[Catalyst] 5.80005: $c->req->remote_user and apache: excluding actions from authentication

Francesc Romà i Frigolé francesc.roma+catalyst at gmail.com
Tue Jun 9 18:49:15 GMT 2009 

On Tue, Jun 9, 2009 at 7:53 PM, Tomas Doran <bobtfish at bobtfish.net> wrote:

> Francesc Rom=E0 i Frigol=E9 wrote:
>
>> This is more of an apache question than a Catalyst one, but I'd apprecia=
te
>> some help.
>>
>> I'm trying the new feature $c->req->remote_user introduced in 5.80005. I=
'd
>> like to know if it is possible to tell apache, in a .htaccess file, to n=
ot
>> ask authentication for a certain set of URIs (for example matching /publ=
ic/)
>>
>
> Yes, it is.
>
> <Location /public>
>   Satisfy Any
>   Allow from All
> </Location>
>
> should do what you want.
>


Thanks Tomas, but I get the error:  .htaccess: <Location not allowed here

This is because <Location> is not an "htaccess directive". See
http://httpd.apache.org/docs/1.3/mod/core.html#location

I also tried with <FilesMatch> which it is allowed, but it doesn't seem to
work (which makes sense because I'm not actually matching any file but a
catalyst action )



>
> Also, if you haven't seen it yet:
>
> http://search.cpan.org/~bobtfish/Catalyst-Plugin-Authentication-0.10012/l=
ib/Catalyst/Authentication/Credential/Remote.pm<http://search.cpan.org/%7Eb=
obtfish/Catalyst-Plugin-Authentication-0.10012/lib/Catalyst/Authentication/=
Credential/Remote.pm>
>


It looks very interesting. From your explanation

    # in your Controller/Root.pm you can implement "auto-login" in this way
    sub begin : Private {
        my ( $self, $c ) =3D @_;

        unless ($c->user_exists) {
            # authenticate() for this module does not need any user info
            # as the username is taken from $c->req->remote_user and
            # password is not needed

            unless ($c->authenticate( {} )) {
              # return 403 forbidden or kick out the user in other way
            };
        }
    }


it seems that it should be possible to tell apache that authentication is
optional, but I don't know how to do that. How can I make apache ask for a
username/password but not return a 401 Authorization Required error?

Thanks,
Francesc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.scsys.co.uk/pipermail/catalyst/attachments/20090609/e07fa=
f69/attachment.htm

More information about the Catalyst mailing list