diff options
author | David Heinemeier Hansson <david@loudthinking.com> | 2007-05-08 05:48:18 +0000 |
---|---|---|
committer | David Heinemeier Hansson <david@loudthinking.com> | 2007-05-08 05:48:18 +0000 |
commit | 20eb59ad8a9e97a5bbb68df1ba2f15914c26a358 (patch) | |
tree | b8821fba747df8e787897101bafc5916b3df5d7a | |
parent | 5a9dc1231c337f20a53e22d01dcddf7953ec549d (diff) | |
download | rails-20eb59ad8a9e97a5bbb68df1ba2f15914c26a358.tar.gz rails-20eb59ad8a9e97a5bbb68df1ba2f15914c26a358.tar.bz2 rails-20eb59ad8a9e97a5bbb68df1ba2f15914c26a358.zip |
Included the HttpAuthentication plugin as part of core (ActionController::HttpAuthentication::Basic) [DHH]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6699 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
-rw-r--r-- | actionpack/CHANGELOG | 2 | ||||
-rwxr-xr-x | actionpack/lib/action_controller.rb | 2 | ||||
-rw-r--r-- | actionpack/lib/action_controller/http_authentication.rb | 121 | ||||
-rw-r--r-- | actionpack/test/controller/http_authentication_test.rb | 42 |
4 files changed, 167 insertions, 0 deletions
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG index 039ed8aa52..21df4be24a 100644 --- a/actionpack/CHANGELOG +++ b/actionpack/CHANGELOG @@ -1,5 +1,7 @@ *SVN* +* Included the HttpAuthentication plugin as part of core (ActionController::HttpAuthentication::Basic) [DHH] + * Modernize documentation for form helpers. [jeremymcanally] * Add brief introduction to REST to the resources documentation. [fearoffish] diff --git a/actionpack/lib/action_controller.rb b/actionpack/lib/action_controller.rb index a0bdf4995c..96192809e5 100755 --- a/actionpack/lib/action_controller.rb +++ b/actionpack/lib/action_controller.rb @@ -53,6 +53,7 @@ require 'action_controller/caching' require 'action_controller/verification' require 'action_controller/streaming' require 'action_controller/session_management' +require 'action_controller/http_authentication' require 'action_controller/components' require 'action_controller/record_identifier' require 'action_controller/macros/auto_complete' @@ -76,6 +77,7 @@ ActionController::Base.class_eval do include ActionController::Verification include ActionController::Streaming include ActionController::SessionManagement + include ActionController::HttpAuthentication::Basic::ControllerMethods include ActionController::Components include ActionController::RecordIdentifier include ActionController::Macros::AutoComplete diff --git a/actionpack/lib/action_controller/http_authentication.rb b/actionpack/lib/action_controller/http_authentication.rb new file mode 100644 index 0000000000..387fa4e695 --- /dev/null +++ b/actionpack/lib/action_controller/http_authentication.rb @@ -0,0 +1,121 @@ +require 'base64' + +module ActionController + module HttpAuthentication + # Makes it dead easy to do HTTP Basic authentication. + # + # Simple Basic example: + # + # class PostsController < ApplicationController + # USER_NAME, PASSWORD = "dhh", "secret" + # + # before_filter :authenticate, :except => [ :index ] + # + # def index + # render :text => "Everyone can see me!" + # end + # + # def edit + # render :text => "I'm only accessible if you know the password" + # end + # + # private + # def authenticate + # authenticate_or_request_with_http_basic do |user_name, password| + # user_name == USER_NAME && password == PASSWORD + # end + # end + # end + # + # + # Here is a more advanced Basic example where only Atom feeds and the XML API is protected by HTTP authentication, + # the regular HTML interface is protected by a session approach: + # + # class ApplicationController < ActionController::Base + # before_filter :set_account, :authenticate + # + # protected + # def set_account + # @account = Account.find_by_url_name(request.subdomains.first) + # end + # + # def authenticate + # case request.format + # when Mime::XML, Mime::ATOM + # if user = authenticate_with_http_basic { |u, p| @account.users.authenticate(u, p) } + # @current_user = user + # else + # request_http_basic_authentication + # end + # else + # if session_authenticated? + # @current_user = @account.users.find(session[:authenticated][:user_id]) + # else + # redirect_to(login_url) and return false + # end + # end + # end + # end + # + # + # In your integration tests, you can do something like this: + # + # def test_access_granted_from_xml + # get( + # "/notes/1.xml", nil, + # :authorization => ActionController::HttpAuthentication::Basic.encode_credentials(users(:dhh).name, users(:dhh).password) + # ) + # + # assert_equal 200, status + # end + module Basic + extend self + + module ControllerMethods + def authenticate_or_request_with_http_basic(realm = "Application", &login_procedure) + authenticate_with_http_basic(&login_procedure) || request_http_basic_authentication(realm) + end + + def authenticate_with_http_basic(&login_procedure) + HttpAuthentication::Basic.authenticate(self, &login_procedure) + end + + def request_http_basic_authentication(realm = "Application") + HttpAuthentication::Basic.authentication_request(self, realm) + end + end + + def authenticate(controller, &login_procedure) + if authorization(controller.request) + login_procedure.call(*user_name_and_password(controller.request)) + else + false + end + end + + def user_name_and_password(request) + decode_credentials(request).split(/:/, 2) + end + + def authorization(request) + request.env['HTTP_AUTHORIZATION'] || + request.env['X-HTTP_AUTHORIZATION'] || + request.env['X_HTTP_AUTHORIZATION'] + end + + def decode_credentials(request) + Base64.decode64(authorization(request).split.last) + end + + def encode_credentials(user_name, password) + "Basic #{Base64.encode64("#{user_name}:#{password}")}" + end + + def authentication_request(controller, realm) + controller.headers["WWW-Authenticate"] = %(Basic realm="#{realm.gsub(/"/, "")}") + controller.render :text => "HTTP Basic: Access denied.\n", :status => :unauthorized + return false + end + end + end +end
\ No newline at end of file diff --git a/actionpack/test/controller/http_authentication_test.rb b/actionpack/test/controller/http_authentication_test.rb new file mode 100644 index 0000000000..e08bc7b94b --- /dev/null +++ b/actionpack/test/controller/http_authentication_test.rb @@ -0,0 +1,42 @@ +require File.dirname(__FILE__) + '/../abstract_unit' + +class HttpBasicAuthenticationTest < Test::Unit::TestCase + include ActionController::HttpAuthentication::Basic + + def setup + @controller = Class.new do + attr_accessor :headers, :renders + + def initialize + @headers, @renders = {}, [] + end + + def request + Class.new do + def env + { 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials("dhh", "secret") } + end + end.new + end + + def render(options) + self.renders << options + end + end.new + end + + def test_successful_authentication + assert authenticate(@controller) { |user_name, password| user_name == "dhh" && password == "secret" } + end + + + def test_failing_authentication + assert !authenticate(@controller) { |user_name, password| user_name == "dhh" && password == "secret!!" } + end + + def test_authentication_request + authentication_request(@controller, "Megaglobalapp") + assert_equal 'Basic realm="Megaglobalapp"', @controller.headers["WWW-Authenticate"] + assert_equal :unauthorized, @controller.renders.first[:status] + end +end |