[Catalyst] 5.80005: $c->req->remote_user and apache: excluding actions from authentication

Tomas Doran bobtfish at bobtfish.net
Tue Jun 9 20:26:08 GMT 2009

On 9 Jun 2009, at 19:49, Francesc Romà i Frigolé wrote:
> I also tried with <FilesMatch> which it is allowed, but it doesn't  
> seem to work (which makes sense because I'm not actually matching  
> any file but a catalyst action )

Ah, if you've got rules sending stuff to Catalyst, then stuff will be  
sent to Catalyst to deal with, normal rules are unlikely to apply.

Inside Catalyst you can trivially continue the same authentication  
you were using outside of Catalyst however, see  
Catalyst::Authentication::Credential::HTTP and  

> It looks very interesting. From your explanation

Nono, not my explanation, none of the code linked was written by me,  
I just released it last.

Specifically, kmx++ for that credential.

>     # in your Controller/Root.pm you can implement "auto-login" in  
> this way
>     sub begin : Private {
>         my ( $self, $c ) = @_;
>         unless ($c->user_exists) {
>             # authenticate() for this module does not need any user  
> info
>             # as the username is taken from $c->req->remote_user and
>             # password is not needed
>             unless ($c->authenticate( {} )) {
>               # return 403 forbidden or kick out the user in other way
>             };
>         }
>     }

Erm, no - $c->authenticate will _always_ succeed if you're using  
Credential::Remote, as the web server above you will have always  
authenticated you already..

It's for use in situations where you don't want Catalyst to care  
about auth, but you _do_ want to load details about the already  
logged in user (from the DBIx::Class auth store for example).

> it seems that it should be possible to tell apache that  
> authentication is optional, but I don't know how to do that. How  
> can I make apache ask for a username/password but not return a 401  
> Authorization Required error?


This is implicit in the HTTP auth protocol.

You can limit it to authenticating only for some HTTP methods (which  
is how publicly readable subversion works), but from the server side,  
you either say 'needs auth, give the user a password prompt', or you  

This (and the ugly password box) is why most 'internet' websites  
implement auth with a login form - you can be a lot more flexible  
about the level of user-authenticity you require at each stage...


More information about the Catalyst mailing list