Permalink
Browse files

updated readme

  • Loading branch information...
1 parent 117920b commit 77cafd6cc47532f4a4549e9b91fed94528d3cd8f @schorsch schorsch committed Apr 9, 2010
Showing with 29 additions and 45 deletions.
  1. +29 −45 README.rdoc
View
@@ -1,7 +1,5 @@
= hmac
-This is a copy & cleanup of auth-hmac gem
-
hmac is a Ruby implementation of HMAC[http://en.wikipedia.org/wiki/HMAC] based authentication of HTTP requests.
HMAC authentication involves a client and server having a shared secret key.
When sending the request the client, signs the request using the secret key. This involves building a canonical representation of the request and then generating a HMAC of the request using the secret. The generated HMAC is then sent as part of the request.
@@ -10,56 +8,65 @@ When the server receives the request it builds the same canonical representation
HMAC based authentication also provides message integrity checking because the HMAC is based on a combination of the shared secret and the content of the request. So if any part of the request that is used to build the canonical representation is modified by a malicious party or in transit the authentication will then fail.
-
-
Hmac::Auth is loosely based on the Amazon Web Services authentication scheme but without the Amazon specific components, i.e. it is HMAC for the rest of us.
== INSTALL:
Gem hosted on gemcutter.org
- sudo gem install king-hmac
+ sudo gem install hmac
== Source Code
-
+See http://github.com/salesking/hmac[http://github.com/salesking/hmac]
The source repository:
- http://github.com/salesking/hmac
- or
git clone git://github.com/salesking/hmac.git
-
== When to use it?
HMAC Authentication is best used as authentication for communication between applications such as web services.
It provides better security than HTTP Basic authentication without the need to set up SSL.
Of course if you need to protect the confidentiality of the data then you need SSL, but if you just want to authenticate
requests without sending credentials in the clear Hmac::Auth is a good choice.
-== How to use it?
+== Usage
+
+The simplest way to use Hmac::Auth is with the Hmac::Auth.sign! and Hmac::Auth.authenticate? methods.
+Hmac::Auth.sign! takes a HTTP request object, an access id and a secret key and signs the request with the access_id and secret key.
+
+=== Supported HTTP request objects
-The simplest way to use Hmac::Auth is with the Hmac::Auth.sign! and Hmac::Auth#authenticate? methods.
+Hmac::Auth will do its best to figure out which type it is an handle it accordingly.
+* Net::HTTP::HTTPRequest
+* CGI::Request
+* Webrick HTTP request object.
+* Rack::Request
-Hmac::Auth.sign! takes a HTTP request object, an access id and a secret key and signs the request with the access_id and secret key.
+=== access id
+The access_id is used to identify the secret key that was used to sign the request.
+Think of it as like a user name, it allows you to hand out different keys to different clients and authenticate each of them individually.
+The access_id is sent in the clear so you should avoid making it an important string.
-* The HTTP request object can be a Net::HTTP::HTTPRequest object, a CGI::Request object or a Webrick HTTP request object. Hmac::Auth will do its best to figure out which type it is an handle it accordingly.
-* The access_id is used to identify the secret key that was used to sign the request. Think of it as like a user name, it allows you to hand out different keys to different clients and authenticate each of them individually. The access_id is sent in the clear so you should avoid making it an important string.
-* The secret key is the shared secret between the client and the server. You should make this sufficiently random so that is can't be guessed or exposed to dictionary attacks. The follow code will give you a pretty good secret key:
+=== secret key
+The secret key is the shared secret between the client and the server.
+You should make this sufficiently random so that is can't be guessed or exposed to dictionary attacks.
+The follow code will give you a pretty good secret key:
random = File.read('/dev/random', 512)
secret_key = Base64.encode64(Digest::SHA2.new(512).digest(random))
-On the server side you can then authenticate these requests using the Hmac::Auth.authenticated? method. This takes the same arguments as the sign! method but returns true if the request has been signed with the access id and secret or false if it hasn't.
+On the server side you can then authenticate these requests using the Hmac::Auth.authenticated? method.
+This takes the same arguments as the sign! method but returns true if the request has been signed with the access id and secret or false if it hasn't.
If you have more than one set of credentials you might find it useful to create an instance of the Hmac::Auth class, passing your credentials as a Hash of access id => secret keys, like so:
- @Hmac::Auth = Hmac::Auth.new('access_id1' => 'secret1', 'access_id2' => 'secret2')
+ @hmac_auth = Hmac::Auth.new('access_id1' => 'secret1', 'access_id2' => 'secret2')
-You can then use the instance methods of the @Hmac::Auth object to sign and authenticate requests, for example:
+You can then use the instance methods of the @hmac_auth object to sign and authenticate requests, for example:
- @Hmac::Auth.sign!(request, "access_id1")
+ @hmac_auth.sign!(request, "access_id1")
will sign +request+ with "access_id1" and it's corresponding secret key. Similarly authentication is done like so:
- @Hmac::Auth.authenticated?(request)
+ @hmac_auth.authenticated?(request)
which will return true if the request has been signed with one of the access id and secret key pairs provided in the constructor.
@@ -96,29 +103,6 @@ Using these details it is possible to build code that will sign and authenticate
== Authors and Contributors
+This gem started with a copy & cleanup of auth-hmac gem v1.1.1.
+Most of this doc was written by Sean Geoghegan
auth-hmac was developed by Sean Geoghegan http://rubyforge.org/projects/auth-hmac && by Peerworks[http://peerworks.org].
-
-== LICENSE:
-
-(The MIT License)
-
-Copyright (c) 2008 The Kaphan Foundation
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-'Software'), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
-IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
-CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
-TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
-SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

0 comments on commit 77cafd6

Please sign in to comment.