@@ -4,15 +4,21 @@ require 'md5' module Ramaze module Helper module HttpDigest + + @session_nonce = "authentication_digest_nonce" + + def httpdigest_logout + session.delete( @session_nonce ) + end + def httpdigest(uid, realm) session_opaque = "authentication_digest_opaque_#{uid}" - session_nonce = "authentication_digest_nonce" session[session_opaque] ||= UUID.new authorized = false - if session[session_nonce] and request.env['HTTP_AUTHORIZATION'] + if session[@session_nonce] and request.env['HTTP_AUTHORIZATION'] auth_split = request.env['HTTP_AUTHORIZATION'].split authentication_type = auth_split[0] @@ -21,7 +27,7 @@ module Ramaze authorization.values_at(*%w[response username nonce nc cnonce qop]) if authentication_type == 'Digest' - if nonce == session[session_nonce] + if nonce == session[@session_nonce] ha1 = yield(username) ha2 = MD5.hexdigest("#{request.request_method}:#{request.fullpath}") md5 = MD5.hexdigest([ha1, nonce, nc, cnonce, qop, ha2].join(':')) @@ -32,17 +38,22 @@ module Ramaze end unless authorized - session[session_nonce] = UUID.new + session[@session_nonce] = UUID.new response['WWW-Authenticate'] = %|Digest realm="#{realm}",| + %|qop="auth,auth-int",| + - %|nonce="#{session[session_nonce]}",| + + %|nonce="#{session[@session_nonce]}",| + %|opaque="#{session[session_opaque]}"| - respond('Unauthorized', 401) + if respond_to?( :httpdigest_failure ) + httpdigest_failure + else + respond('Unauthorized', 401) + end end authorization["username"] end + end end end lib/ramaze/helper/httpdigest.rb d967b0bc6ebe2d0d1a653b0059ecf2527eef4084 Clive Crous clive@star120.co.za http://github.com/manveru/ramaze/commit/ed5b2e37d13ccb55c3ec659096c306265a864aeb ed5b2e37d13ccb55c3ec659096c306265a864aeb 2008-09-23T03:12:25-07:00 2008-09-23T03:12:25-07:00 add a logout method for forcing a user to re-login and allowed the ability to override the login failure response type (eg to a custom login page instead of unauthorized default) a2ac5f7e722aa1bb87a1b59c8082f885c11143be Clive Crous clive@star120.co.za