Updated Basic Authentication guides to reflect new Base.http_basic_authenticate_with method

This commit is contained in:
Sebastian Martinez 2011-03-28 22:46:13 -03:00
parent 62dd3458e3
commit 70779a08a0
2 changed files with 8 additions and 36 deletions

@ -615,26 +615,15 @@ Rails comes with two built-in HTTP authentication mechanisms:
h4. HTTP Basic Authentication
HTTP basic authentication is an authentication scheme that is supported by the majority of browsers and other HTTP clients. As an example, consider an administration section which will only be available by entering a username and a password into the browser's HTTP basic dialog window. Using the built-in authentication is quite easy and only requires you to use one method, +authenticate_or_request_with_http_basic+.
HTTP basic authentication is an authentication scheme that is supported by the majority of browsers and other HTTP clients. As an example, consider an administration section which will only be available by entering a username and a password into the browser's HTTP basic dialog window. Using the built-in authentication is quite easy and only requires you to use one method, +http_basic_authenticate_with+.
<ruby>
class AdminController < ApplicationController
USERNAME, PASSWORD = "humbaba", "5baa61e4"
before_filter :authenticate
private
def authenticate
authenticate_or_request_with_http_basic do |username, password|
username == USERNAME &&
Digest::SHA1.hexdigest(password) == PASSWORD
end
end
http_basic_authenticate_with :name => "humbaba", "5baa61e4"
end
</ruby>
With this in place, you can create namespaced controllers that inherit from +AdminController+. The before filter will thus be run for all actions in those controllers, protecting them with HTTP basic authentication.
With this in place, you can create namespaced controllers that inherit from +AdminController+. The filter will thus be run for all actions in those controllers, protecting them with HTTP basic authentication.
h4. HTTP Digest Authentication

@ -1201,33 +1201,16 @@ h3. Security
If you were to publish your blog online, anybody would be able to add, edit and delete posts or delete comments.
Rails provides a very simple HTTP authentication system that will work nicely in this situation. First, we enable simple HTTP based authentication in our <tt>app/controllers/application_controller.rb</tt>:
Rails provides a very simple HTTP authentication system that will work nicely in this situation.
<ruby>
class ApplicationController < ActionController::Base
protect_from_forgery
In the +PostsController+ we need to have a way to block access to the various actions if the person is not authenticated, here we can use the Rails <tt>http_basic_authenticate_with</tt> method, allowing access to the requested action if that method allows it.
private
def authenticate
authenticate_or_request_with_http_basic do |user_name, password|
user_name == 'admin' && password == 'password'
end
end
end
</ruby>
You can obviously change the username and password to whatever you want. We put this method inside of +ApplicationController+ so that it is available to all of our controllers.
Then in the +PostsController+ we need to have a way to block access to the various actions if the person is not authenticated, here we can use the Rails <tt>before_filter</tt> method, which allows us to specify that Rails must run a method and only then allow access to the requested action if that method allows it.
To use the before filter, we specify it at the top of our +PostsController+, in this case, we want the user to be authenticated on every action, except for +index+ and +show+, so we write that:
To use the authentication system, we specify it at the top of our +PostsController+, in this case, we want the user to be authenticated on every action, except for +index+ and +show+, so we write that:
<ruby>
class PostsController < ApplicationController
before_filter :authenticate, :except => [:index, :show]
http_basic_authenticate_with :name => "dhh", "secret", :except => :index
# GET /posts
# GET /posts.xml
@ -1242,7 +1225,7 @@ We also only want to allow authenticated users to delete comments, so in the +Co
<ruby>
class CommentsController < ApplicationController
before_filter :authenticate, :only => :destroy
http_basic_authenticate_with :name => "dhh", "secret", :only => :destroy
def create
@post = Post.find(params[:post_id])