Permalink
Browse files

Included the HttpAuthentication plugin as part of core (ActionControl…

…ler::HttpAuthentication::Basic) [DHH]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6699 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
  • Loading branch information...
1 parent 5a9dc12 commit 20eb59ad8a9e97a5bbb68df1ba2f15914c26a358 @dhh dhh committed May 8, 2007
View
@@ -1,5 +1,7 @@
*SVN*
+* Included the HttpAuthentication plugin as part of core (ActionController::HttpAuthentication::Basic) [DHH]
+
* Modernize documentation for form helpers. [jeremymcanally]
* Add brief introduction to REST to the resources documentation. [fearoffish]
@@ -53,6 +53,7 @@
require 'action_controller/verification'
require 'action_controller/streaming'
require 'action_controller/session_management'
+require 'action_controller/http_authentication'
require 'action_controller/components'
require 'action_controller/record_identifier'
require 'action_controller/macros/auto_complete'
@@ -76,6 +77,7 @@
include ActionController::Verification
include ActionController::Streaming
include ActionController::SessionManagement
+ include ActionController::HttpAuthentication::Basic::ControllerMethods
include ActionController::Components
include ActionController::RecordIdentifier
include ActionController::Macros::AutoComplete
@@ -0,0 +1,121 @@
+require 'base64'
+
+module ActionController
+ module HttpAuthentication
+ # Makes it dead easy to do HTTP Basic authentication.
+ #
+ # Simple Basic example:
+ #
+ # class PostsController < ApplicationController
+ # USER_NAME, PASSWORD = "dhh", "secret"
+ #
+ # before_filter :authenticate, :except => [ :index ]
+ #
+ # def index
+ # render :text => "Everyone can see me!"
+ # end
+ #
+ # def edit
+ # render :text => "I'm only accessible if you know the password"
+ # end
+ #
+ # private
+ # def authenticate
+ # authenticate_or_request_with_http_basic do |user_name, password|
+ # user_name == USER_NAME && password == PASSWORD
+ # end
+ # end
+ # end
+ #
+ #
+ # Here is a more advanced Basic example where only Atom feeds and the XML API is protected by HTTP authentication,
+ # the regular HTML interface is protected by a session approach:
+ #
+ # class ApplicationController < ActionController::Base
+ # before_filter :set_account, :authenticate
+ #
+ # protected
+ # def set_account
+ # @account = Account.find_by_url_name(request.subdomains.first)
+ # end
+ #
+ # def authenticate
+ # case request.format
+ # when Mime::XML, Mime::ATOM
+ # if user = authenticate_with_http_basic { |u, p| @account.users.authenticate(u, p) }
+ # @current_user = user
+ # else
+ # request_http_basic_authentication
+ # end
+ # else
+ # if session_authenticated?
+ # @current_user = @account.users.find(session[:authenticated][:user_id])
+ # else
+ # redirect_to(login_url) and return false
+ # end
+ # end
+ # end
+ # end
+ #
+ #
+ # In your integration tests, you can do something like this:
+ #
+ # def test_access_granted_from_xml
+ # get(
+ # "/notes/1.xml", nil,
+ # :authorization => ActionController::HttpAuthentication::Basic.encode_credentials(users(:dhh).name, users(:dhh).password)
+ # )
+ #
+ # assert_equal 200, status
+ # end
+ module Basic
+ extend self
+
+ module ControllerMethods
+ def authenticate_or_request_with_http_basic(realm = "Application", &login_procedure)
+ authenticate_with_http_basic(&login_procedure) || request_http_basic_authentication(realm)
+ end
+
+ def authenticate_with_http_basic(&login_procedure)
+ HttpAuthentication::Basic.authenticate(self, &login_procedure)
+ end
+
+ def request_http_basic_authentication(realm = "Application")
+ HttpAuthentication::Basic.authentication_request(self, realm)
+ end
+ end
+
+ def authenticate(controller, &login_procedure)
+ if authorization(controller.request)
+ login_procedure.call(*user_name_and_password(controller.request))
+ else
+ false
+ end
+ end
+
+ def user_name_and_password(request)
+ decode_credentials(request).split(/:/, 2)
+ end
+
+ def authorization(request)
+ request.env['HTTP_AUTHORIZATION'] ||
+ request.env['X-HTTP_AUTHORIZATION'] ||
+ request.env['X_HTTP_AUTHORIZATION']
+ end
+
+ def decode_credentials(request)
+ Base64.decode64(authorization(request).split.last)
+ end
+
+ def encode_credentials(user_name, password)
+ "Basic #{Base64.encode64("#{user_name}:#{password}")}"
+ end
+
+ def authentication_request(controller, realm)
+ controller.headers["WWW-Authenticate"] = %(Basic realm="#{realm.gsub(/"/, "")}")
+ controller.render :text => "HTTP Basic: Access denied.\n", :status => :unauthorized
+ return false
+ end
+ end
+ end
+end
@@ -0,0 +1,42 @@
+require File.dirname(__FILE__) + '/../abstract_unit'
+
+class HttpBasicAuthenticationTest < Test::Unit::TestCase
+ include ActionController::HttpAuthentication::Basic
+
+ def setup
+ @controller = Class.new do
+ attr_accessor :headers, :renders
+
+ def initialize
+ @headers, @renders = {}, []
+ end
+
+ def request
+ Class.new do
+ def env
+ { 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials("dhh", "secret") }
+ end
+ end.new
+ end
+
+ def render(options)
+ self.renders << options
+ end
+ end.new
+ end
+
+ def test_successful_authentication
+ assert authenticate(@controller) { |user_name, password| user_name == "dhh" && password == "secret" }
+ end
+
+
+ def test_failing_authentication
+ assert !authenticate(@controller) { |user_name, password| user_name == "dhh" && password == "secret!!" }
+ end
+
+ def test_authentication_request
+ authentication_request(@controller, "Megaglobalapp")
+ assert_equal 'Basic realm="Megaglobalapp"', @controller.headers["WWW-Authenticate"]
+ assert_equal :unauthorized, @controller.renders.first[:status]
+ end
+end

0 comments on commit 20eb59a

Please sign in to comment.