Changeset 7091
- Timestamp:
- 06/23/07 16:43:08 (1 year ago)
- Files:
-
- trunk/actionpack/CHANGELOG (modified) (1 diff)
- trunk/actionpack/lib/action_controller/http_authentication.rb (modified) (4 diffs)
- trunk/actionpack/test/controller/http_authentication_test.rb (modified) (2 diffs)
trunk/actionpack/CHANGELOG
r7084 r7091 1 1 *SVN* 2 3 * Fixed that HTTP authentication should work if the header is called REDIRECT_X_HTTP_AUTHORIZATION as well #6754 [mislaw] 2 4 3 5 * Don't mistakenly interpret the request uri as the query string. #8731 [lifofifo, Jeremy Kemper] trunk/actionpack/lib/action_controller/http_authentication.rb
r6718 r7091 7 7 # Simple Basic example: 8 8 # 9 # class PostsController < ApplicationController 10 # USER_NAME, PASSWORD = "dhh", "secret" 11 # 12 # before_filter :authenticate, :except => [ :index ] 13 # 14 # def index 15 # render :text => "Everyone can see me!" 9 # class PostsController < ApplicationController 10 # USER_NAME, PASSWORD = "dhh", "secret" 11 # 12 # before_filter :authenticate, :except => [ :index ] 13 # 14 # def index 15 # render :text => "Everyone can see me!" 16 # end 17 # 18 # def edit 19 # render :text => "I'm only accessible if you know the password" 20 # end 21 # 22 # private 23 # def authenticate 24 # authenticate_or_request_with_http_basic do |user_name, password| 25 # user_name == USER_NAME && password == PASSWORD 26 # end 27 # end 16 28 # end 17 #18 # def edit19 # render :text => "I'm only accessible if you know the password"20 # end21 #22 # private23 # def authenticate24 # authenticate_or_request_with_http_basic do |user_name, password|25 # user_name == USER_NAME && password == PASSWORD26 # end27 # end28 # end29 29 # 30 30 # … … 32 32 # the regular HTML interface is protected by a session approach: 33 33 # 34 # class ApplicationController < ActionController::Base 35 # before_filter :set_account, :authenticate 36 # 37 # protected 38 # def set_account 39 # @account = Account.find_by_url_name(request.subdomains.first) 40 # end 41 # 42 # def authenticate 43 # case request.format 44 # when Mime::XML, Mime::ATOM 45 # if user = authenticate_with_http_basic { |u, p| @account.users.authenticate(u, p) } 46 # @current_user = user 34 # class ApplicationController < ActionController::Base 35 # before_filter :set_account, :authenticate 36 # 37 # protected 38 # def set_account 39 # @account = Account.find_by_url_name(request.subdomains.first) 40 # end 41 # 42 # def authenticate 43 # case request.format 44 # when Mime::XML, Mime::ATOM 45 # if user = authenticate_with_http_basic { |u, p| @account.users.authenticate(u, p) } 46 # @current_user = user 47 # 
else 48 # request_http_basic_authentication 49 # end 47 50 # else 48 # request_http_basic_authentication 49 # end 50 # else 51 # if session_authenticated? 52 # @current_user = @account.users.find(session[:authenticated][:user_id]) 53 # else 54 # redirect_to(login_url) and return false 51 # if session_authenticated? 52 # @current_user = @account.users.find(session[:authenticated][:user_id]) 53 # else 54 # redirect_to(login_url) and return false 55 # end 55 56 # end 56 57 # end 57 # end 58 # end 58 # end 59 59 # 60 60 # … … 69 69 # assert_equal 200, status 70 70 # end 71 # 72 # 73 # On shared hosts, Apache sometimes doesn't pass authentication headers to 74 # FCGI instances. If your environment matches this description and you cannot 75 # authenticate, try this rule in public/.htaccess (replace the plain one): 76 # 77 # RewriteRule ^(.*)$ dispatch.fcgi [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L] 71 78 module Basic 72 79 extend self … … 101 108 request.env['HTTP_AUTHORIZATION'] || 102 109 request.env['X-HTTP_AUTHORIZATION'] || 103 request.env['X_HTTP_AUTHORIZATION'] 110 request.env['X_HTTP_AUTHORIZATION'] || 111 request.env['REDIRECT_X_HTTP_AUTHORIZATION'] 104 112 end 105 113 106 114 def decode_credentials(request) 107 Base64.decode64(authorization(request).split.last )115 Base64.decode64(authorization(request).split.last || '') 108 116 end 109 117 trunk/actionpack/test/controller/http_authentication_test.rb
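Review bot: The `|| ''` added to `decode_credentials` only covers an empty header string (`''.split.last` is nil); when none of the four env keys is set, `authorization(request)` returns nil and `nil.split` raises NoMethodError before the fallback is reached. Unless the caller (outside this hunk) already checks `authorization(request)` first, a request carrying no credentials would produce a server error instead of the 401 the `request_http_basic_authentication` path is meant to send; `Base64.decode64(authorization(request).to_s.split.last || '')` closes that gap without depending on the caller. The same method takes the last whitespace-separated token without confirming the scheme is `Basic`, so a header using a different scheme would be base64-decoded and handed to the login block as a user name and password; checking the first token before decoding would be a cheap hardening step. The new `REDIRECT_X_HTTP_AUTHORIZATION` key is set by the server's rewrite engine rather than by the client, which the comment block above could state so a reader knows why it is trusted alongside `HTTP_AUTHORIZATION`.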
r6699 r7091 4 4 include ActionController::HttpAuthentication::Basic 5 5 6 class DummyController 7 attr_accessor :headers, :renders, :request 8 9 def initialize 10 @headers, @renders = {}, [] 11 @request = ActionController::TestRequest.new 12 end 13 14 def render(options) 15 self.renders << options 16 end 17 end 18 6 19 def setup 7 @controller = Class.new do 8 attr_accessor :headers, :renders 9 10 def initialize 11 @headers, @renders = {}, [] 12 end 13 14 def request 15 Class.new do 16 def env 17 { 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials("dhh", "secret") } 18 end 19 end.new 20 end 21 22 def render(options) 23 self.renders << options 24 end 25 end.new 20 @controller = DummyController.new 21 @credentials = ActionController::HttpAuthentication::Basic.encode_credentials("dhh", "secret") 26 22 end 27 23 28 24 def test_successful_authentication 29 assert authenticate(@controller) { |user_name, password| user_name == "dhh" && password == "secret" } 25 login = Proc.new { |user_name, password| user_name == "dhh" && password == "secret" } 26 set_headers 27 assert authenticate(@controller, &login) 28 29 set_headers '' 30 assert_nothing_raised do 31 assert !authenticate(@controller, &login) 32 end 33 34 set_headers nil 35 set_headers @credentials, 'REDIRECT_X_HTTP_AUTHORIZATION' 36 assert authenticate(@controller, &login) 30 37 end 31 38 32 33 39 def test_failing_authentication 34 assert !authenticate(@controller) { |user_name, password| user_name == "dhh" && password == "secret!!" } 40 set_headers 41 assert !authenticate(@controller) { |user_name, password| user_name == "dhh" && password == "incorrect" } 35 42 end 36 43 … … 40 47 assert_equal :unauthorized, @controller.renders.first[:status] 41 48 end 49 50 private 51 def set_headers(value = @credentials, name = 'HTTP_AUTHORIZATION') 52 @controller.request.env[name] = value 53 end 42 54 end
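Review bot: `test_successful_authentication` never exercises a request with no usable authorization header: `set_headers nil` is immediately followed by `set_headers @credentials, 'REDIRECT_X_HTTP_AUTHORIZATION'`, so only the empty-string and fallback-header paths are asserted. Inserting `assert !authenticate(@controller, &login)` between those two calls would pin that a missing header yields a failed authentication rather than an exception, which is the regression most relevant to the `|| ''` change in http_authentication.rb. Since `set_headers nil` stores a nil value under the key and `request.env[...]` returns nil for an absent key as well, that assertion would cover the absent-header case too. The `login` block could be a `lambda` rather than `Proc.new`, which checks arity and keeps any `return` local to the block.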