[Catalyst] disable session in authentication

Bernhard Graf catalyst3 at augensalat.de
Wed Dec 10 23:16:12 GMT 2008


On Wed 10 December 2008, Bernhard Graf wrote:

> I have an application that uses two different authentication methods
> based on C::P::Authentication:
>
> The default realm uses Catalyst::Authentication::Credential::Password
> with session and cookie for the usual web login with a
> username-password login screen.
>
> For a REST service Catalyst::Authentication::Credential::HTTP is
> used. With every request to this REST service, a useless session id
> and a cookie are created by C::P::Authentication automatically.
>
> I found this config option "use_session" to disable sessions for
> authentication, but this seems to act globally. :-((
>
> Is it possible to disable session usage for the HTTP auth realm only?

Meanwhile I think I found out where to set use_session:

Plugin::Authentication:
    default_realm: default
    use_session: 0
    realms:
        default:
            use_session: 1
            credential:
                class: Password
                password_field: password
                password_type: clear
            store:
                class: DBIx::Class
                user_class: DB::User
                id_field: username
                role_relation: roles
                role_field: id
        rest:
            use_session: 0
            credential:
                class: HTTP
                type: basic
                password_field: appkey
                password_type: clear
                username_field: name
            store:
                class: DBIx::Class
                user_class: DB::Application
                id_field: name

Having gotten this far, it seems Catalyst::Authentication::Credential::HTTP
has a bug, lines 67ff:

    if ($self->check_password($user_obj, $opts)) {
        $c->set_authenticated($user_obj);
        return $user_obj;
    }

Here set_authenticated is called without any realmname (missing 2nd
arg), so it defaults to realmname "default", which is the wrong realm.
Finally $user_obj is returned to the caller
Catalyst::Authentication::Realm::authenticate(), and the next thing
that this method does is to call

    $c->set_authenticated($user, $self->name);

again - this time with the correct realmname ("rest").

The same bug seems to be in (I didn't test this so far) 
Catalyst::Authentication::Credential::HTTP::authenticate_digest():
it also calls

    $c->set_authenticated($user);

without the realmname - which will fail in my case - and then returns 1.
This time the caller Catalyst::Authentication::Realm::authenticate()
doesn't call set_authenticated() with the correct realmname, so the
whole authentication would fail.

The best fix seems to delete the set_authenticated() calls in 
authenticate_basic() and authenticate_digest(), and simply return the 
user object, because Catalyst::Authentication::Realm::authenticate() 
does the right thing with it.

-- 
Bernhard Graf
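As an added illustration (not Catalyst's code and not part of the mail above), a minimal Perl model of the call sequence the mail describes: MockContext, realm_authenticate() and the two authenticate_basic_* subs are hypothetical stand-ins, and only the set_authenticated() name and its "default" fallback are taken from the mail. Run it to see that the credential-side call lands in the session-using "default" realm before the realm's own call reaches "rest".

```perl
#!/usr/bin/env perl
# Hypothetical model of the realm/credential interplay; not Catalyst code.
use strict;
use warnings;

# Stand-in for the Catalyst context: records which realm every
# set_authenticated() call landed in and whether that realm uses a session.
package MockContext {
    sub new { bless { realms => $_[1], log => [] }, $_[0] }
    sub set_authenticated {
        my ($c, $user, $realmname) = @_;
        $realmname //= 'default';      # missing 2nd arg falls back to "default"
        my $realm = $c->{realms}{$realmname};
        push @{ $c->{log} },
            "$realmname:" . ($realm->{use_session} ? 'session' : 'no-session');
    }
}

# Buggy credential: calls set_authenticated() itself, without a realm name.
sub authenticate_basic_buggy {
    my ($c, $user) = @_;
    $c->set_authenticated($user);
    return $user;
}

# Fixed credential: only returns the user; the realm does the bookkeeping.
sub authenticate_basic_fixed { my ($c, $user) = @_; return $user }

# Model of Catalyst::Authentication::Realm::authenticate(): calls the
# credential, then set_authenticated() with the realm's own name.
sub realm_authenticate {
    my ($c, $realmname, $cred) = @_;
    my $user = $cred->($c, 'appuser') or return;
    $c->set_authenticated($user, $realmname);
    return $user;
}

# Constructed realm config mirroring the mail: default uses sessions, rest does not.
my %realms = ( default => { use_session => 1 }, rest => { use_session => 0 } );

for my $case ([buggy => \&authenticate_basic_buggy], [fixed => \&authenticate_basic_fixed]) {
    my ($name, $cred) = @$case;
    my $c = MockContext->new(\%realms);
    realm_authenticate($c, 'rest', $cred);
    print "$name: ", join(', ', @{ $c->{log} }), "\n";
}
```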
