
Basic authentication

I'm trying to use HTTP Basic authentication in an authorization filter_before for my controllers.  It works fine on my dev machine.  On the servers here, though, it seems like none of the authorization headers are getting through!

I've logged out request.env and don't see a single header with "Authorize" or any of the variants in it.  I can only guess that it's being filtered out by FastCGI (my dev machine uses InstantRails and therefore Mongrel).

Any hints from those in the know?

Rod

2007-03-25 12:12 AM

Hmmm - paste in the relevant part of the before_filter code....this could indeed be a fastcgi issue so maybe try it on mongrel, too?  Contact support and have them open up a port for you to use temporarily to test it out.  Tell them I sent you.  

Cheers,

~William

2007-03-25 02:58 AM

Thanks for the reply, William.  Here's the code: I copied it nearly verbatim from a link in one of the how-tos.

An interesting part is the line

logger.info(request.env.inspect)

at the beginning of authenticate which gives me all the HTTP headers - none of the Authenticate variations are present in the hash, so they're getting stripped somewhere.  I know my browser is setting them since I get them on my dev machine being driven with the same browser.

require 'base64'

def authorize(realm='Web Password', errormessage="Couldn't authenticate you")
  # debug only: this dumps every request header, credentials included, to the log
  logger.info(request.env.inspect)
  username, passwd = get_auth_data
  # check if authorized
  # try to get user
  if (user = User.authenticate(username, passwd))
    # user exists and password is correct ... hooray!
    if user.respond_to?(:lastlogin)
      # note last login
      session['lastlogin'] = user.lastlogin
      user.lastlogin = Time.now
      user.save
    end
    session["User.id"] = user.email
  else
    # the user does not exist or the password was wrong
    response.headers["Status"] = "Unauthorized"
    response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
    render :text => errormessage, :status => 401 and return
  end
end

private

def get_auth_data
  user, pass = '', ''
  # extract authorisation credentials
  if request.env.has_key? 'X-HTTP_AUTHORIZATION'
    # try to get it where mod_rewrite might have put it
    authdata = request.env['X-HTTP_AUTHORIZATION'].to_s.split
  elsif request.env.has_key? 'Authorization'
    # for Apache/mod_fastcgi with -pass-header Authorization (also Apache 2)
    authdata = request.env['Authorization'].to_s.split
  elsif request.env.has_key? 'HTTP_AUTHORIZATION'
    # this is the regular location
    authdata = request.env['HTTP_AUTHORIZATION'].to_s.split
  else
    # no header at all: fall back to request parameters
    user, pass = params[:userid], params[:pw]
  end

  # at the moment we only support basic authentication
  if authdata and authdata[0] == 'Basic'
    # split on the first colon only, since the password may contain colons
    user, pass = Base64.decode64(authdata[1].to_s).split(':', 2)
  end
  return [user, pass]
end
 

2007-03-25 10:50 AM

I don't see any reason why fastcgi would strip that info, being it's an application server and not a web server.  However, perhaps somewhere in the transition things are getting cut.  I'd recommend first to drop your app down to cgi for a minute (only do this temporarily); it will be slow but you might be able to test if fastcgi is the culprit.

You can create a test rails app with a single controller with code to render the request.env.inspect if you don't want to do this sort of thing on your app.  It might actually be useful to parse down possible variables that could be messing things up.  

Did you contact support about testing it on mongrel?

2007-03-26 04:32 AM

Hi, William thanks for the help.  I didn't contact support yet but I probably will today.  In the meantime I'll try creating a stub application and apply basic auth to that.  We'll see.

How do I drop my app down to cgi?  We're in development, so performance isn't an issue.

2007-03-26 10:11 AM

Ahh, that could be part of the problem.  You should never run in development mode on a production server.  You can drop down to cgi just by removing the 'f'; that is, changing the line in your .htaccess from '...dispatch.fcgi' to '...dispatch.cgi'

2007-03-26 10:25 AM

Thanks for the tip, I'll try going to cgi and report.  

I misspoke: I'm not running in development mode on the server.  We just haven't released any software yet.

2007-03-26 05:39 PM

I am having exactly the same problem - was this ever resolved?

I am dumping the request env using:

logger.info(request.env.inspect)

and the HTTP authorization headers are not there.  This is no problem when I run locally on my laptop in development mode.

I have followed William's suggestion above to drop down from FCGI to CGI, and it doesn't do the trick.  So it's definitely not FCGI.

Please help!  Thanks,
Taylor

2008-03-12 02:25 PM

Hi, Taylor.  I never could get basic authentication to work when running Webrick, but it worked perfectly under Mongrel.  I just went to mongrel everywhere and put it behind me.

2008-03-12 02:30 PM

In public/.htaccess add

RewriteRule ^(.*)$ dispatch.fcgi [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]

instead of

RewriteRule ^(.*)$ dispatch.fcgi [QSA,L]

source: http://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Basic.html

2008-03-21 01:27 AM

www.agilmente.eu
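
An added example, not part of the original thread: a stand-alone Ruby check of where the Basic credentials land in the request environment with and without the RewriteRule fix above, and how to parse them without trusting their shape. The names basic_credentials and AUTH_ENV_KEYS and the sample environments are made up for illustration; the REDIRECT_ variant is the name Apache gives a rewrite-set variable after an internal redirect.

```ruby
require 'base64'

# Env keys where the Authorization header can surface, in lookup order.
# HTTP_AUTHORIZATION is the regular location (e.g. under Mongrel); the
# X-HTTP_AUTHORIZATION variants come from the E= flag of the RewriteRule.
AUTH_ENV_KEYS = %w[
  HTTP_AUTHORIZATION
  X-HTTP_AUTHORIZATION
  X_HTTP_AUTHORIZATION
  REDIRECT_X_HTTP_AUTHORIZATION
].freeze

# Returns [user, password], or nil when no usable Basic credentials exist.
def basic_credentials(env)
  # The E= flag sets an empty value when the browser sent no header.
  raw = AUTH_ENV_KEYS.map { |k| env[k] }.find { |v| v && !v.strip.empty? }
  return nil unless raw

  scheme, token = raw.strip.split(/\s+/, 2)
  return nil unless scheme && scheme.casecmp('Basic').zero? && token

  begin
    decoded = Base64.strict_decode64(token)
  rescue ArgumentError
    return nil # not valid base64: treat as unauthenticated
  end

  # Split on the first colon only: the password may contain colons.
  user, password = decoded.split(':', 2)
  return nil if user.nil? || user.empty? || password.nil?
  [user, password]
end

# Constructed sample environments (not captured from a real server).
TOKEN         = Base64.strict_encode64('rod:s3cr:et')
MONGREL_ENV   = { 'HTTP_AUTHORIZATION' => "Basic #{TOKEN}" }
APACHE_NO_FIX = { 'REQUEST_METHOD' => 'GET' } # header never reaches the app
APACHE_FIXED  = { 'REDIRECT_X_HTTP_AUTHORIZATION' => "Basic #{TOKEN}" }
APACHE_EMPTY  = { 'X-HTTP_AUTHORIZATION' => '' } # rule active, no header sent
MALFORMED     = { 'HTTP_AUTHORIZATION' => 'Basic !!!not-base64' }
```

A nil result is the case where the filter should answer 401 with the WWW-Authenticate challenge.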
