OK, in the spirit of full disclosure (not that anyone cares), I'll admit my
boneheadedness here.  I HAD a problem the first time I tried the
authentication in the standard way:

  def authenticate
    authenticate_or_request_with_http_basic do |username, password|
      username == 'fred' && password == 'sekr3t'
    end
  end

But it wasn't with the authenticate method.  By this point, I have no idea
what was wrong initially.  But what I had actually done was something like:

  def authenticate
    authenticate_or_request_with_http_basic do |username, password|
      if (username == 'fred' && password == 'sekr3t')
        logger.info("Passed with username: #{username} password: #{password}")
        return true;
      else
        logger.info("Failed with username: #{username} password: #{password}")
        return false;
      end
    end
  end

Oops.  Of course, you don't 'return' values for a block.  Duh.  I knew that,
but just didn't see it for a day or so because I was looking for something
deeper and less stupid.

Ah, well.  Maybe I won't forget this for a while.  On the plus side, I got
to walk through how before_filters are called using ruby-debug.

New knowledge FTW!

On Mon, Jan 19, 2009 at 12:49 AM, Ryan Waldron <[email protected]> wrote:

> Hey, Patrick!  Thanks for the reply.
>
> On Sun, Jan 18, 2009 at 7:25 PM, Patrick Doyle <[email protected]> wrote:
>
>> On Sun, Jan 18, 2009 at 12:45 AM, Ryan Waldron <[email protected]> wrote:
>>
>>>
>>> I've run into a strange problem with HTTP Basic authentication.  I've
>>> observed this behavior on my dev box (connecting directly to mongrel)
>>> and on an Apache+Passenger setup on my deployment machine.
>>>
>>
>
>> According to the documentation (see e.g.
>> http://www.railsbrain.com/api/rails-2.2.2/doc/index.html?a=C00000133&name=ClassMethods)
>> if a #before_filter renders or redirects, the second half of an around
>> filter, and any after filters won't run.  I believe that you need to
>> redirect your unauthenticated user to some other page (such as your login
>> page) if the authentication fails.
>>
>
> That may be true, but that's not how I understand it's supposed to work.
> If authorization fails, then authenticate_or_request_with_http_basic is
> supposed to render a 401 (I believe) with this message:
>
>         controller.__send__ :render, :text => "HTTP Basic: Access denied.\n", :status => :unauthorized
>
> So the controller knows where to redirect to by virtue of it being
> hardcoded.
>
> And the Rails documentation, as well as every other place I've seen showing
> how this works has it pretty much just like I have it.
>
> I've either got a typo that I can't find, or have set something up screwy
> in my app configuration, or something.  I don't *think* that it's because
> I'm supposed to explicitly redirect unauthorized users elsewhere.  But I
> could be wrong.
>
> Keep in mind that I'm not trying to build a full user-based auth system; I
> just want HTTP basic user/pass protection for a few actions in a single
> controller, just to help discourage the curious.  So I'm not using any of
> the auth plugins or full-blown user login schemes available.
>
> Am I missing something?
>

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Talk" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
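An added example, not code from the thread or from Rails, that makes the block-return mistake above visible in plain Ruby. A small stand-in for authenticate_or_request_with_http_basic (a simplified re-implementation written for this example, not the Rails method) yields the credentials to a block and treats the block's value as the verdict. With `return` inside the block, control leaves the enclosing authenticate method directly, so the helper never sees the verdict and never builds the 401 response; the method's caller gets a bare true or false instead. The correct version also swaps the `==` checks for a constant-time comparison and does not log the submitted password, which the original log lines would have written to the log on every attempt. The constants USERNAME and PASSWORD, and the credentials in the usage calls, are assumptions for illustration only.

```ruby
# Added example: plain Ruby, not the Rails implementation or the poster's code.
# Assumed credentials for illustration only.
USERNAME = 'fred'.freeze
PASSWORD = 'sekr3t'.freeze

# Stand-in for Rails' authenticate_or_request_with_http_basic (a simplified
# re-implementation written for this example). It yields the credentials to
# the block and treats the block's value as the verdict: truthy means the
# request proceeds, falsy means a 401 response is produced.
def authenticate_or_request_with_http_basic(username, password)
  if yield(username, password)
    :proceed
  else
    { status: 401, body: "HTTP Basic: Access denied.\n" }
  end
end

# Constant-time string comparison so the check's timing does not leak how
# many leading bytes matched. A length mismatch is rejected up front.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Idiomatic form: the block's last expression is its value, so the helper
# sees true or false and decides whether to send the 401 itself. The
# non-short-circuit & runs both comparisons whatever the outcome.
def authenticate_correct(username, password)
  authenticate_or_request_with_http_basic(username, password) do |u, p|
    secure_compare(u, USERNAME) & secure_compare(p, PASSWORD)
  end
end

# The form from the thread. 'return' inside a block is a non-local return
# from the enclosing method (authenticate_buggy), so the helper is abandoned
# before it can evaluate the verdict or build the 401 response.
def authenticate_buggy(username, password)
  authenticate_or_request_with_http_basic(username, password) do |u, p|
    if u == USERNAME && p == PASSWORD
      return true
    else
      return false
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  p authenticate_correct('fred', 'sekr3t')   # => :proceed
  p authenticate_correct('fred', 'nope')     # => the 401 hash
  p authenticate_buggy('fred', 'sekr3t')     # => true  (helper's verdict bypassed)
  p authenticate_buggy('fred', 'nope')       # => false (no 401 ever built)
end
```

The buggy method returns exactly what the block's `return` hands it, which is why the helper's "Access denied" branch never runs for a bad password.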
