ActionController::HttpAuthentication::Basic

Posted by Ken Brooks Tue, 08 May 2007 23:07:00 GMT

Basic authentication makes it into core ActionController.

The sample given in the commit comments makes it look pretty simple:

     class PostsController < ApplicationController
       USER_NAME, PASSWORD = "dhh", "secret"

       before_filter :authenticate, :except => [ :index ]

       def index
         render :text => "Everyone can see me!"
       end

       def edit
         render :text => "I'm only accessible if you know the password"
       end

       private
         def authenticate
           authenticate_or_request_with_http_basic do |user_name, password| 
             user_name == USER_NAME && password == PASSWORD
           end
         end
     end

Basically, what happens is that your block is passed in to the authenticate_or_request_with_http_basic method:

        def authenticate_or_request_with_http_basic(realm = "Application", &login_procedure)
          authenticate_with_http_basic(&login_procedure) || request_http_basic_authentication(realm)
        end

The authenticate_with_http_basic method passes the block down to the HttpAuthentication::Basic.authenticate method:

        def authenticate_with_http_basic(&login_procedure)
          HttpAuthentication::Basic.authenticate(self, &login_procedure)
        end

The first part of that checks the request to see whether it carries an authorization header:

      def authorization(request)
        request.env['HTTP_AUTHORIZATION']   ||
        request.env['X-HTTP_AUTHORIZATION'] ||
        request.env['X_HTTP_AUTHORIZATION']
      end

If so, it splits up the credentials, decodes them from the request, and then passes them as arguments to the original block you supplied:

          login_procedure.call(*user_name_and_password(controller.request))
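The flow traced above, reassembled as a stand-alone Ruby sketch (an added example, not the Rails source or the commit's code): it finds the header, decodes it, splits on the first colon and yields to the login block. The helpers `secure_compare`, `login_ok?` and `basic_env` and the sample requests are assumptions constructed for illustration; the block compares through a digest rather than the sample's `==`, so the check does not stop at the first differing byte.

```ruby
require "digest"

# Env keys the post's `authorization` method checks, in the same order.
AUTH_KEYS = %w[HTTP_AUTHORIZATION X-HTTP_AUTHORIZATION X_HTTP_AUTHORIZATION].freeze
USER_NAME, PASSWORD = "dhh", "secret" # same constants as the post's sample

def authorization(env)
  AUTH_KEYS.map { |key| env[key] }.compact.first
end

# Returns [user_name, password], or nil when no usable Basic header is present.
def user_name_and_password(env)
  scheme, encoded = authorization(env).to_s.split(" ", 2)
  return nil unless scheme&.casecmp?("Basic") && encoded
  # "m0" is strict Base64: malformed input raises ArgumentError.
  user, pass = encoded.unpack1("m0").split(":", 2) # only the first colon separates
  pass ? [user, pass] : nil
rescue ArgumentError
  nil
end

# Hypothetical helper: compare fixed-length digests without stopping early.
def secure_compare(a, b)
  da, db = Digest::SHA256.digest(a), Digest::SHA256.digest(b)
  da.bytes.zip(db.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Yields decoded credentials to the login block, as the post describes.
def authenticate(env)
  credentials = user_name_and_password(env)
  credentials ? yield(*credentials) : false
end

def login_ok?(env)
  authenticate(env) do |user_name, password|
    # `&` instead of `&&`: both comparisons always run.
    secure_compare(user_name, USER_NAME) & secure_compare(password, PASSWORD)
  end
end

# Constructed sample request env (not captured traffic).
def basic_env(user, pass, key = "HTTP_AUTHORIZATION")
  { key => "Basic " + ["#{user}:#{pass}"].pack("m0") }
end

puts login_ok?(basic_env("dhh", "secret"))
puts login_ok?(basic_env("dhh", "wrong"))
puts login_ok?({})
```

Basic credentials are only Base64-encoded, not encrypted, so the header is readable by anyone who can observe the request unless the connection uses TLS.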
