-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathREADME
83 lines (59 loc) · 2.07 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
Http Authentication
===================
Makes it dead easy to do HTTP Basic authentication.
Simple Basic example:
class PostsController < ApplicationController
USER_NAME, PASSWORD = "dhh", "secret"
before_filter :authenticate, :except => [ :index ]
def index
render :text => "Everyone can see me!"
end
def edit
render :text => "I'm only accessible if you know the password"
end
private
def authenticate
authenticate_or_request_with_http_basic do |user_name, password|
user_name == USER_NAME && password == PASSWORD
end
end
end
Here is a more advanced Basic example where only Atom feeds and the XML API is protected by HTTP authentication,
the regular HTML interface is protected by a session approach (NOTE: This example requires Rails Edge as
it uses Request#format, which is not available in Rails 1.2.0):
class ApplicationController < ActionController::Base
before_filter :set_account, :authenticate
protected
def set_account
@account = Account.find_by_url_name(request.subdomains.first)
end
def authenticate
case request.format
when Mime::XML, Mime::ATOM
if user = authenticate_with_http_basic { |u, p| @account.users.authenticate(u, p) }
@current_user = user
else
request_http_basic_authentication
end
else
if session_authenticated?
@current_user = @account.users.find(session[:authenticated][:user_id])
else
redirect_to(login_url) and return false
end
end
end
end
In your integration tests, you can do something like this:
def test_access_granted_from_xml
get(
"/notes/1.xml", nil,
:authorization => HttpAuthentication::Basic.encode_credentials(users(:dhh).name, users(:dhh).password)
)
assert_equal 200, status
end
Todo:
* Implement Digest authentication scheme (be a hero, implement it!)
References:
* HTTP Authentication, RFC 2617: http://www.ietf.org/rfc/rfc2617.txt?number=2617
Copyright (c) 2006 David Heinemeier Hansson, released under the MIT license