Fixed that HTTP authentication should work if the header is called REDIRECT_X_HTTP_AUTHORIZATION as well (closes #6754) [mislaw]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7091 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

1 files changed, 51 insertions, 43 deletions

diff --git a/actionpack/lib/action_controller/http_authentication.rb b/actionpack/lib/action_controller/http_authentication.rb
index fbc34d1f2e..78f41eb503 100644
--- a/actionpack/lib/action_controller/http_authentication.rb
+++ b/actionpack/lib/action_controller/http_authentication.rb
@@ -6,56 +6,56 @@ module ActionController
     # 
     # Simple Basic example:
     # 
-    # class PostsController < ApplicationController
-    #   USER_NAME, PASSWORD = "dhh", "secret"
-    # 
-    #   before_filter :authenticate, :except => [ :index ]
-    # 
-    #   def index
-    #     render :text => "Everyone can see me!"
-    #   end
-    # 
-    #   def edit
-    #     render :text => "I'm only accessible if you know the password"
-    #   end
-    # 
-    #   private
-    #     def authenticate
-    #       authenticate_or_request_with_http_basic do |user_name, password| 
-    #         user_name == USER_NAME && password == PASSWORD
-    #       end
+    #   class PostsController < ApplicationController
+    #     USER_NAME, PASSWORD = "dhh", "secret"
+    #   
+    #     before_filter :authenticate, :except => [ :index ]
+    #   
+    #     def index
+    #       render :text => "Everyone can see me!"
+    #     end
+    #   
+    #     def edit
+    #       render :text => "I'm only accessible if you know the password"
     #     end
-    # end
+    #   
+    #     private
+    #       def authenticate
+    #         authenticate_or_request_with_http_basic do |user_name, password| 
+    #           user_name == USER_NAME && password == PASSWORD
+    #         end
+    #       end
+    #   end
     # 
     # 
     # Here is a more advanced Basic example where only Atom feeds and the XML API is protected by HTTP authentication, 
     # the regular HTML interface is protected by a session approach:
     # 
-    # class ApplicationController < ActionController::Base
-    #   before_filter :set_account, :authenticate
-    # 
-    #   protected
-    #     def set_account
-    #       @account = Account.find_by_url_name(request.subdomains.first)
-    #     end
-    # 
-    #     def authenticate
-    #       case request.format
-    #       when Mime::XML, Mime::ATOM
-    #         if user = authenticate_with_http_basic { |u, p| @account.users.authenticate(u, p) }
-    #           @current_user = user
-    #         else
-    #           request_http_basic_authentication
-    #         end
-    #       else
-    #         if session_authenticated?
-    #           @current_user = @account.users.find(session[:authenticated][:user_id])
+    #   class ApplicationController < ActionController::Base
+    #     before_filter :set_account, :authenticate
+    #   
+    #     protected
+    #       def set_account
+    #         @account = Account.find_by_url_name(request.subdomains.first)
+    #       end
+    #   
+    #       def authenticate
+    #         case request.format
+    #         when Mime::XML, Mime::ATOM
+    #           if user = authenticate_with_http_basic { |u, p| @account.users.authenticate(u, p) }
+    #             @current_user = user
+    #           else
+    #             request_http_basic_authentication
+    #           end
     #         else
-    #           redirect_to(login_url) and return false
+    #           if session_authenticated?
+    #             @current_user = @account.users.find(session[:authenticated][:user_id])
+    #           else
+    #             redirect_to(login_url) and return false
+    #           end
     #         end
     #       end
-    #     end
-    # end
+    #   end
     # 
     # 
     # In your integration tests, you can do something like this:
@@ -68,6 +68,13 @@ module ActionController
     # 
     #     assert_equal 200, status
     #   end
+    #  
+    #  
+    # On shared hosts, Apache sometimes doesn't pass authentication headers to
+    # FCGI instances. If your environment matches this description and you cannot
+    # authenticate, try this rule in public/.htaccess (replace the plain one):
+    # 
+    #   RewriteRule ^(.*)$ dispatch.fcgi [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]
     module Basic
       extend self
 
@@ -100,11 +107,12 @@ module ActionController
       def authorization(request)
         request.env['HTTP_AUTHORIZATION']   ||
         request.env['X-HTTP_AUTHORIZATION'] ||
-        request.env['X_HTTP_AUTHORIZATION']
+        request.env['X_HTTP_AUTHORIZATION'] ||
+        request.env['REDIRECT_X_HTTP_AUTHORIZATION']
       end
     
       def decode_credentials(request)
-        Base64.decode64(authorization(request).split.last)
+        Base64.decode64(authorization(request).split.last || '')
       end
 
       def encode_credentials(user_name, password)