HTTP Digest Authentication PUT DELETE problem. Bug?

greq

Mar 19, 2009, 6:47:53 PM
to Ruby on Rails: Talk
Hi all,

I've got a problem with HTTP Digest Authentication after upgrading
Rails to 2.3.2.
It seems that it is broken for the PUT and DELETE request methods.
Here is what I did:
1. Generated a new Rails app in Rails 2.3.2
2. Added a sample scaffold model Post name:string
3. Added a simple HTTP Digest Authentication filter to the application
controller:

|----------------code----------------- |
# login => plaintext password
USERS = { 'lifo' => 'world', 'pretty' => 'please', 'a' => 'b' }

before_filter :digest_authenticate

def digest_authenticate
  # The block returns the password for the given login (nil if unknown)
  authenticate_or_request_with_http_digest do |login|
    USERS[login]
  end
end
|---------------- code -----------------|


It works fine for the index, new, create and show actions, but for destroy
(DELETE) and update (PUT) the htaccess popup appears and doesn't allow me to
update or delete (of course I put in the correct login/password data :))

Have you also got a problem with this?
I've reviewed the action_pack source code and it seems that in lines:
http://github.com/rails/rails/blob/18eb80ccc7e932f9a6c00462ceaeea648631b120/actionpack/lib/action_controller/http_authentication.rb(197,198)

expected = expected_response(request.env['REQUEST_METHOD'], request.env['REQUEST_URI'],
                             credentials, password, password_is_ha1)
expected == credentials[:response]

there are different values generated for the PUT and DELETE request
methods.

Regards

Grzesiek F.

Scott Ahten

Mar 27, 2009, 4:51:10 PM
to Ruby on Rails: Talk
I've run into the same problem. GET and POST work fine, but PUT and
DELETE repeatedly ask for login information and never succeed.

Steve Madsen

Apr 15, 2009, 9:24:40 AM
to Ruby on Rails: Talk
This is a bug in Rails 2.3.2. I've created a Lighthouse ticket for it
(#2490) and created a patch that fixes it. It will probably help get
the fix into a release if others acknowledge the problem and can
verify my patch fixes it for them.

https://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/2490-http-digest-auth-uses-wrong-request-method-for-put-delete#ticket-2490-1
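
Why a request-method mismatch produces the endless login prompt described in this thread, as an added example that is not part of the thread or of Rails: the RFC 2617 digest response covers the request method, so a server that recomputes it with a different method than the client signed always rejects. The helper names, the sample credentials and realm, and the assumption that the client signed the request as POST while the server sees DELETE are constructed for illustration.

```ruby
require 'digest/md5'

# RFC 2617 digest response for qop=auth:
#   HA1 = MD5(user:realm:password), HA2 = MD5(method:uri)
#   response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
def digest_response(method, uri, creds, password)
  ha1 = Digest::MD5.hexdigest([creds[:username], creds[:realm], password].join(':'))
  ha2 = Digest::MD5.hexdigest([method.to_s.upcase, uri].join(':'))
  Digest::MD5.hexdigest(
    [ha1, creds[:nonce], creds[:nc], creds[:cnonce], creds[:qop], ha2].join(':')
  )
end

# Compare without stopping at the first differing byte, so the check
# does not reveal how much of the response matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Server-side check: recompute the response with the method the server
# believes the request used and compare it with what the client sent.
def valid_digest?(server_method, uri, creds, password)
  secure_equal?(digest_response(server_method, uri, creds, password), creds[:response])
end

# Constructed sample values (not captured from real traffic).
SAMPLE_PASSWORD = 'world'

def sample_credentials(signed_method, uri)
  creds = {
    username: 'lifo', realm: 'Application', nonce: 'constructed-nonce',
    nc: '00000001', cnonce: 'constructed-cnonce', qop: 'auth'
  }
  creds.merge(response: digest_response(signed_method, uri, creds, SAMPLE_PASSWORD))
end

# Assumption: the client signed the request as POST (for example a form
# carrying a method override) while the server treats it as DELETE.
def mismatch_demo
  creds = sample_credentials('POST', '/posts/1')
  { verified_as_delete: valid_digest?('DELETE', '/posts/1', creds, SAMPLE_PASSWORD),
    verified_as_post:   valid_digest?('POST', '/posts/1', creds, SAMPLE_PASSWORD) }
end

p mismatch_demo if __FILE__ == $PROGRAM_NAME
```

With correct credentials the check still fails whenever the two sides disagree on the method, which matches the symptom of a prompt that never accepts the login.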