily "comment out" a whole block of
621 TT code, it's probably a little too subtle for use in "normal"
622 comments.
623 %]
624
64ccd8a8 625Although most of the code is comments, the middle few lines provide a
626"you are already logged in" reminder if the user returns to the login
627page after they have already authenticated. For users who have not yet
628authenticated, a "You need to log in..." message is displayed (note the
629use of an IF-THEN-ELSE construct in TT).
4d583dd8 630
631
632=head2 Try Out Authentication
633
64ccd8a8 634Press C<Ctrl-C> to kill the previous server instance (if it's still
635running) and restart it:
4d583dd8 636
637 $ script/myapp_server.pl
638
64ccd8a8 639B<IMPORTANT NOTE>: If you happen to be using Internet Explorer, you may
640need to use the command C<script/myapp_server.pl -k> to enable the
641keepalive feature in the development server. Otherwise, the HTTP
642redirect on successful login may not work correctly with IE (it seems to
643work without -k if you are running the web browser and development
644server on the same machine). If you are using browser a browser other
645than IE, it should work either way. If you want to make keepalive the
646default, you can edit C<script/myapp_server.pl> and change the
647initialization value for C<$keepalive> to C<1>. (You will need to do
648this every time you create a new Catalyst application or rebuild the
649C<myapp_server.pl> script.)
650
651Now trying going to L<http://localhost:3000/books/list> and you should
652be redirected to the login page, hitting Shift+Reload if necessary (the
653"You are already logged in" message should I<not> appear -- if it does,
71dedf57 654click the C<logout> button and try again). Note the C<***Root::auto User
655not found...> debug message in the development server output. Enter
656username C<test01> and password C<mypass>, and you should be taken to
657the Book List page.
4d583dd8 658
71dedf57 659Open C<root/src/books/list.tt2> and add the following lines to the
660bottom:
4d583dd8 661
662 <p>
663 <a href="[% Catalyst.uri_for('/login') %]">Login</a>
664 <a href="[% Catalyst.uri_for('form_create') %]">Create</a>
665 </p>
666
be16bacd 667Reload your browser and you should now see a "Login" and "Create" links
668at the bottom of the page (as mentioned earlier, you can update template
669files without reloading the development server). Click the first link
670to return to the login page. This time you I<should> see the "You are
671already logged in" message.
4d583dd8 672
64ccd8a8 673Finally, click the C<You can logout here> link on the C</login> page.
674You should stay at the login page, but the message should change to "You
675need to log in to use this application."
4d583dd8 676
677
4d583dd8 678=head1 USING PASSWORD HASHES
679
64ccd8a8 680In this section we increase the security of our system by converting
681from cleartext passwords to SHA-1 password hashes.
4d583dd8 682
64ccd8a8 683B<Note:> This section is optional. You can skip it and the rest of the
684tutorial will function normally.
4d583dd8 685
64ccd8a8 686Note that even with the techniques shown in this section, the browser
687still transmits the passwords in cleartext to your application. We are
688just avoiding the I<storage> of cleartext passwords in the database by
71dedf57 689using a SHA-1 hash. If you are concerned about cleartext passwords
690between the browser and your application, consider using SSL/TLS, made
a63e6e67 691easy with the Catalyst plugin
692L<Catalyst::Plugin:RequireSSL|Catalyst::Plugin:RequireSSL>.
693
4d583dd8 694
695=head2 Get a SHA-1 Hash for the Password
696
64ccd8a8 697Catalyst uses the C<Digest> module to support a variety of hashing
698algorithms. Here we will use SHA-1 (SHA = Secure Hash Algorithm).
699First, we should compute the SHA-1 hash for the "mypass" password we are
700using. The following command-line Perl script provides a "quick and
701dirty" way to do this:
4d583dd8 702
703 $ perl -MDigest::SHA -e 'print Digest::SHA::sha1_hex("mypass"), "\n"'
704 e727d1464ae12436e899a726da5b2f11d8381b26
705 $
706
cc548726 707B<Note:> You should probably modify this code for production use to
708not read the password from the command line. By having the script
709prompt for the cleartext password, it avoids having the password linger
710in forms such as your C<.bash_history> files (assuming you are using
711BASH as your shell). An example of such a script can be found in
712Appendix 3.
713
a63e6e67 714
4d583dd8 715=head2 Switch to SHA-1 Password Hashes in the Database
716
64ccd8a8 717Next, we need to change the C<password> column of our C<users> table to
718store this hash value vs. the existing cleartext password. Open
719C<myapp03.sql> in your editor and enter:
4d583dd8 720
721 --
722 -- Convert passwords to SHA-1 hashes
723 --
724 UPDATE users SET password = 'e727d1464ae12436e899a726da5b2f11d8381b26' WHERE id = 1;
725 UPDATE users SET password = 'e727d1464ae12436e899a726da5b2f11d8381b26' WHERE id = 2;
726 UPDATE users SET password = 'e727d1464ae12436e899a726da5b2f11d8381b26' WHERE id = 3;
727
728Then use the following command to update the SQLite database:
729
730 $ sqlite3 myapp.db < myapp03.sql
731
64ccd8a8 732B<Note:> We are using SHA-1 hashes here, but many other hashing
733algorithms are supported. See C<Digest> for more information.
4d583dd8 734
a63e6e67 735
64ccd8a8 736=head2 Enable SHA-1 Hash Passwords in
737C<Catalyst::Plugin::Authentication::Store::DBIC>
4d583dd8 738
64ccd8a8 739Edit C<myapp.yml> and update it to match (the C<password_type> and
740C<password_hash_type> are new, everything else is the same):
4d583dd8 741
742 ---
743 name: MyApp
744 authentication:
745 dbic:
746 # Note this first definition would be the same as setting
747 # __PACKAGE__->config->{authentication}->{dbic}->{user_class} = 'MyAppDB::User'
748 # in lib/MyApp.pm (IOW, each hash key becomes a "name:" in the YAML file).
749 #
750 # This is the model object created by Catalyst::Model::DBIC from your
751 # schema (you created 'MyAppDB::User' but as the Catalyst startup
752 # debug messages show, it was loaded as 'MyApp::Model::MyAppDB::User').
a63e6e67 753 # NOTE: Omit 'MyApp::Model' to avoid a component lookup issue in Catalyst 5.66
4d583dd8 754 user_class: MyAppDB::User
755 # This is the name of the field in your 'users' table that contains the user's name
756 user_field: username
757 # This is the name of the field in your 'users' table that contains the password
758 password_field: password
759 # Other options can go here for hashed passwords
760 # Enabled hashed passwords
761 password_type: hashed
762 # Use the SHA-1 hashing algorithm
763 password_hash_type: SHA-1
764
765
766=head2 Try Out the Hashed Passwords
767
64ccd8a8 768Press C<Ctrl-C> to kill the previous server instance (if it's still
769running) and restart it:
4d583dd8 770
771 $ script/myapp_server.pl
772
64ccd8a8 773You should now be able to go to L<http://localhost:3000/books/list> and
774login as before. When done, click the "Logout" link on the login page
775(or point your browser at L<http://localhost:3000/logout>).
4d583dd8 776
be16bacd 777B<Note:> If you receive the debug screen in your browser with a
778C<Can't call method "stash" on an undefined value...> error message,
779make sure that you are using v0.07 of
780L<Catalyst::Plugin::Authorization::ACL|Catalyst::Plugin::Authorization::ACL>.
781The following command can be a useful way to quickly dump the version number
782of this module on your system:
783
784 perl -MCatalyst::Plugin::Authorization::ACL -e 'print $Catalyst::Plugin::Authorization::ACL::VERSION, "\n";'
785
a63e6e67 786
4d583dd8 787=head1 AUTHOR
788
789Kennedy Clark, C<hkclark@gmail.com>
790
eed93301 791Please report any errors, issues or suggestions to the author. The
792most recent version of the Catlayst Tutorial can be found at
793L<http://dev.catalyst.perl.org/repos/Catalyst/trunk/Catalyst-Runtime/lib/Catalyst/Manual/Tutorial/>.
4d583dd8 794
a63e6e67 795Copyright 2006, Kennedy Clark, under Creative Commons License
796(L<http://creativecommons.org/licenses/by-nc-sa/2.5/>).
The Perl MVC Framework (catagits@git.shadowcat.co.uk:Catalyst-Runtime.git)