What's New in Edge Rails: New Http Authentication Plugin - And a Plea to Contribute

Posted by ryan
at 11:13 AM on Monday, December 04, 2006

If you’re just not happy with some of the existing options out there for doing Http Authentication in Rails, we’ve got another entry into the market. There’s now an official Rails http authentication plugin in the Rails repo that makes this a simple proposition.

A few convenient methods are now available in your controllers to hold your hand: authenticate_or_request_with_http_basic, which hands the basic username and password to a block for evaluation, and request_http_basic_authentication, which asks the client to authenticate itself using http basic authentication. Using them is pretty simple – including them in an authentication filter seems to be the most intuitive use:


class DocumentsController < ActionController::Base
  before_filter :verify_access

  def show
    @document = @user.documents.find(params[:id])
  end

  # Use basic authentication in my realm to get a user object.
  # Since this is a security filter - return false if the user is not
  # authenticated.
  def verify_access
    authenticate_or_request_with_http_basic("Documents Realm") do |username, password|
      @user = User.authenticate(username, password)
    end
  end
end

When the block of authenticate_or_request_with_http_basic evaluates to false, request_http_basic_authentication is invoked, which asks the user to enter their credentials. You can also invoke request_http_basic_authentication manually if you are mixing authentication methods and want to use http authentication only if session authentication fails etc…
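What that flow looks like on the wire, as an added example in plain Ruby (not the plugin's code): the Authorization header is decoded, handed to the block, and a falsy result becomes a 401 challenge. BasicAuthSketch, USERS, HEADER and check are hypothetical names, and the sample account is constructed.

```ruby
require "digest"

# Hypothetical stand-in for the plugin's helpers; all names are illustrative.
module BasicAuthSketch
  # Decode "Basic <base64(user:pass)>" into [user, pass]; nil if absent/malformed.
  def self.credentials(header)
    scheme, token = header.to_s.split(" ", 2)
    return nil unless scheme&.casecmp?("Basic") && token
    decoded = token.strip.unpack1("m0").force_encoding("UTF-8") # strict base64
    user, pass = decoded.split(":", 2) # only the first ":" separates the fields
    pass ? [user, pass] : nil
  rescue ArgumentError # raised by unpack1("m0") on invalid base64
    nil
  end

  # Compare fixed-length digests without stopping at the first differing byte.
  def self.secure_equal?(a, b)
    da = Digest::SHA256.digest(a)
    db = Digest::SHA256.digest(b)
    da.bytes.zip(db.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Yield the credentials to the block; a falsy result (or no usable header)
  # produces the 401 challenge that makes the browser prompt for a login.
  def self.authenticate_or_request(header, realm)
    creds = credentials(header)
    return [200, {}] if creds && yield(*creds)
    quoted = realm.delete('"') # keep the realm inside its quoted-string
    [401, { "WWW-Authenticate" => %(Basic realm="#{quoted}") }]
  end
end

# Constructed sample data: one account and the header a client would send.
USERS  = { "alice" => "s3cret:with:colons" }.freeze
HEADER = "Basic " + ["alice:s3cret:with:colons"].pack("m0")

def check(header)
  BasicAuthSketch.authenticate_or_request(header, "Documents Realm") do |user, pass|
    USERS.key?(user) && BasicAuthSketch.secure_equal?(USERS[user], pass)
  end
end
```

A real application would verify the password against a stored hash rather than a plaintext table. Basic credentials are only base64-encoded, so the filter belongs behind TLS.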

So what’s with the “plea”? Well, digest authentication hasn’t been added to the plugin yet – though the structure and framework has all but been laid at your feet to contribute the digest logic yourself. Take a look at HttpAuthentication::Digest and see how easy it would be to contribute back to your favorite framework. Just fill in those tiny places that say stuff like # Fancy nouncing goes here and # You compute me and the world will revere you.


Comments


  1. Thijs van der Vossen, December 04, 2006 @ 11:59 AM
    There is a full Ruby server and client (great for testing and REST stuff) implementation with an extensive test suite of HTTP Basic and Digest authentication at http://rubyforge.org/projects/httpauth/
  2. Hugh, December 04, 2006 @ 02:38 PM
    Not to sound offensive or anything, but I find it impossible to read your blog due to your bg image, it nearly gives me a fit on my monitor (hi-res sony).
  3. Ryan Daigle, December 04, 2006 @ 03:23 PM
    Hey Hugh, do you have a screenshot you can send me?
  4. Hugh, December 05, 2006 @ 02:02 PM
    Sorry, I should have elaborated more. It's just the contrasting pattern of background makes it hard to focus. http://img377.imageshack.us/img377/3596/ssva8.png
  5. jason, December 26, 2006 @ 11:48 AM
    whoa, that's a big screen space
  6. Anil, December 27, 2006 @ 09:07 AM
    Sorry for the silly question but I'm a newcomer to Rails. Where do I install these files under the rails-app directory on my textdrive account? http://dev.rubyonrails.org/changeset/5665 Also, do I need to add a "require 'http_authentication'" in the controller I want to protect (with the verify_access method)? I currently get this error: undefined method `authenticate_or_request_with_http_basic' for #<maincontroller:0x3d5f040> I have the http_authentication lib/ files under rails-app/lib directory currently.
  7. Ryan Daigle, January 01, 2007 @ 11:10 AM
    Anil - here's a good primer to installing rails plugins: http://nubyonrails.com/articles/2006/05/04/the-complete-guide-to-rails-plugins-part-i In general you should not manually place the files in your directory structure - you should use something like: script/plugin install http_authentication
  8. Ian, January 02, 2007 @ 12:52 PM
    In what plugin repository does http_authentication reside? It seems my script/plugin is misbehaving and doesn't want to let me "discover", so I'll have to "source" the repository by hand before I can install the plugin.
  9. Ryan Daigle, January 03, 2007 @ 02:45 AM
    Ian: Try this: http://dev.rubyonrails.org/svn/rails/plugins/http_authentication/
  10. Ian, January 03, 2007 @ 02:54 PM
    Thanks!
  11. andrew, February 05, 2007 @ 08:57 AM
    Am I blind, or is there no date on this post? The only way to find out "about" when it was posted is the date on the comments. When I search the rails docs, I don't find request_http_basic_authentication.
  12. Ryan Daigle, February 07, 2007 @ 09:37 AM
    Andrew - I hadn't noticed that there are no dates on my posts. That's odd and I'll see if I can fix the template to have the dates. Thanks for pointing that out. As for the Rails docs not showing request_http_basic_authentication, remember that the rails docs are published for the latest stable version (right now 1.2.2) and not for 'edge' which is where that method currently lives. The closest thing you'll come to for docs is the source itself. Hope that's helpful!