diff options
| author | Xavier Noria <fxn@hashref.com> | 2010-04-06 15:38:05 -0700 |
|---|---|---|
| committer | Xavier Noria <fxn@hashref.com> | 2010-04-06 15:38:05 -0700 |
| commit | 4c4fd1a60ff1c060e76e9ee540074756510f53ea (patch) | |
| tree | 77da1c66c127e36c8b00825b676d9267a9ef4cd6 /actionpack/lib/action_controller/metal | |
| parent | 03cb74b9461293b96ae0add8ff5efda132dabba0 (diff) | |
| parent | af130575249571464ec984efa84fcea1267e8cf8 (diff) | |
| download | rails-4c4fd1a60ff1c060e76e9ee540074756510f53ea.tar.gz rails-4c4fd1a60ff1c060e76e9ee540074756510f53ea.tar.bz2 rails-4c4fd1a60ff1c060e76e9ee540074756510f53ea.zip | |
Merge commit 'rails/master'
Diffstat (limited to 'actionpack/lib/action_controller/metal')
| -rw-r--r-- | actionpack/lib/action_controller/metal/cookies.rb | 3 | ||||
| -rw-r--r-- | actionpack/lib/action_controller/metal/http_authentication.rb | 17 |
2 files changed, 13 insertions, 7 deletions
diff --git a/actionpack/lib/action_controller/metal/cookies.rb b/actionpack/lib/action_controller/metal/cookies.rb index 4aaa705203..d787f014cd 100644 --- a/actionpack/lib/action_controller/metal/cookies.rb +++ b/actionpack/lib/action_controller/metal/cookies.rb @@ -10,8 +10,7 @@ module ActionController #:nodoc: private def cookies - raise "You must set config.cookie_secret in your app's config" if config.secret.blank? - request.cookie_jar(:signing_secret => config.secret) + request.cookie_jar end end end diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb index 424828f7e8..6bd6c15990 100644 --- a/actionpack/lib/action_controller/metal/http_authentication.rb +++ b/actionpack/lib/action_controller/metal/http_authentication.rb @@ -159,7 +159,7 @@ module ActionController # Authenticate with HTTP Digest, returns true or false def authenticate_with_http_digest(realm = "Application", &password_procedure) - HttpAuthentication::Digest.authenticate(config.secret, request, realm, &password_procedure) + HttpAuthentication::Digest.authenticate(request, realm, &password_procedure) end # Render output including the HTTP Digest authentication header @@ -169,14 +169,15 @@ module ActionController end # Returns false on a valid response, true otherwise - def authenticate(secret_key, request, realm, &password_procedure) - request.authorization && validate_digest_response(secret_key, request, realm, &password_procedure) + def authenticate(request, realm, &password_procedure) + request.authorization && validate_digest_response(request, realm, &password_procedure) end # Returns false unless the request credentials response value matches the expected value. # First try the password as a ha1 digest password. If this fails, then try it as a plain # text password. - def validate_digest_response(secret_key, request, realm, &password_procedure) + def validate_digest_response(request, realm, &password_procedure) + secret_key = secret_token(request) credentials = decode_credentials_header(request) valid_nonce = validate_nonce(secret_key, request, credentials[:nonce]) @@ -225,7 +226,7 @@ module ActionController end def authentication_header(controller, realm) - secret_key = controller.config.secret + secret_key = secret_token(controller.request) nonce = self.nonce(secret_key) opaque = opaque(secret_key) controller.headers["WWW-Authenticate"] = %(Digest realm="#{realm}", qop="auth", algorithm=MD5, nonce="#{nonce}", opaque="#{opaque}") @@ -238,6 +239,12 @@ module ActionController controller.status = 401 end + def secret_token(request) + secret = request.env["action_dispatch.secret_token"] + raise "You must set config.secret_token in your app's config" if secret.blank? + secret + end + # Uses an MD5 digest based on time to generate a value to be used only once. # # A server-specified data string which should be uniquely generated each time a 401 response is made. |