Fixed that HTTP authentication should work if the header is called RE…

…DIRECT_X_HTTP_AUTHORIZATION as well (closes #6754) [mislaw] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7091 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
rails · Jun 23, 2007 · 73fba4f · 73fba4f
1 parent a347d46
commit 73fba4f
Show file tree

Hide file tree

Showing 3 changed files with 87 additions and 65 deletions.
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
 *SVN*
 
+* Fixed that HTTP authentication should work if the header is called REDIRECT_X_HTTP_AUTHORIZATION as well #6754 [mislaw]
+
 * Don't mistakenly interpret the request uri as the query string.  #8731 [lifofifo, Jeremy Kemper]
 
 * Make ActionView#view_paths an attr_accessor for real this time.  Also, don't perform an unnecessary #compact on the @view_paths array in #initialize.  Closes #8582 [dasil003, julik, rick]

diff --git a/actionpack/lib/action_controller/http_authentication.rb b/actionpack/lib/action_controller/http_authentication.rb
@@ -6,56 +6,56 @@ module HttpAuthentication
     # 
     # Simple Basic example:
     # 
-    # class PostsController < ApplicationController
+    #   class PostsController < ApplicationController
-    #   USER_NAME, PASSWORD = "dhh", "secret"
+    #     USER_NAME, PASSWORD = "dhh", "secret"
-    # 
+    #   
-    #   before_filter :authenticate, :except => [ :index ]
+    #     before_filter :authenticate, :except => [ :index ]
-    # 
+    #   
-    #   def index
+    #     def index
-    #     render :text => "Everyone can see me!"
+    #       render :text => "Everyone can see me!"
-    #   end
+    #     end
-    # 
+    #   
-    #   def edit
+    #     def edit
-    #     render :text => "I'm only accessible if you know the password"
+    #       render :text => "I'm only accessible if you know the password"
-    #   end
-    # 
-    #   private
-    #     def authenticate
-    #       authenticate_or_request_with_http_basic do |user_name, password| 
-    #         user_name == USER_NAME && password == PASSWORD
-    #       end
     #     end
-    # end
+    #   
+    #     private
+    #       def authenticate
+    #         authenticate_or_request_with_http_basic do |user_name, password| 
+    #           user_name == USER_NAME && password == PASSWORD
+    #         end
+    #       end
+    #   end
     # 
     # 
     # Here is a more advanced Basic example where only Atom feeds and the XML API is protected by HTTP authentication, 
     # the regular HTML interface is protected by a session approach:
     # 
-    # class ApplicationController < ActionController::Base
+    #   class ApplicationController < ActionController::Base
-    #   before_filter :set_account, :authenticate
+    #     before_filter :set_account, :authenticate
-    # 
+    #   
-    #   protected
+    #     protected
-    #     def set_account
+    #       def set_account
-    #       @account = Account.find_by_url_name(request.subdomains.first)
+    #         @account = Account.find_by_url_name(request.subdomains.first)
-    #     end
+    #       end
-    # 
+    #   
-    #     def authenticate
+    #       def authenticate
-    #       case request.format
+    #         case request.format
-    #       when Mime::XML, Mime::ATOM
+    #         when Mime::XML, Mime::ATOM
-    #         if user = authenticate_with_http_basic { |u, p| @account.users.authenticate(u, p) }
+    #           if user = authenticate_with_http_basic { |u, p| @account.users.authenticate(u, p) }
-    #           @current_user = user
+    #             @current_user = user
-    #         else
+    #           else
-    #           request_http_basic_authentication
+    #             request_http_basic_authentication
-    #         end
+    #           end
-    #       else
-    #         if session_authenticated?
-    #           @current_user = @account.users.find(session[:authenticated][:user_id])
     #         else
-    #           redirect_to(login_url) and return false
+    #           if session_authenticated?
+    #             @current_user = @account.users.find(session[:authenticated][:user_id])
+    #           else
+    #             redirect_to(login_url) and return false
+    #           end
     #         end
     #       end
-    #     end
+    #   end
-    # end
     # 
     # 
     # In your integration tests, you can do something like this:
@@ -68,6 +68,13 @@ module HttpAuthentication
     # 
     #     assert_equal 200, status
     #   end
+    #  
+    #  
+    # On shared hosts, Apache sometimes doesn't pass authentication headers to
+    # FCGI instances. If your environment matches this description and you cannot
+    # authenticate, try this rule in public/.htaccess (replace the plain one):
+    # 
+    #   RewriteRule ^(.*)$ dispatch.fcgi [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]
     module Basic
       extend self
 
@@ -100,11 +107,12 @@ def user_name_and_password(request)
       def authorization(request)
         request.env['HTTP_AUTHORIZATION']   ||
         request.env['X-HTTP_AUTHORIZATION'] ||
-        request.env['X_HTTP_AUTHORIZATION']
+        request.env['X_HTTP_AUTHORIZATION'] ||
+        request.env['REDIRECT_X_HTTP_AUTHORIZATION']
       end
 
       def decode_credentials(request)
-        Base64.decode64(authorization(request).split.last)
+        Base64.decode64(authorization(request).split.last || '')
       end
 
       def encode_credentials(user_name, password)

diff --git a/actionpack/test/controller/http_authentication_test.rb b/actionpack/test/controller/http_authentication_test.rb
@@ -3,40 +3,52 @@
 class HttpBasicAuthenticationTest < Test::Unit::TestCase
   include ActionController::HttpAuthentication::Basic
 
+  class DummyController
+    attr_accessor :headers, :renders, :request
+
+    def initialize
+      @headers, @renders = {}, []
+      @request = ActionController::TestRequest.new
+    end
+
+    def render(options)
+      self.renders << options
+    end
+  end
+
   def setup
-    @controller = Class.new do
+    @controller  = DummyController.new
-      attr_accessor :headers, :renders
+    @credentials = ActionController::HttpAuthentication::Basic.encode_credentials("dhh", "secret")
-
-      def initialize
-        @headers, @renders = {}, []
-      end
-
-      def request
-        Class.new do
-          def env
-            { 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials("dhh", "secret") }
-          end
-        end.new
-      end
-
-      def render(options)
-        self.renders << options
-      end
-    end.new
   end
 
   def test_successful_authentication
-    assert authenticate(@controller) { |user_name, password| user_name == "dhh" && password == "secret" }
+    login = Proc.new { |user_name, password| user_name == "dhh" && password == "secret" }
-  end
+    set_headers
+    assert authenticate(@controller, &login)
 
+    set_headers ''
+    assert_nothing_raised do
+      assert !authenticate(@controller, &login)
+    end
+
+    set_headers nil
+    set_headers @credentials, 'REDIRECT_X_HTTP_AUTHORIZATION'
+    assert authenticate(@controller, &login)
+  end
 
   def test_failing_authentication
-    assert !authenticate(@controller) { |user_name, password| user_name == "dhh" && password == "secret!!" }
+    set_headers
+    assert !authenticate(@controller) { |user_name, password| user_name == "dhh" && password == "incorrect" }
   end
 
   def test_authentication_request
     authentication_request(@controller, "Megaglobalapp")
     assert_equal 'Basic realm="Megaglobalapp"', @controller.headers["WWW-Authenticate"]
     assert_equal :unauthorized, @controller.renders.first[:status]
   end
+
+  private
+    def set_headers(value = @credentials, name = 'HTTP_AUTHORIZATION')
+      @controller.request.env[name] = value
+    end
 end