authorlink <link@localhost>2005-02-13 19:12:59 +0000
committerlink <link@localhost>2005-02-13 19:12:59 +0000
commit90b1fecb2f0cb1fb2f3db5c10c2f6e6769821c6d (patch)
tree24481443784137580a023cd19abf010a3a558a85
parentcbaddf9d74ba9f875ff23479e2807e0478e41b4d (diff)
Templatify &authenticate().
-rwxr-xr-xhttpd/cgi-bin/check80
-rw-r--r--share/templates/en_US/http_401_authrequired.tmpl52
2 files changed, 67 insertions, 65 deletions
diff --git a/httpd/cgi-bin/check b/httpd/cgi-bin/check
index 970ea9c..f933670 100755
--- a/httpd/cgi-bin/check
+++ b/httpd/cgi-bin/check
@@ -9,7 +9,7 @@
# This source code is available under the license at:
# http://www.w3.org/Consortium/Legal/copyright-software
#
-# $Id: check,v 1.398 2005-02-13 18:50:09 link Exp $
+# $Id: check,v 1.399 2005-02-13 19:12:58 link Exp $
#
# Disable buffering on STDOUT!
@@ -224,7 +224,7 @@ Directory not readable (permission denied): @_r
#
# Strings
- $VERSION = q$Revision: 1.398 $;
+ $VERSION = q$Revision: 1.399 $;
$VERSION =~ s/Revision: ([\d\.]+) /$1/;
#
@@ -310,9 +310,15 @@ my $E = HTML::Template->new(
$lang, 'fatal-error.tmpl'),
die_on_bad_params => FALSE,
);
+my $H = HTML::Template->new(
+ filename => File::Spec->catfile($CFG->{Paths}->{Templates},
+ $lang, 'http_401_authrequired.tmpl'),
+ die_on_bad_params => FALSE,
+);
$File->{T} = $T;
$File->{E} = $E;
+$File->{H} = $H;
# Read friendly error message file
@@ -1105,7 +1111,7 @@ sub authenticate {
for my $scheme (keys(%$authHeader)) {
my $origrealm = $authHeader->{$scheme}->{realm};
- if (!defined($origrealm) || lc($scheme) !~ /^(?:basic|digest)$/) {
+ if (not defined $origrealm or lc($scheme) !~ /^(?:basic|digest)$/) {
delete($authHeader->{$scheme});
next;
}
@@ -1113,72 +1119,16 @@ sub authenticate {
}
my $headers = HTTP::Headers->new(Connection => 'close');
- $headers->content_type('text/html; charset=utf-8');
$headers->www_authenticate(%$authHeader);
$headers = $headers->as_string();
+ chomp($headers);
- print <<"EOF";
-Status: 401 Authorization Required
-$headers
-
-<?xml version="1.0"?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
- "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
- <head><title>[WMVS] 401 Authorization Required</title></head>
- <body>
- <h1>Authorization Required</h1>
- <p>Sorry, I am not authorized to access the specified URL.</p>
- <p>
- The URL you specified, &lt;<a href="$resource">$resource</a>&gt;,
- returned a 401 "authorization required" response when I tried
- to download it.
- </p>
- <p>
- You should have been prompted by your browser for a
- username/password pair; if you had supplied this information, I
- would have forwarded it to your server for authorization to
- access the resource. You can use your browser's "reload" function
- to try again, if you wish.
- </p>
- <p>
- Of course, you may not want to trust me with this information,
- which is fine. I can tell you that I don't log it or do
- anything else nasty with it, and you can <a href="source/">download the
- source code for this service</a> to see what it does, but you have no
- guarantee that this is actually the code I'm using; you basically have to
- decide whether to trust me or not :-)
- </p>
- <p>
- You should also be aware that the way we proxy this authentication
- information defeats the normal working of HTTP Authentication.
- If you authenticate to server A, your browser may keep sending
- the authentication information to us every time you validate
- a page, regardless of what server it's on, and we'll happily pass
- that on to the server thereby making it possible for a malicious
- server operator to capture your credentials.
- </p>
- <p>
- Due to the way HTTP Authentication works there is no way we can
- avoid this. We are using some "tricks" to fool your client into
- not sending this information in the first place, but there is no
- guarantee this will work. If security is a concern to you, you
- may wish to avoid validating protected resources or take extra
- precautions to prevent your browser from sending authentication
- information when validating other servers.
- </p>
- <p>
- Also note that you shouldn't use HTTP Basic Authentication for
- anything which really needs to be private, since the password
- goes across the network unencrypted.
- </p>
-EOF
+ $File->{H}->param(http_401_headers => $headers);
+ $File->{H}->param(http_401_url => $resource);
+
+ print $File->{H}->output;
- # this is needed to avoid that the template code emits additional
- # markup which would make the result invalid and look odd; in the
- # longer term this should be moved into a template that fits with
- # the general validator.w3.org style.
- exit;
+ exit; # Further interaction will be a new HTTP request.
}
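Review bot: `$resource` reaches the page unescaped. `$File->{H}->param(http_401_url => $resource);` passes it as-is, and the new template prints it with a bare `<TMPL_VAR NAME="http_401_url">` both inside the `href="..."` attribute and as the link text. Unless the value is HTML-escaped earlier in `authenticate` (its body starts outside this hunk), a submitted URL containing `"` or `<` ends up as markup on the 401 page. The removed heredoc interpolated `$resource` the same way, so this is carried over rather than introduced, but with HTML::Template the fix is one attribute in each of the two places in http_401_authrequired.tmpl: `<TMPL_VAR NAME="http_401_url" ESCAPE="HTML">`. Escape per variable rather than template-wide, because `http_401_headers` has to be emitted raw.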
diff --git a/share/templates/en_US/http_401_authrequired.tmpl b/share/templates/en_US/http_401_authrequired.tmpl
new file mode 100644
index 0000000..a284c08
--- /dev/null
+++ b/share/templates/en_US/http_401_authrequired.tmpl
@@ -0,0 +1,52 @@
+Status: 401 Authorization Required
+<TMPL_VAR NAME="http_401_headers">
+<TMPL_INCLUDE NAME="header.tmpl">
+
+ <div id="main">
+ <h2>Authorization Required</h2>
+ <p>Sorry, I am not authorized to access the specified URL.</p>
+ <p>
+ The URL you specified, &lt;<a href="<TMPL_VAR NAME="http_401_url">"><TMPL_VAR NAME="http_401_url"></a>&gt;,
+ returned a 401 "authorization required" response when I tried
+ to download it.
+ </p>
+ <p>
+ You should have been prompted by your browser for a
+ username/password pair; if you had supplied this information, I
+ would have forwarded it to your server for authorization to
+ access the resource. You can use your browser's "reload" function
+ to try again, if you wish.
+ </p>
+ <p>
+ Of course, you may not want to trust me with this information,
+ which is fine. I can tell you that I don't log it or do
+ anything else nasty with it, and you can <a href="source/">download the
+ source code for this service</a> to see what it does, but you have no
+ guarantee that this is actually the code I'm using; you basically have to
+ decide whether to trust me or not :-)
+ </p>
+ <p>
+ You should also be aware that the way we proxy this authentication
+ information defeats the normal working of HTTP Authentication.
+ If you authenticate to server A, your browser may keep sending
+ the authentication information to us every time you validate
+ a page, regardless of what server it's on, and we'll happily pass
+ that on to the server thereby making it possible for a malicious
+ server operator to capture your credentials.
+ </p>
+ <p>
+ Due to the way HTTP Authentication works there is no way we can
+ avoid this. We are using some "tricks" to fool your client into
+ not sending this information in the first place, but there is no
+ guarantee this will work. If security is a concern to you, you
+ may wish to avoid validating protected resources or take extra
+ precautions to prevent your browser from sending authentication
+ information when validating other servers.
+ </p>
+ <p>
+ Also note that you shouldn't use HTTP Basic Authentication for
+ anything which really needs to be private, since the password
+ goes across the network unencrypted.
+ </p>
+ </div><!-- End of "main" -->
+<TMPL_INCLUDE NAME="footer.tmpl">
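Review bot: Nothing in this file ends the CGI header block. After `Status:` and `<TMPL_VAR NAME="http_401_headers">` it goes straight into `<TMPL_INCLUDE NAME="header.tmpl">`, while the same commit removes `content_type('text/html; charset=utf-8')` and the blank line the old heredoc printed after `$headers`. The response is therefore only well-formed if header.tmpl (not shown) begins with the Content-Type header and the empty separator line. That dependency should be recorded where the value is prepared in check, for example `chomp($headers); # header.tmpl supplies Content-Type and the blank line ending the header block`. Separately, `http_401_headers` carries realm text taken from the remote server's challenge, so it is worth confirming that a realm containing a line break cannot add header lines here or end the block early.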