Catalyst Advent - Day 14 - Authentication/Authorization

NOTE: This article is now obsolete. Please refer to

This is done in several steps:


Getting the user to identify themselves, by giving you some piece of information known only to you and the user. Then you can assume that the user is who they say they are. This is called credential verification.


Making sure the user only accesses functions you want them to access. This is done by checking the verified users data against your internal list of groups, or allowed persons for the current page.


The Catalyst Authentication system is made up of many interacting modules, to give you the most flexibility possible.

Credential verifiers

A Credential module tables the user input, and passes it to a Store, or some other system, for verification. Typically, a user object is created by either this module or the Store and made accessible by a $c->user call.


 Password - Simple username/password checking.
 HTTPD    - Checks using basic HTTP auth.
 TypeKey  - Check using the typekey system.

Storage backends

A Storage backend contains the actual data representing the users. It is queried by the credential verifiers. Updating the store is not done within this system, you will need to do it yourself.


 DBIC     - Storage using a database.
 Minimal  - Storage using a simple hash (for testing).

User objects

A User object is created by either the storage backend or the credential verifier, and filled with the retrieved user information.


 Hash     - A simple hash of keys and values.

ACL authorization

ACL stands for Access Control List. The ACL plugin allows you to regulate access on a path by path basis, by listing which users, or roles, have access to which paths.

Roles authorization

Authorization by roles is for assigning users to groups, which can then be assigned to ACLs, or just checked when needed.

Logging in

When you have chosen your modules, all you need to do is call the $c->login method. If called with no parameters, it will try to find suitable parameters, such as username and password, or you can pass it these values.

Checking roles

Role checking is done by using the $c->check_user_roles method, this will check using the currently logged in user (via $c->user). You pass it the name of a role to check, and it returns true if the user is a member.


 use Catalyst qw/Authentication

 __PACKAGE__->config->{authentication}{htpasswd} = "passwdfile";

  sub login : Local {
     my ($self, $c) = @_;

     if (    my $user = $c->req->param("user")
         and my $password = $c->req->param("password") )
         if ( $c->login( $user, $password ) ) {
              $c->res->body( "hello " . $c->user->name );
         } else {
            # login incorrect
     else {
         # invalid form input

  sub restricted : Local {
     my ( $self, $c ) = @_;

       unless $c->check_user_roles( "admin" );

     # do something restricted here

More information