[Catalyst-commits] r8417 - in Catalyst-Authentication-Credential-HTTP/1.000/trunk: . lib/Catalyst/Authentication/Credential

t0m at dev.catalyst.perl.org t0m at dev.catalyst.perl.org
Sun Sep 14 12:50:38 BST 2008 

Author: t0m
Date: 2008-09-14 12:50:38 +0100 (Sun, 14 Sep 2008)
New Revision: 8417

Modified:
   Catalyst-Authentication-Credential-HTTP/1.000/trunk/Changes
   Catalyst-Authentication-Credential-HTTP/1.000/trunk/Todo
   Catalyst-Authentication-Credential-HTTP/1.000/trunk/lib/Catalyst/Authentication/Credential/HTTP.pm
Log:
More docs about the digest auth specific config and domain options.

Modified: Catalyst-Authentication-Credential-HTTP/1.000/trunk/Changes
===================================================================
--- Catalyst-Authentication-Credential-HTTP/1.000/trunk/Changes	2008-09-13 15:39:29 UTC (rev 8416)
+++ Catalyst-Authentication-Credential-HTTP/1.000/trunk/Changes	2008-09-14 11:50:38 UTC (rev 8417)
@@ -1,3 +1,8 @@
+1.005  2008-09-XX
+  - Added better description of the use of the domains and
+    use_uri_for options (info culled from RFC2617).
+  - 
+
 1.004  2008-09-12
    - Add tests for use_uri_for configuration options.
    - Add tests and documentation for storing an MD5

Modified: Catalyst-Authentication-Credential-HTTP/1.000/trunk/Todo
===================================================================
--- Catalyst-Authentication-Credential-HTTP/1.000/trunk/Todo	2008-09-13 15:39:29 UTC (rev 8416)
+++ Catalyst-Authentication-Credential-HTTP/1.000/trunk/Todo	2008-09-14 11:50:38 UTC (rev 8417)
@@ -1,4 +1,5 @@
 . Split auth headers / do auth methods again, and make authenticate call each in turn.
-. Document / test 'algorithm' config - MD5-sess / MD5.
-. Better documentation for 'domain' option.
-. Domain option should be able to be passed as config.
\ No newline at end of file
+. Test 'algorithm' config / MD5-sess properly.
+. Full implementation of MD5-sess with remote authentication service.
+. Domain option should be able to be passed as config.
+. Support for NTLM auth?
\ No newline at end of file

Modified: Catalyst-Authentication-Credential-HTTP/1.000/trunk/lib/Catalyst/Authentication/Credential/HTTP.pm
===================================================================
--- Catalyst-Authentication-Credential-HTTP/1.000/trunk/lib/Catalyst/Authentication/Credential/HTTP.pm	2008-09-13 15:39:29 UTC (rev 8416)
+++ Catalyst-Authentication-Credential-HTTP/1.000/trunk/lib/Catalyst/Authentication/Credential/HTTP.pm	2008-09-14 11:50:38 UTC (rev 8417)
@@ -478,6 +478,20 @@
 
 Array reference to domains used to build the authorization headers.
 
+This list of domains defines the protection space. If a domain URI is an 
+absolute path (starts with /), it is relative to the root URL of the server being accessed. 
+An absolute URI in this list may refer to a different server than the one being accessed. 
+
+The client will use this list to determine the set of URIs for which the same authentication 
+information may be sent. 
+
+If this is omitted or its value is empty, the client will assume that the
+protection space consists of all URIs on the responding server.
+
+Therefore, if your application is not hosted at the root of this domain, and you want to
+prevent the authentication credentials for this application being sent to any other applications.
+then you should use the I<use_uri_for> configuration option, and pass a domain of I</>.
+
 =back
 
 =item authenticate_basic $c, $realm, \%auth_info
@@ -493,6 +507,9 @@
 Note - if you do not want to store your user passwords as clear text, then it is possible
 to store instead the MD5 digest in hex of the string '$username:$realm:$password' 
 
+Takes an additional parameter of I<algorithm>, the possible values of which are 'MD5' (the default)
+and 'MD5-sess'. For more information about 'MD5-sess', see section 3.2.2.2 in RFC 2617.
+
 =item authorization_required_response $c, $realm, \%auth_info
 
 Sets C<< $c->response >> to the correct status code, and adds the correct
@@ -546,7 +563,9 @@
 =item use_uri_for
 
 If this configuration key has a true value, then the domain(s) for the authorization header will be
-run through $c->uri_for()
+run through $c->uri_for(). Use this configuration option if your application is not running at the root
+of your domain, and you want to ensure that authentication credentials from your application are not shared with
+other applications on the same server.
 
 =back

More information about the Catalyst-commits mailing list