[Catalyst] Credential::HTTP vs. Controller::REST

John Napiorkowski jjn1056 at yahoo.com
Sat Nov 10 17:09:23 GMT 2007


--- "Christopher H. Laco" <claco at chrislaco.com> wrote:

> I'm working with the REST action/controller to expose my app to
> browsers and to any remote client (json/xml, etc). For the browser
> stuff, I just use the regular Auth plugins with a database store tied
> to a user/pass login form. For remote clients, I wanted to tack on
> HTTP Auth using Basic/Digest.
> 
> Lucky for me, we have C::P::A::Credential::HTTP, which can consume
> and create the proper Basic/Digest auth headers.
> 
> Unfortunately, when this credential class creates the appropriate 401
> response code and headers when auth is required, it assumes that the
> content-type is text/html, and the body() needs to contain text
> ("Authorization Required").
> 
> IMHO, this is bad. I don't believe it's the responsibility of this
> credential to set/assume the content-type/body for me, but only to
> manage reading/writing the auth headers.
> 
> Under normal operation, the REST controller receives a request for a
> certain content-type, and if I set the status code myself to 401 and
> detach, the outbound response is automatically set to that requested
> content-type with an empty serialized entity (empty YAML, null in
> JSON, etc)
> 
> Since the HTTP auth credential assumes it needs to set content-type
> and body(), those trash what the REST controller is doing during
> serialization of the response. When it does that, responses to clients
> that have requested yaml/json now get text/html and a body they can't
> consume.
> 
> It's mentioned in the HTTP Auth pod that one could override these in
> end(), but that means that I have to spend time in my end() sub
> reimplementing logic that is already handled by the REST controller,
> just to get the content-type/body back to the proper output.
> 
> At this point, I just wanted to get the conversation started on what
> everyone thinks the correct behavior is, and if there are any
> workarounds for this type of problem.
> 
> -=Chris

Chris,

I had a similar problem with this plugin, since I had
a system that, like the REST Controller, needed to set
specific JSON encoded body entities.  To be honest I
was under a "Finish it Today" deadline, so I just
rewrote the needed pieces, which was trivial since the
App only needed BASIC authentication.

Also, for me there was a lot of confusion about how
this was supported, since there seem to be a few
plugins that support some sort of HTTP style
authentication.  The only one I found that seemed to
fit the bill had the problem you mentioned and in
addition it seemed to be using $c->login instead of
the $c->authenticate that is part of the
authentication refactoring that happened a while ago.

What I ended up using was the Password Credential, the
DBIC Store and a few lines of code in the auto action
to grab/request http authentication.

--john
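
A sketch of the approach described in the reply above (Password credential, DBIC store, and a few lines in the auto action), added here as an example; it is not the code from John's application. The controller name, the realm string, and the username/password field names are assumptions.

```perl
package MyApp::Controller::API;    # hypothetical controller name
use strict;
use warnings;
use base 'Catalyst::Controller::REST';

# Assumed realm string; the thread does not name one.
my $REALM = 'MyApp API';

# Runs before every action in this controller. Returning a true value lets
# the request continue; detaching skips the action and proceeds to end().
sub auto : Private {
    my ( $self, $c ) = @_;

    # Already authenticated, e.g. a browser session from the login form.
    return 1 if $c->user_exists;

    # HTTP::Headers decodes "Authorization: Basic ..." into (user, pass).
    # It returns an empty list when the header is absent or not Basic.
    my ( $user, $pass ) = $c->req->headers->authorization_basic;

    if ( defined $user && defined $pass ) {
        # Field names are assumptions: they must match what the Password
        # credential and DBIC store are configured to look up and check.
        return 1
          if $c->authenticate( { username => $user, password => $pass } );
    }

    # Challenge the client. Only the status and the auth header are set
    # here: content type and body are left untouched so the REST
    # controller can serialize the response in the requested format.
    $c->res->status(401);
    $c->res->header( 'WWW-Authenticate' => qq{Basic realm="$REALM"} );
    $c->detach;
}

1;
```

HTTP Basic sends the password base64-encoded rather than encrypted, so an endpoint protected this way belongs behind TLS.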


