aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Heinemeier Hansson <david@loudthinking.com>2007-05-08 05:48:18 +0000
committerDavid Heinemeier Hansson <david@loudthinking.com>2007-05-08 05:48:18 +0000
commit20eb59ad8a9e97a5bbb68df1ba2f15914c26a358 (patch)
treeb8821fba747df8e787897101bafc5916b3df5d7a
parent5a9dc1231c337f20a53e22d01dcddf7953ec549d (diff)
downloadrails-20eb59ad8a9e97a5bbb68df1ba2f15914c26a358.tar.gz
rails-20eb59ad8a9e97a5bbb68df1ba2f15914c26a358.tar.bz2
rails-20eb59ad8a9e97a5bbb68df1ba2f15914c26a358.zip
Included the HttpAuthentication plugin as part of core (ActionController::HttpAuthentication::Basic) [DHH]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6699 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
-rw-r--r--actionpack/CHANGELOG2
-rwxr-xr-xactionpack/lib/action_controller.rb2
-rw-r--r--actionpack/lib/action_controller/http_authentication.rb121
-rw-r--r--actionpack/test/controller/http_authentication_test.rb42
4 files changed, 167 insertions, 0 deletions
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
index 039ed8aa52..21df4be24a 100644
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
*SVN*
+* Included the HttpAuthentication plugin as part of core (ActionController::HttpAuthentication::Basic) [DHH]
+
* Modernize documentation for form helpers. [jeremymcanally]
* Add brief introduction to REST to the resources documentation. [fearoffish]
diff --git a/actionpack/lib/action_controller.rb b/actionpack/lib/action_controller.rb
index a0bdf4995c..96192809e5 100755
--- a/actionpack/lib/action_controller.rb
+++ b/actionpack/lib/action_controller.rb
@@ -53,6 +53,7 @@ require 'action_controller/caching'
require 'action_controller/verification'
require 'action_controller/streaming'
require 'action_controller/session_management'
+require 'action_controller/http_authentication'
require 'action_controller/components'
require 'action_controller/record_identifier'
require 'action_controller/macros/auto_complete'
@@ -76,6 +77,7 @@ ActionController::Base.class_eval do
include ActionController::Verification
include ActionController::Streaming
include ActionController::SessionManagement
+ include ActionController::HttpAuthentication::Basic::ControllerMethods
include ActionController::Components
include ActionController::RecordIdentifier
include ActionController::Macros::AutoComplete
diff --git a/actionpack/lib/action_controller/http_authentication.rb b/actionpack/lib/action_controller/http_authentication.rb
new file mode 100644
index 0000000000..387fa4e695
--- /dev/null
+++ b/actionpack/lib/action_controller/http_authentication.rb
@@ -0,0 +1,121 @@
+require 'base64'
+
+module ActionController
+ module HttpAuthentication
+ # Makes it dead easy to do HTTP Basic authentication.
+ #
+ # Simple Basic example:
+ #
+ # class PostsController < ApplicationController
+ # USER_NAME, PASSWORD = "dhh", "secret"
+ #
+ # before_filter :authenticate, :except => [ :index ]
+ #
+ # def index
+ # render :text => "Everyone can see me!"
+ # end
+ #
+ # def edit
+ # render :text => "I'm only accessible if you know the password"
+ # end
+ #
+ # private
+ # def authenticate
+ # authenticate_or_request_with_http_basic do |user_name, password|
+ # user_name == USER_NAME && password == PASSWORD
+ # end
+ # end
+ # end
+ #
+ #
+ # Here is a more advanced Basic example where only Atom feeds and the XML API is protected by HTTP authentication,
+ # the regular HTML interface is protected by a session approach:
+ #
+ # class ApplicationController < ActionController::Base
+ # before_filter :set_account, :authenticate
+ #
+ # protected
+ # def set_account
+ # @account = Account.find_by_url_name(request.subdomains.first)
+ # end
+ #
+ # def authenticate
+ # case request.format
+ # when Mime::XML, Mime::ATOM
+ # if user = authenticate_with_http_basic { |u, p| @account.users.authenticate(u, p) }
+ # @current_user = user
+ # else
+ # request_http_basic_authentication
+ # end
+ # else
+ # if session_authenticated?
+ # @current_user = @account.users.find(session[:authenticated][:user_id])
+ # else
+ # redirect_to(login_url) and return false
+ # end
+ # end
+ # end
+ # end
+ #
+ #
+ # In your integration tests, you can do something like this:
+ #
+ # def test_access_granted_from_xml
+ # get(
+ # "/notes/1.xml", nil,
+ # :authorization => ActionController::HttpAuthentication::Basic.encode_credentials(users(:dhh).name, users(:dhh).password)
+ # )
+ #
+ # assert_equal 200, status
+ # end
+ module Basic
+ extend self
+
+ module ControllerMethods
+ def authenticate_or_request_with_http_basic(realm = "Application", &login_procedure)
+ authenticate_with_http_basic(&login_procedure) || request_http_basic_authentication(realm)
+ end
+
+ def authenticate_with_http_basic(&login_procedure)
+ HttpAuthentication::Basic.authenticate(self, &login_procedure)
+ end
+
+ def request_http_basic_authentication(realm = "Application")
+ HttpAuthentication::Basic.authentication_request(self, realm)
+ end
+ end
+
+ def authenticate(controller, &login_procedure)
+ if authorization(controller.request)
+ login_procedure.call(*user_name_and_password(controller.request))
+ else
+ false
+ end
+ end
+
+ def user_name_and_password(request)
+ decode_credentials(request).split(/:/, 2)
+ end
+
+ def authorization(request)
+ request.env['HTTP_AUTHORIZATION'] ||
+ request.env['X-HTTP_AUTHORIZATION'] ||
+ request.env['X_HTTP_AUTHORIZATION']
+ end
+
+ def decode_credentials(request)
+ Base64.decode64(authorization(request).split.last)
+ end
+
+ def encode_credentials(user_name, password)
+ "Basic #{Base64.encode64("#{user_name}:#{password}")}"
+ end
+
+ def authentication_request(controller, realm)
+ controller.headers["WWW-Authenticate"] = %(Basic realm="#{realm.gsub(/"/, "")}")
+ controller.render :text => "HTTP Basic: Access denied.\n", :status => :unauthorized
+ return false
+ end
+ end
+ end
+end \ No newline at end of file
diff --git a/actionpack/test/controller/http_authentication_test.rb b/actionpack/test/controller/http_authentication_test.rb
new file mode 100644
index 0000000000..e08bc7b94b
--- /dev/null
+++ b/actionpack/test/controller/http_authentication_test.rb
@@ -0,0 +1,42 @@
+require File.dirname(__FILE__) + '/../abstract_unit'
+
+class HttpBasicAuthenticationTest < Test::Unit::TestCase
+ include ActionController::HttpAuthentication::Basic
+
+ def setup
+ @controller = Class.new do
+ attr_accessor :headers, :renders
+
+ def initialize
+ @headers, @renders = {}, []
+ end
+
+ def request
+ Class.new do
+ def env
+ { 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials("dhh", "secret") }
+ end
+ end.new
+ end
+
+ def render(options)
+ self.renders << options
+ end
+ end.new
+ end
+
+ def test_successful_authentication
+ assert authenticate(@controller) { |user_name, password| user_name == "dhh" && password == "secret" }
+ end
+
+
+ def test_failing_authentication
+ assert !authenticate(@controller) { |user_name, password| user_name == "dhh" && password == "secret!!" }
+ end
+
+ def test_authentication_request
+ authentication_request(@controller, "Megaglobalapp")
+ assert_equal 'Basic realm="Megaglobalapp"', @controller.headers["WWW-Authenticate"]
+ assert_equal :unauthorized, @controller.renders.first[:status]
+ end
+end