How do I stack Plack authentication handlers?
I would like to have my Plack app try several different means of authorizing the user. Specifically, check if the user is already authorized via a session cookie, then check for Digest authentication and then fall back to Basic.
I figured I could just enable a bunch of Auth handlers in the order I wanted them to be checked (Session, Digest, Basic). Unfortunately, the way that Plack::Middleware::Auth::Digest and Plack::Middleware::Auth::Basic are written they both return 401 if digest or basic auth doesn't exist, respectively.
How is this normally dealt with in Plack?
Comments (2)
I do not have an implementation but I think I have the approach. You can do this "in-line" with Plack::Middleware::Conditional. So it would look like this but you'll have to fill in the missing conditions/tests. I didn't see an easy/obvious way but I suspect you might. Since you have the $env to pass around you should be able to set/check HTTP_/session stuff in the order you want and keep the state for the next handler to know if it should be enabled or not.
I think you are going to need to write your own middleware, since ideally (based on a very quick read of RFC 2617) when not authenticated you would return a WWW-Authenticate header with both Basic and Digest challenges (with Basic first, for user agents that only understand Basic).
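One way to write the middleware the second answer describes, as an added example that is not part of the original thread: it trusts an existing session first, hands requests that carry credentials to the stock Digest or Basic middleware, and otherwise answers 401 with both challenges, Basic first. The package name `My::Middleware::Auth::Stacked`, the options `basic_check` and `digest_password`, the session key `user`, and the sample credentials and secret are assumptions made for illustration.

```perl
# app.psgi - added example; package name, option names, session key and
# credentials are assumptions, not code from the thread.
package My::Middleware::Auth::Stacked;
use strict;
use warnings;
use parent 'Plack::Middleware';
use Plack::Util::Accessor qw(realm secret basic_check digest_password);
use Plack::Middleware::Auth::Basic;
use Plack::Middleware::Auth::Digest;

sub prepare_app {
    my $self = shift;
    # Wrap the same inner app once per scheme, reusing the stock verifiers.
    $self->{basic} = Plack::Middleware::Auth::Basic->wrap($self->app,
        realm => $self->realm, authenticator => $self->basic_check);
    $self->{digest} = Plack::Middleware::Auth::Digest->wrap($self->app,
        realm => $self->realm, secret => $self->secret,
        authenticator => $self->digest_password);
}

sub call {
    my ($self, $env) = @_;
    # 1. Session: 'user' is an assumed key, set by the app after a login.
    my $session = $env->{'psgix.session'} || {};
    if (defined $session->{user}) {
        $env->{REMOTE_USER} = $session->{user};
        return $self->app->($env);
    }
    # 2./3. Dispatch on the scheme the client actually sent.
    my $auth = $env->{HTTP_AUTHORIZATION} // '';
    return $self->{digest}->($env) if $auth =~ /^Digest\s/i;
    return $self->{basic}->($env)  if $auth =~ /^Basic\s/i;
    # No credentials: take Auth::Digest's 401 (it carries a fresh nonce)
    # and put the Basic challenge in front of it.
    my $realm = $self->realm;
    return $self->response_cb($self->{digest}->($env), sub {
        my $res = shift;
        unshift @{ $res->[1] }, 'WWW-Authenticate' => qq{Basic realm="$realm"};
        return;
    });
}

package main;
use Plack::Builder;
my %password = (alice => 'constructed-sample-password');   # constructed sample
my $app = sub { [200, ['Content-Type' => 'text/plain'], ["Hello $_[0]{REMOTE_USER}\n"]] };
builder {
    enable 'Session';    # provides $env->{'psgix.session'}
    enable sub { My::Middleware::Auth::Stacked->wrap($_[0],
        realm => 'Restricted', secret => 'constructed-nonce-secret',
        basic_check     => sub { my ($u, $p) = @_; defined $password{$u} && $p eq $password{$u} },
        digest_password => sub { $password{ $_[0] } }) };
    $app;
};
```

Any client may choose to answer with Basic, so this stack is only as strong as Basic and belongs behind TLS.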