1 module ActionController
2 module HttpAuthentication
3 # Makes it dead easy to do HTTP Basic authentication.
5 # Simple Basic example:
7 # class PostsController < ApplicationController
8 # USER_NAME, PASSWORD = "dhh", "secret"
10 # before_filter :authenticate, :except => [ :index ]
13 # render :text => "Everyone can see me!"
17 # render :text => "I'm only accessible if you know the password"
22 # authenticate_or_request_with_http_basic do |user_name, password|
23 # user_name == USER_NAME && password == PASSWORD
29 # Here is a more advanced Basic example where only Atom feeds and the XML API is protected by HTTP authentication,
30 # the regular HTML interface is protected by a session approach:
32 # class ApplicationController < ActionController::Base
33 # before_filter :set_account, :authenticate
37 # @account = Account.find_by_url_name(request.subdomains.first)
42 # when Mime::XML, Mime::ATOM
43 # if user = authenticate_with_http_basic { |u, p| @account.users.authenticate(u, p) }
44 # @current_user = user
46 # request_http_basic_authentication
49 # if session_authenticated?
50 # @current_user = @account.users.find(session[:authenticated][:user_id])
52 # redirect_to(login_url) and return false
59 # In your integration tests, you can do something like this:
61 # def test_access_granted_from_xml
63 # "/notes/1.xml", nil,
64 # :authorization => ActionController::HttpAuthentication::Basic.encode_credentials(users(:dhh).name, users(:dhh).password)
67 # assert_equal 200, status
71 # On shared hosts, Apache sometimes doesn't pass authentication headers to
72 # FCGI instances. If your environment matches this description and you cannot
73 # authenticate, try this rule in your Apache setup:
75 # RewriteRule ^(.*)$ dispatch.fcgi [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]
79 module ControllerMethods
80 def authenticate_or_request_with_http_basic(realm
= "Application", &login_procedure
)
81 authenticate_with_http_basic(&login_procedure
) || request_http_basic_authentication(realm
)
84 def authenticate_with_http_basic(&login_procedure
)
85 HttpAuthentication
::Basic.authenticate(self, &login_procedure
)
88 def request_http_basic_authentication(realm
= "Application")
89 HttpAuthentication
::Basic.authentication_request(self, realm
)
93 def authenticate(controller
, &login_procedure
)
94 unless authorization(controller
.request
).blank
?
95 login_procedure
.call(*user_name_and_password(controller
.request
))
99 def user_name_and_password(request
)
100 decode_credentials(request
).split(/:/, 2)
103 def authorization(request
)
104 request
.env['HTTP_AUTHORIZATION'] ||
105 request
.env['X-HTTP_AUTHORIZATION'] ||
106 request
.env['X_HTTP_AUTHORIZATION'] ||
107 request
.env['REDIRECT_X_HTTP_AUTHORIZATION']
110 def decode_credentials(request
)
111 ActiveSupport
::Base64.decode64(authorization(request
).split
.last
|| '')
114 def encode_credentials(user_name
, password
)
115 "Basic #{ActiveSupport::Base64.encode64("#{user_name}:#{password}")}"
118 def authentication_request(controller
, realm
)
119 controller
.headers
["WWW-Authenticate"] = %(Basic realm="#{realm.gsub(/"/, "")}")
120 controller.__send__ :render, :text => "HTTP Basic: Access denied.\n", :status => :unauthorized