Patch to fix broken HTTP Digest Authentication
Reported by José Valim | August 8th, 2009 @ 11:56 AM | in 2.3.4
Current HTTP Digest Authentication does not work with some browser/servers combinations.
For example, Webrick uses the full REQUEST_URI, while a browser like Safari or Firefox only sends the relative_uri. In this case, HTTP Digest won't work.
On the other hand, IE sends the full REQUEST_URI, so it may not work with servers like mongrel or thin.
This patch attempts to make it flexible enough to work with different combinations of servers/browsers, without changing any security rule.
I tested in "real life" with Firefox on Linux on both webrick and thin. It would be nice if some tests were executed with Safari and IE with both servers.
For some guidance, you could follow Ryan Daigle's tutorial to set up: http://ryandaigle.com/articles/2009/1/30/what-s-new-in-edge-rails-h...
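The mismatch the ticket describes, as an added Ruby example (not the patch's code): a client that hashes the relative path fails a check that compares only against the server's absolute REQUEST_URI, while a check that picks the server-side form matching the client's own uri accepts both browser styles yet still rejects a uri that does not belong to the request. Realm, nonce, cnonce, hostname and password are constructed values.

```ruby
require 'digest/md5'

REALM = 'App'   # constructed realm for the example
# Constructed server-side view of one request: the relative path (what thin/mongrel
# style servers expose) and the absolute URL (what a full REQUEST_URI looks like).
REQUEST = { path: '/secret', url: 'http://example.test/secret' }

# RFC 2617 response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
#   HA1 = MD5(username:realm:password), HA2 = MD5(method:uri)
def digest_response(method, uri, c, password)
  ha1 = Digest::MD5.hexdigest([c[:username], c[:realm], password].join(':'))
  ha2 = Digest::MD5.hexdigest([method, uri].join(':'))
  Digest::MD5.hexdigest([ha1, c[:nonce], c[:nc], c[:cnonce], c[:qop], ha2].join(':'))
end

# Simulates a browser building the Authorization header fields for a request,
# hashing over whichever uri form it chooses to send (relative or absolute).
def client_credentials(user, pass, method, uri)
  c = { username: user, realm: REALM, nonce: 'c0nstructedN0nce', nc: '00000001',
        cnonce: 'c0nstructedCn0nce', qop: 'auth', uri: uri }
  c.merge(response: digest_response(method, uri, c, pass))
end

# Strict check: assumes the client hashed exactly the server's REQUEST_URI.
# Breaks whenever browser and server disagree on the uri form.
def valid_strict?(method, request_uri, c, password)
  c[:response] == digest_response(method, request_uri, c, password)
end

# Flexible check: choose the server-side form that corresponds to the form the
# client sent, require it to match, then verify the digest over that uri. The uri
# is still bound to the actual request, so an unrelated uri is rejected.
def valid_flexible?(method, request, c, password)
  canonical = c[:uri].start_with?('/') ? request[:path] : request[:url]
  return false unless c[:uri] == canonical
  c[:response] == digest_response(method, c[:uri], c, password)
end
```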
Comments and changes to this ticket
-
Rizwan Reza August 8th, 2009 @ 06:08 PM
Verified
+1 This patch works in master and 2-3-stable. All tests pass.
-
Steve St. Martin August 8th, 2009 @ 09:20 PM
Verified
-1 This patch does not apply cleanly to master; also, as the poster suggests, it needs real-world testing to ensure tests are sufficient.
-
Rizwan Reza August 8th, 2009 @ 11:05 PM
Clarification: This only works in 2-3-stable.
I will see how Safari and mongrel work with this now.
-
Rizwan Reza August 8th, 2009 @ 11:18 PM
-1 This is not working correctly with Safari. It is not redirecting to the non-authorized page on wrong password input.
-
José Valim August 8th, 2009 @ 11:21 PM
Rizwan, what do you get with wrong password input? It should not redirect anywhere; just confirm that you are getting the proper HTTP status.
-
Elad Meidar August 9th, 2009 @ 04:18 AM
+1 Applies cleanly on 2-3-stable (tests pass), -1 fails on master.
Successfully tested manually on Safari / FF on mongrel; got unauthorized status back.
-
José Valim August 9th, 2009 @ 04:00 PM
- State changed from new to resolved
- Tag changed from 2.x, 3.0, actioncontroller, bugmash to 2.x, 3.0, actioncontroller
-
Repository August 9th, 2009 @ 04:13 PM
(from [2d2216fadb0bb6eb6feebe697d3e7041f7d0d965]) Make http digest work with different server/browser combinations. [#3006 status:resolved]
Signed-off-by: Pratik Naik pratiknaik@gmail.com
http://github.com/rails/rails/commit/2d2216fadb0bb6eb6feebe697d3e70...
Referenced by
- 1848 Patch to fix broken HTTP Digest Authentication I've moved the new ticket to #3006 for bugmash purposes.
- 3006 Patch to fix broken HTTP Digest Authentication (from [2d2216fadb0bb6eb6feebe697d3e7041f7d0d965]) Make ht...