0
我有我自己有點卡住試圖讓HTTP摘要式身份驗證和運行,很像在導向建議的快速位:使用明文密碼與authenticate_or_request_with_http_digest
Ruby on Rails Guides: Action Controller Overview > HTTP Digest Authentication
class ApplicationController < ActionController::Base
protect_from_forgery
USERS = { "sam" => "ruby" }
before_filter :authenticate
private
def authenticate
authenticate_or_request_with_http_digest do |username|
USERS[username]
end
end
end
儘管輸入上面的身份驗證似乎失敗,我得到提示輸入用戶名和密碼,然後再次收到提示。於是我開始鑽研,在這裏驗證請求的代碼:
GitHub: http_authentication.rb > validate_digest_response
def validate_digest_response(request, realm, &password_procedure)
secret_key = secret_token(request)
credentials = decode_credentials_header(request)
valid_nonce = validate_nonce(secret_key, request, credentials[:nonce])
if valid_nonce && realm == credentials[:realm] && opaque(secret_key) == credentials[:opaque]
password = password_procedure.call(credentials[:username])
return false unless password
method = request.env['rack.methodoverride.original_method'] || request.env['REQUEST_METHOD']
uri = credentials[:uri][0,1] == '/' ? request.fullpath : request.url
[true, false].any? do |password_is_ha1|
expected = expected_response(method, uri, credentials, password, password_is_ha1)
expected == credentials[:response]
end
end
end
我看不出它是如何處理的密碼爲純文本。如何設置password_is_ha1?我也有點困惑如何什麼?塊正在工作,這可能沒有幫助: -/
就像快速注:我知道我不應該真正以純文本存儲密碼,並在這樣的源代碼。我只是試圖建立一種理解,並在稍後重構。
提前:-D