Using http_auth only for XML requests


SolidRoot

Feb 5, 2009, 5:28:23 PM
to Authlogic
Hi there,

First of all, great plugin for authentication!

However, I'm trying to do something a little more complex than any
tutorials I've seen and have gotten kind of stuck.

Basically, I have authentication required on a specific controller,
but for XML requests (Web Services, in particular), I want to be able
to authenticate with basic http authentication. From what I
understand, I should also probably be using a single request token.
This single request token business kind of confuses me at the moment.

So, in my UserSession class, I've got:
  single_access_allowed_request_types ["application/rss+xml", "application/atom+xml", "application/xml"]

Also, I want the user to require authentication for each request they
make, but how do I force the http_auth on them if they are requesting
xml?

Right now, if I do an xml request through my browser, I still get
redirected to the login page, rather than getting an http_auth
prompt...

Help!

Thanks

Ben Johnson

Feb 5, 2009, 5:36:34 PM
to auth...@googlegroups.com
You really can't force a type of authentication on them, because for
all intents and purposes you really shouldn't care how they
authenticate, as long as they authenticate. You want to give them as
many options as possible, because their system might be limiting them.
For example, RSS readers don't really have a cookie system, so the
single access token would work since it is built into the url as a
parameter.

For web services and retrieving XML they can use any type of
authentication. Your configuration below is for the single access
token which looks something like:

www.domain.com?user_credentials=fdsf1432423

or they can do

http://username:pass...@domain.com

I believe that's the format.

Ben Johnson
Binary Logic

W: www.binarylogic.com
E: bjoh...@binarylogic.com

1430 Broadway
7th Floor - NECO
New York, NY 10018

Ben Johnson

Feb 5, 2009, 5:38:59 PM
to auth...@googlegroups.com
After looking at it you could force a type of authentication on a
user, but it would be your own code and you could enforce it however
you want. If you are still interested in this I will go more in depth
and give some examples, but my opinion is that this should never
really be necessary. Authentication is authentication, how they decide
to authenticate is their call. You just need to make sure each method
is secure, which is what authlogic does for you.





SolidRoot

Feb 7, 2009, 2:54:40 PM
to Authlogic
No, you're probably right. It really doesn't matter, as long as they
can authenticate. So with that in mind, here is the problem I'm having
now:

Going to the following URL: http://login:password@localhost:3000/profiles/show/2.xml
results in me being redirected to the login action, telling me I need
to be logged in to access the page. 'login' and 'password' here are
existing logins. I read in the documentation that AuthLogic tried
http_auth as the last method, but it doesn't seem to be doing it here.
Is there some other configuration I'm missing?

By the way, thanks for the help!

Ern


Ben Johnson

Feb 7, 2009, 4:41:51 PM
to auth...@googlegroups.com
I can't use that url because it's localhost. But it works just fine, I
have successfully used basic_http_auth in one of my projects. See if
you can verify that authlogic is not picking it up, because that is
tested numerous times in the tests.




SolidRoot

Feb 8, 2009, 12:13:18 AM
to Authlogic
Oh, I know you can't access it, I was just giving an example of how I
pass the username and password to the server. I just ran the AuthLogic
tests, and the only ones that fail (error really) are the ones dealing
with BCrypt. I think that's to be expected, as I haven't installed the
BCrypt gem.

require_user in the filter chain seems to be redirecting to the login
page, despite the login and password credentials being passed in the
URL like I said. Any ideas on what could be going wrong?


Ben Johnson

Feb 8, 2009, 3:21:48 AM
to auth...@googlegroups.com
In the rails adapter it uses basic_http_auth, can you confirm that is
working for you?

Lastly, the login / password has to be correct to be logged in,
obviously. I know that's a dumb comment, but I want to make sure you
are testing it with a valid login and password. Unfortunately for this
style of authentication the password has to be the raw text password.




SolidRoot

Feb 8, 2009, 12:01:40 PM
to Authlogic
How can I confirm that basic_http_auth is working in the Rails
adapter?

Yup, I made sure the login and password are correct :)


Ben Johnson

Feb 8, 2009, 1:42:48 PM
to auth...@googlegroups.com
Look up the basic_http_auth function in Rails. It's very simple to
implement. I believe you just do a before filter and do something like

  def check_auth
    # authenticate_with_http_basic yields the decoded Basic credentials when an
    # Authorization header is present; the block's return value is the result.
    result = authenticate_with_http_basic do |username, password|
      u = User.find_by_username(username)
      u && u.valid_password?(password)
    end
    if !result
      # do whatever you want here
    end
  end




SolidRoot

Feb 8, 2009, 3:54:39 PM
to Authlogic
Right. Yeah, I've tried that before and it works just fine. I just
thought it was bad form since Authlogic seems to support it for free.
Also, I'm not sure how I would authenticate them properly using the
Authlogic framework if I just did it manually.


Ben Johnson

Feb 8, 2009, 4:39:37 PM
to auth...@googlegroups.com
No, I don't want you to do it manually, I just wanted to confirm that
it works in your app, because that's what Authlogic does for you.




SolidRoot

Feb 9, 2009, 8:00:10 AM
to Authlogic
Oh, okay. Like I said though, AuthLogic doesn't seem to be catching
that case for me. Even with the login and password in the URL, I still
get booted to the user_session/new action.


SolidRoot

Feb 16, 2009, 12:44:29 AM
to Authlogic
Hi Ben,

I'm still kind of stuck on this. Even when I provide the login and
password the typical http auth way, I am not granted access. This is
for any type of request, not just XML. Is there something I am
missing?

Thanks

Ben Johnson

Feb 16, 2009, 12:50:11 AM
to auth...@googlegroups.com
I'll run some tests on my authlogic example and see if I can duplicate
it, but I am certain it works. It sounds like something fishy with
your app, but I'll make sure my end is solid.




SolidRoot

Feb 16, 2009, 12:54:39 AM
to Authlogic
Thanks, I appreciate it. I'm trying to figure out if it can be
something on my end, but nothing sticks out at me. I did pretty much
everything by the book, by which I mean your tutorial.


Ben Johnson

Feb 17, 2009, 3:07:11 AM
to auth...@googlegroups.com
Hi There,

I did some tests and also could not get it to work. This seems to be a
rails bug with the authenticate_with_http_basic method. If I call
authenticate_or_request_with_http_basic, it works just fine, but the
downside is that it pops up the username and password if you don't
provide it in the url, which is wrong. I'm going to see what the issue
is and see if I can make a work around.




Ben Johnson

Feb 17, 2009, 3:13:36 AM
to auth...@googlegroups.com
I looked deeper into this. It appears there is no support for this,
maybe this is because of rack? Here are the headers that serve as a
flag that http authentication is being attempted:

  request.env['HTTP_AUTHORIZATION'] ||
    request.env['X-HTTP_AUTHORIZATION'] ||
    request.env['X_HTTP_AUTHORIZATION'] ||
    request.env['REDIRECT_X_HTTP_AUTHORIZATION']

None of those are set, at all. I looked through all of the headers and
there is nothing of this sort. So I'm not sure what the deal is. Your
best bet is to just use the single_access_token as a way to
authenticate.




SolidRoot

Feb 17, 2009, 2:55:32 PM
to Authlogic
Hmm really. So this is more of a Rails problem then?

I'm not sure if the single_access_token is a viable option anymore,
though. From what I understand, I would generate the token, somehow
get it to the user, and they would be authenticated one time based on
that unique token, right?

But what I need is a way to allow restricting access to a RESTful web
service through some sort of basic authentication. Would that
accomplish this?


Ben Johnson

Feb 17, 2009, 2:58:54 PM
to auth...@googlegroups.com
Yes, that is the whole point of the single access token, it functions
the same way as supplying the username and pw in the url. This is
probably a better option because the password is not displayed
plainly in the url.

Also, yes, this seems to be an issue with rails. All of the other
authentication solutions try to authenticate with basic http auth the
same way.




SolidRoot

Feb 18, 2009, 5:15:42 PM
to Authlogic
Here's the thing though: I need the user to be able to access the web
service using their login and password. From what I understand, the
single access token is something like a string of random characters
that you might get as a confirmation for signing up to a service,
right?


Ben Johnson

Feb 18, 2009, 5:19:41 PM
to auth...@googlegroups.com
The single access token is the same thing. You have to use something
like this for private RSS feeds, because a lot of RSS readers won't
support basic http auth. Anyways, that token is unique to their
account, just like their username and password. If they log in with
this token their session is not persisted, meaning they have to provide
it for every call. It only grants you a single one time access, which
is why it's called a single access token.



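The single access token behaviour Ben describes above (a per-account random token passed as user_credentials in the URL, honoured only for the request types that the single_access_allowed_request_types setting from the first post lists, and never persisted into a session), written out as an added example in plain Ruby. This is not Authlogic's code and not code from the thread: USERS, current_user, persist_login! and reset_single_access_token! are stand-ins constructed for this illustration, and the accounts and URLs are made up.

```ruby
# Added example, not Authlogic's own code: single access token authentication
# as described in the thread. Every name here is a stand-in for illustration.
require "securerandom"
require "uri"

# Mirrors the single_access_allowed_request_types setting from the first post.
ALLOWED_REQUEST_TYPES = %w[application/rss+xml application/atom+xml application/xml].freeze

# Constructed accounts. Each carries its own random token (Authlogic keeps this
# in a single_access_token column); it can be rotated independently of the password.
USERS = {
  "ben" => { single_access_token: SecureRandom.hex(16) },
  "ern" => { single_access_token: SecureRandom.hex(16) },
}

def reset_single_access_token!(login)
  USERS.fetch(login)[:single_access_token] = SecureRandom.hex(16)
end

# XOR-accumulate so the comparison does not leak where a wrong token differs.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The token travels as ?user_credentials=... (the www.domain.com example above).
def token_from_url(url)
  query = URI.parse(url).query
  return nil if query.nil?
  pair = URI.decode_www_form(query).assoc("user_credentials")
  pair && pair.last
end

# Returns the matching login or nil. `session` is the cookie-backed store and
# is deliberately never written: the client must send the token on every call.
def authenticate_single_access(url, request_type, session)
  return nil unless ALLOWED_REQUEST_TYPES.include?(request_type)
  token = token_from_url(url)
  return nil if token.nil? || token.empty?
  match = USERS.find { |_login, rec| constant_time_equal?(rec[:single_access_token], token) }
  match && match.first
end

# What a normal login (UserSession#save) does and token auth does not.
def persist_login!(session, login)
  session[:user_login] = login
end

# A persisted session wins; otherwise fall back to the single access token.
def current_user(url, request_type, session)
  session[:user_login] || authenticate_single_access(url, request_type, session)
end
```

Because the token sits in the query string it will show up in server and proxy logs and in Referer headers, so Ben's point that it beats a password in the URL only holds if the token is revocable: rotate it with reset_single_access_token! when it leaks, and serve such feeds over HTTPS.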

SolidRoot

Feb 18, 2009, 9:43:45 PM
to Authlogic
Right, so I don't think it will do what I want. I guess I have to find
a way to get http_auth working...

You are definitely right about it being broken in Rails; I just made a
new app with just this simple controller:

  class MainController < ApplicationController
    before_filter :authenticate

    def index
    end

    protected

    def authenticate
      authenticate_or_request_with_http_basic do |u, p|
        u == 'login' and p == 'password'
      end
    end
  end

I get through every time, not asked for credentials or anything! I
think this should definitely work, as it's the most basic example of
http_auth I've seen...


SolidRoot

Feb 20, 2009, 4:41:18 PM
to Authlogic
Actually, never mind. That code DOES work. What was happening there was
my login and password were being automatically saved, so I wasn't
seeing the prompt...

So what's the verdict on basic_http_auth in Authlogic? What has to be
done to make it work?

Ben Johnson

Feb 20, 2009, 4:43:46 PM
to auth...@googlegroups.com
Honestly, I can't think of anything. The authenticate_with_http_basic
function should work, but it doesn't. The only way it does is if you
call authenticate_or_request_with_http_basic, which will prompt the
user for their username and password if they are not logged in, which
is not what we want.

I really think something has changed somewhere, or this is a bug in
rails, because I can't get authenticate_with_http_basic to work even
when I implement it in a controller all by itself.




Ben Johnson

Feb 20, 2009, 4:44:43 PM
to auth...@googlegroups.com
Also, that is the function I should be using. It's the same function
restful_auth uses and all of the tutorials, and the code gets
executed, I have multiple tests in place to make sure of this.





Si

Apr 4, 2009, 6:34:12 AM
to Authlogic
Hi,

I'm facing the same issue, and I thought it was because my
require_user in my application_controller.rb came from the basic HTML
only tutorial, and was this:

  def require_user
    unless current_user
      store_location
      flash[:notice] = "You must be logged in to access this page"
      redirect_to new_user_session_url
      return false
    end
  end

I would think this ignores the format type of the request and so all
authentication requests are dealt with by redirecting to the html page
at new_user_session_url. However, shouldn't XML requests get back a
401 code with WWW-Authenticate header? The client can then respond by
sending the Authorization header with a re-request. Something similar
to this (return false not needed in latest Rails):

  accepts.xml do
    headers["WWW-Authenticate"] = %(Basic realm="Web Password")
    render :text => "Couldn't authenticate you", :status => 401
  end

What I'm confused about, is the best practice for all this. This
thread is suggesting that authentication happens automatically, but
don't we still have to manually code up the different ways to request
authorization, using a require_user filter (or similar)? I found
nothing via grep to indicate that authlogic has code to do this for
us.

Many thanks,
Si

Si

Apr 4, 2009, 6:56:46 AM
to Authlogic
This definitely prompts for basic auth, but isn't authenticating when
the browser provides the Authorization => Basic
Y2FuZGlkYXRlOnBpZW1hbg== header back to the server on re-request.

  def require_user
    unless current_user
      respond_to do |format|
        format.html do
          store_location
          flash[:notice] = "You must be logged in to access this page"
          redirect_to new_user_session_url
        end
        format.any(:xml, :json) do
          request_http_basic_authentication
        end
      end
    end
  end

Si

Apr 4, 2009, 7:08:49 AM
to Authlogic
This seems to work as expected, but I'm not sure how Authlogic is
supposed to be involved in this Basic auth. Any suggestions you can
make Ben would be much appreciated.

  def require_user
    unless current_user
      respond_to do |format|
        format.html do
          store_location
          flash[:notice] = "You must be logged in to access this page"
          redirect_to new_user_session_url
        end
        format.any(:xml, :json) do
          authenticate_or_request_with_http_basic do |username, password|
            u = User.find_by_login(username)
            u && u.valid_password?(password)
          end
        end
      end
    end
  end
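The two pieces discussed in this thread, the env keys Ben lists as the flag that HTTP Basic authentication is being attempted (HTTP_AUTHORIZATION and its X_ and REDIRECT_ variants) and the format-dependent challenge in Si's require_user (a 401 with WWW-Authenticate for XML/JSON clients, a redirect to the login page for browsers), put together as an added example in plain Ruby with no Rails or Authlogic dependency. This is not code from the thread, from Rails or from Authlogic: the account table, salt, login URL and helper names are constructed for illustration, and the salted SHA-256 is a stand-in for the bcrypt the thread mentions.

```ruby
# Added example, not Rails or Authlogic code: Basic-auth extraction from a
# Rack-style env plus a format-aware failure response. Names are illustrative.
require "base64"
require "digest"

# The four env keys the thread lists. Some front-end servers strip
# Authorization and re-expose it under one of the other names, so all are checked.
AUTHORIZATION_KEYS = %w[
  HTTP_AUTHORIZATION
  X-HTTP_AUTHORIZATION
  X_HTTP_AUTHORIZATION
  REDIRECT_X_HTTP_AUTHORIZATION
].freeze

# Constructed account table. Basic auth delivers the raw password, so the
# server verifies it against a stored salted digest rather than keeping plaintext.
SALT = "constructed-salt"
USERS = { "login" => Digest::SHA256.hexdigest(SALT + "password") }.freeze

LOGIN_URL = "/user_session/new" # assumed HTML login page

def authorization_header(env)
  AUTHORIZATION_KEYS.map { |k| env[k] }.compact.first
end

# Returns [login, password] or nil. Splits on the first colon only, because a
# password may itself contain colons.
def basic_credentials(env)
  header = authorization_header(env)
  return nil unless header && (m = header.match(/\ABasic\s+([A-Za-z0-9+\/=]+)\z/))
  decoded = Base64.strict_decode64(m[1]) rescue nil
  return nil unless decoded && decoded.include?(":")
  decoded.split(":", 2)
end

# XOR-accumulate so the comparison does not leak where two digests differ.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def valid_password?(login, password)
  stored = USERS[login]
  return false unless stored
  constant_time_equal?(stored, Digest::SHA256.hexdigest(SALT + password))
end

# XML/JSON clients get a 401 challenge; browsers get the login-page redirect.
def machine_client?(env)
  env["PATH_INFO"].to_s.end_with?(".xml", ".json") ||
    env["HTTP_ACCEPT"].to_s.match?(%r{application/(xml|json)})
end

# Rack-style [status, headers, body].
def require_user(env)
  login, password = basic_credentials(env)
  if login && valid_password?(login, password)
    [200, { "Content-Type" => "text/plain" }, ["authenticated as #{login}"]]
  elsif machine_client?(env)
    [401, { "WWW-Authenticate" => %(Basic realm="Web Password") }, ["Couldn't authenticate you"]]
  else
    [302, { "Location" => LOGIN_URL }, []]
  end
end
```

The header Si quotes above (Basic Y2FuZGlkYXRlOnBpZW1hbg==) decodes through basic_credentials to candidate:pieman, which is not in the constructed table and so gets the 401 on an .xml path; a browser hitting an HTML path without credentials gets the redirect, matching the behaviour Si's require_user aims for.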

Si

Apr 4, 2009, 7:26:00 AM
to Authlogic
This any good? Uses the Authlogic authentication method.

  def require_user
    unless current_user
      respond_to do |format|
        format.html do
          store_location
          flash[:notice] = "You must be logged in to access this page"
          redirect_to new_user_session_url
        end
        format.any(:xml, :json) do
          authenticate_or_request_with_http_basic do |username, password|
            # UserSession#save returns true only if the credentials validate
            @user_session = UserSession.new(:login => username, :password => password)
            @user_session.save
          end
        end
      end
    end
  end

Si

Apr 4, 2009, 8:48:42 AM
to Authlogic
Nice design. I now see that UserSession.find (in application
controller) will pick up the HTTP Basic auth credentials
automatically, and attempt a login.

I got Authlogic::Session::HttpAuth's persist_by_http_auth working
here. It's a bit odd, but using the underlying module code that
authenticate_with_http_basic would have used, results in success:

  ActionController::HttpAuthentication::Basic.authenticate(controller) do |login, password|
    if !login.blank? && !password.blank?
      send("#{login_field}=", login)
      send("#{password_field}=", password)
      return valid?
    end
  end

(am using request_http_basic_authentication to dish out 401s to
clients again, instead of authenticate_or_request_with_http_basic)

Si

Apr 4, 2009, 9:44:10 AM
to Authlogic
Ah,
Authlogic::ControllerAdapters::RailsAdapter.authenticate_with_http_basic
is yielding [nil, nil] to the block, instead of running
ActionController::HttpAuthentication::Basic.authenticate(self,
&block), hence login and password are blank in persist_by_http_auth

Ben Johnson

Apr 4, 2009, 12:50:46 PM
to auth...@googlegroups.com
Update from the repo, I fixed that a while ago.



