Patch to fix broken HTTP Digest Authentication
Reported by Don Parish | February 2nd, 2009 @ 09:30 PM | in 2.3.4
Found a problem while trying to use http digest authentication at http://ryandaigle.com/articles/2... The digest authentication failed using both IE and FireFox. The current implementation is using the actual URI from the request instead of the URI passed in the authentication header, which is stored in the credentials hash. It seems as if the client is responsible for the URI passed in. It could be an absolute URI, as suggested in http://tools.ietf.org/html/rfc2617, but in every example I've seen only the relative path is used.
With the attached change, the tests pass, and the digest authentication works with my test controller using IE and FireFox on Windows.
Comments and changes to this ticket
-
Don Parish February 2nd, 2009 @ 10:49 PM
- Tag changed from authentication, bug, digest, patch to 2.3, authentication, bug, digest, patch
- Title changed from HTTP Digest Authentication Broken to Patch to fix broken HTTP Digest Authentication
-
DHH February 5th, 2009 @ 07:15 PM
- Assigned user set to Pratik
- Milestone cleared.
-
Don Parish February 5th, 2009 @ 11:09 PM
Updated patch to include test. This patch is also posted at #1230.
-
Repository February 16th, 2009 @ 07:24 PM
- State changed from new to resolved
(from [86d8f922828677e64892c166adf26cd421f0991a]) Fixed http digest authentication to use credentials URI passed from client. [#1848 state:resolved]
Signed-off-by: Pratik Naik pratiknaik@gmail.com http://github.com/rails/rails/co...
-
José Valim July 17th, 2009 @ 04:17 PM
HTTP digest still does not work on Rails master or on v2.3.3 on Firefox.
Apparently, this change got lost on both, although the test is there. But since it still passes, it means that it was not testing the proper thing.
-
Pratik July 18th, 2009 @ 10:38 AM
- Milestone set to 2.3.4
- State changed from resolved to open
-
José Valim July 19th, 2009 @ 10:17 AM
@pratik, here goes the patch.
And we have two problems:
- Some servers, such as WEBrick, give the full URL in REQUEST_URI. If a browser (such as Safari) gives the relative URI in the credentials, HTTP digest won't work.
- And as @donparish said, some browsers can give the full URL in the credentials, which won't match if the server uses the relative URI.
The patch solves both cases by checking if the credential given is a path or a full URI (i.e. if it starts with "/" or not). I've also added tests for each of those combinations.
I tested in "real life" with Firefox on Linux on both WEBrick and thin. It would be nice if some tests were executed with Safari and IE on both servers.
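The check described in the original report and in the comment above, as an added example in plain Ruby; it is not the Rails patch from this ticket or any Rails code. It hashes HA2 with the uri= value the client actually sent (the credentials URI, as the report argues), and compares that value with the server's REQUEST_URI only after reducing both to a path, so the four combinations of relative and absolute forms on either side all agree. The parser, normalizer, constant-time compare and the client-side header builder are assumptions of this example; the known-answer vector is the one from RFC 2617 section 3.5.

```ruby
require 'digest/md5'
require 'uri'

# Added example, not the Rails patch from this ticket. Demonstrates validating
# an HTTP Digest "response" while tolerating the URI-form mismatch discussed
# here: the client may send a path ("/dir/index.html") or an absolute URI
# ("http://host/dir/index.html") in uri=, and the server may see either form
# in REQUEST_URI (WEBrick vs. thin in the comment above).

# Reduce a path or absolute URI to path (plus query) so both sides compare.
def normalize_uri(uri)
  return uri if uri.start_with?('/')
  parsed = URI.parse(uri)
  path = parsed.path.empty? ? '/' : parsed.path
  parsed.query ? "#{path}?#{parsed.query}" : path
end

# Parse the value of an "Authorization: Digest ..." header into a Hash.
# Handles quoted (key="value") and bare (nc=00000001) parameters.
def parse_digest_header(header)
  value = header.sub(/\ADigest\s+/i, '')
  value.scan(/(\w+)=(?:"([^"]*)"|([^\s,]+))/).each_with_object({}) do |(k, quoted, bare), h|
    h[k] = quoted || bare
  end
end

def md5(str)
  Digest::MD5.hexdigest(str)
end

# RFC 2617 response computation. HA2 uses creds['uri'], the client's value,
# because that is what the client hashed; using REQUEST_URI here is the bug.
def expected_response(creds, http_method, password)
  ha1 = md5("#{creds['username']}:#{creds['realm']}:#{password}")
  ha2 = md5("#{http_method}:#{creds['uri']}")
  if creds['qop']
    md5([ha1, creds['nonce'], creds['nc'], creds['cnonce'], creds['qop'], ha2].join(':'))
  else
    md5([ha1, creds['nonce'], ha2].join(':'))
  end
end

# Server-side check. request_uri is what the server saw (REQUEST_URI).
def digest_valid?(header, http_method, request_uri, password)
  creds = parse_digest_header(header)
  return false unless creds['uri'] && creds['response']
  # The client must be authenticating for the resource actually requested.
  return false unless normalize_uri(creds['uri']) == normalize_uri(request_uri)
  expected = expected_response(creds, http_method, password)
  # Constant-time comparison of the two hex digests.
  expected.bytesize == creds['response'].bytesize &&
    expected.bytes.zip(creds['response'].bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Client-side helper (assumed, for the example) so headers can be built with
# either URI form, mimicking browsers that send the absolute URI.
def build_digest_header(username:, realm:, password:, nonce:, uri:, http_method:,
                        cnonce: '0a4f113b', nc: '00000001')
  creds = { 'username' => username, 'realm' => realm, 'nonce' => nonce, 'uri' => uri,
            'qop' => 'auth', 'nc' => nc, 'cnonce' => cnonce }
  creds['response'] = expected_response(creds, http_method, password)
  %(Digest username="#{username}", realm="#{realm}", nonce="#{nonce}", uri="#{uri}", ) +
    %(qop=auth, nc=#{nc}, cnonce="#{cnonce}", response="#{creds['response']}")
end

# Known-answer vector from RFC 2617 section 3.5 (password "Circle Of Life").
RFC2617_HEADER = 'Digest username="Mufasa", realm="testrealm@host.com", ' \
                 'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", ' \
                 'qop=auth, nc=00000001, cnonce="0a4f113b", ' \
                 'response="6629fae49393a05397450978507c4ef1", ' \
                 'opaque="5ccc069c403ebaf9f0171e9517f40e41"'

if __FILE__ == $PROGRAM_NAME
  # Same header validated against a relative and an absolute REQUEST_URI.
  puts digest_valid?(RFC2617_HEADER, 'GET', '/dir/index.html', 'Circle Of Life')
  puts digest_valid?(RFC2617_HEADER, 'GET', 'http://www.nowhere.org/dir/index.html', 'Circle Of Life')
end
```

The two checks are deliberately separate: the path comparison decides whether the credentials belong to this request at all, while the digest itself must be recomputed over the exact string the client put in uri=, or a correct client is rejected as soon as the two sides disagree on the form.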
-
José Valim July 19th, 2009 @ 10:20 AM
Apparently the problem with S3 and Lighthouse is not yet fixed.
Here is the patch: http://pastie.org/551062
-
José Valim August 8th, 2009 @ 11:57 AM
- State changed from open to resolved
I've moved the new ticket to #3006 for bugmash purposes.
Tickets have moved to GitHub. The new ticket tracker is available at https://github.com/rails/rails/issues
Referenced by
- 1848 Patch to fix broken HTTP Digest Authentication (from [86d8f922828677e64892c166adf26cd421f0991a]) Fixed h...
- 2000 Patch for HTTP Digest Authentication URI comparison This patch better implements the fix I made in #1848.