Re: how to encrypt the password/login for the blog.rb example?
2008/2/25, Albert Ng [EMAIL PROTECTED]:
> I'll keep that in mind. As an aside, using this gem, how would I go about changing the user without closing the browser or raising «Unauthorized»? That last pops up a log-in window that can't authorize (have to press escape).

There is no perfect solution. Here is what I use in jQuery:

    // idea from : http://nanodocumet.homedns.org/rest/
    $('#header A.disconnect').click(function() {
      try {
        if ($.browser.msie) {
          // IE: clear the cached HTTP Authentication credentials
          document.execCommand("ClearAuthenticationCache");
        } else {
          // other browsers: overwrite the cached credentials with a
          // deliberately bad logout:logout pair, then drop the request
          var xhr = new XMLHttpRequest();
          xhr.open("GET", "/logout", true, "logout", "logout");
          xhr.send(null);
          xhr.abort();
        }
      } catch(e) { error(e) }
    });

* the /logout url should respond Unauthorized for the logout:logout credential
* the xhr.open is called with async to true, otherwise the browser shows the login window

--
Cheers,
Jonas
___
Camping-list mailing list
Camping-list@rubyforge.org
http://rubyforge.org/mailman/listinfo/camping-list
Re: how to encrypt the password/login for the blog.rb example?
On Feb 23, 2008, at 7:10 PM, Brendan Taylor wrote:
> I've attached a module for doing digest auth with Camping. It uses the httpauth gem.

You have to take care when using httpauth because it doesn't do any internal validation of the digest authorization request, so I think it might be vulnerable to replay attacks or something.

Manfred
Re: how to encrypt the password/login for the blog.rb example?
On Feb 25, 2008, at 2:21 PM, Albert Ng wrote:
> I'll keep that in mind. As an aside, using this gem, how would I go about changing the user without closing the browser or raising «Unauthorized»? That last pops up a log-in window that can't authorize (have to press escape).

You can't. Browsers really really really should include a logout button, and they don't. File bugs with me!
Re: how to encrypt the password/login for the blog.rb example?
On Mon, Feb 25, 2008 at 6:24 PM, Aria Stewart [EMAIL PROTECTED] wrote:
> On Feb 25, 2008, at 2:21 PM, Albert Ng wrote:
> > I'll keep that in mind. As an aside, using this gem, how would I go about changing the user without closing the browser or raising «Unauthorized»? That last pops up a log-in window that can't authorize (have to press escape).
>
> You can't. Browsers really really really should include a logout button, and they don't. File bugs with me!

:) After cursing at @state, wondering why it wasn't saving before I «raise Unauthorized» (for 3 hours *rolleyes*), I've finally gotten the expected behavior by creating a «Loginstate» table that belongs to «User», calling save explicitly, and working some logic with that. It's horribly expensive on the database, but it's ok for my purposes, because the app is only accessible locally.

Another thing is that I changed password_for_user to record_for_user, as I'm using @user for an AR record, and the gem kept turning it into a string :P

P.S. http://code.whytheluckystiff.net/camping/ticket/129 is very annoying, they changed mongrel/camping again (for the worse)

    module Ctd::Models
      # one row per user; assumes User declares has_one :loginstate,
      # which is what user.loginstate and user.create_loginstate below need
      class Loginstate < Base
        belongs_to :user
      end
    end

    ---

    create_table :ctd_loginstates do |t|
      t.column :user_id, :integer, :null => false
      t.column :reauthenticate, :boolean, :default => false
    end

    user.create_loginstate

    ---

    module Ctd::Controllers
      # flags the current user's row so the next request is refused once,
      # which makes the browser show the login window again
      class CloseSession
        def get
          authenticate
          @user.loginstate.reauthenticate = true
          @user.loginstate.save
          redirect R(Index)
        end
      end
    end

    ---

    module Ctd
      include Camping::DigestAuth
      REALM = 'ctd'
      module_function

      # returns the User record instead of a password string
      def record_for_user(username)
        user = Models::User.find(:first, :conditions => ['username = ?', username])
        user = Models::User.find(:first, :conditions => ['username = ?', 'dummy']) unless user
        if user && user.loginstate.reauthenticate
          # clear the flag first, so only this one request is refused
          user.loginstate.reauthenticate = false
          user.loginstate.save
          raise Unauthorized
        end
        user
      end
    end
Re: how to encrypt the password/login for the blog.rb example?
On Fri, Feb 22, 2008 at 07:39:59PM +0100, Manfred Stienstra wrote:
> On Feb 22, 2008, at 7:28 PM, Albert Ng wrote:
> > looking at the blog.rb example, I see a very nice example of authentication, but the username/password is transmitted in clear text form. My question then is, is there an easy way of encrypting that information?
>
> Well, the easiest way is to do logins over SSL. A second option could be HTTP Digest Authentication, but browser support for that is flaky to say the least.

I've been using Digest myself, can't say I've run into any problems with browser support. Browser UI for it isn't great, of course.

I've attached a module for doing digest auth with Camping. It uses the httpauth gem. Use it something like this:

    Camping.goes :Foo

    module Foo
      include Camping::DigestAuth
      REALM = 'foo'
      module_function

      def password_for_user(username)
        # returns the correct password for user username
        # or nil if the user doesn't exist
      end
    end

At the beginning of every controller method you want to be authenticated, call the 'authenticate' method.

    require 'httpauth'

    module Camping
      module DigestAuth
        include HTTPAuth::Digest

        class Unauthorized < RuntimeError; end

        # call this at the start of methods that require authentication
        def authenticate
          raise Unauthorized unless @user
        end

        def service(*a)
          # the app module (e.g. Foo) is the outermost namespace of this controller
          app = Kernel.const_get(self.class.name.gsub(/^(\w+)::.+$/, '\1'))
          auth_h = @env['HTTP_AUTHORIZATION']
          begin
            if auth_h
              credentials = Credentials.from_header(auth_h)
              user = credentials.h[:username]
              begin
                pass = app.password_for_user(user)
              rescue NameError
                raise "define #password_for_user on your app module"
              end
              if pass and credentials.validate(:password => pass, :method => @method.upcase)
                @user = user
                auth_info = AuthenticationInfo.from_credentials credentials
                @headers['Authentication-Info'] = auth_info.to_header
              end
            end
          rescue HTTPAuth::UnwellformedHeader
            # they probably sent eg. a Basic Authenticate header
            # just ignore it instead of exploding
          end
          super(*a)
        rescue Unauthorized
          @status = 401
          challenge = Challenge.new :realm => app::REALM, :qop => ['auth']
          @headers['WWW-Authenticate'] = challenge.to_header
          @body = authentication_failed
          self
        end

        # override this for a nicer error message
        def authentication_failed
          @headers['Content-Type'] = 'text/plain'
          'you are not authorized.'
        end
      end
    end
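An added example, not code from this thread or from the httpauth gem, showing the server-side nonce checks that Manfred's replay concern earlier in the thread points at and that the module above leaves entirely to `credentials.validate`: the server mints and expires its own nonces, a nonce-count may only increase, and the qop=auth response is recomputed with stdlib MD5 before it is compared. DigestNonceStore, digest_response and digest_authorized? are my own names, and the creds hash stands in for a parsed Authorization header.

```ruby
require 'digest/md5'
require 'openssl'

# Added example, not from the thread or the httpauth gem. Nonces are minted as
# base64("timestamp:HMAC(secret, timestamp)") (RFC 2617 s3.2.1), expire after
# ttl seconds, and each nonce-count (nc) must exceed the last one accepted for
# that nonce, so a captured Authorization header cannot simply be resent.
class DigestNonceStore
  def initialize(secret, ttl = 300)
    @secret, @ttl = secret, ttl
    @seen = {} # nonce => highest nc accepted so far
  end
  def issue(now = Time.now.to_i)
    stamp = now.to_s
    ["#{stamp}:#{mac_for(stamp)}"].pack('m0')
  end

  # True only for a nonce we issued, still within ttl, carrying a fresh nc.
  def accept?(nonce, nc_hex, now = Time.now.to_i)
    stamp, mac = nonce.to_s.unpack('m').first.split(':', 2)
    return false unless stamp && mac && constant_equal?(mac, mac_for(stamp))
    return false if now - stamp.to_i > @ttl
    nc = nc_hex.to_i(16)
    return false if nc <= (@seen[nonce] || 0) # replayed or reordered request
    @seen[nonce] = nc
    true
  end
  def mac_for(stamp)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, stamp)
  end
  def constant_equal?(a, b) # no early exit, so the MAC check does not leak timing
    a.bytesize == b.bytesize &&
      a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:auth:HA2).
def digest_response(user, realm, password, method, uri, nonce, nc, cnonce)
  ha1 = Digest::MD5.hexdigest("#{user}:#{realm}:#{password}")
  ha2 = Digest::MD5.hexdigest("#{method}:#{uri}")
  Digest::MD5.hexdigest("#{ha1}:#{nonce}:#{nc}:#{cnonce}:auth:#{ha2}")
end
# What the module's bare `credentials.validate` step should become: check the
# nonce first, then the password-derived response (creds: parsed header hash).
def digest_authorized?(store, creds, password, method, now = Time.now.to_i)
  return false unless store.accept?(creds[:nonce], creds[:nc], now)
  digest_response(creds[:username], creds[:realm], password, method, creds[:uri],
                  creds[:nonce], creds[:nc], creds[:cnonce]) == creds[:response]
end
```

The store is per-process memory, so behind several Camping processes the seen-nc table would have to live in something shared, or a replay could be accepted by a process that never saw the first request.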
Re: how to encrypt the password/login for the blog.rb example?
On Feb 22, 2008, at 7:28 PM, Albert Ng wrote:
> looking at the blog.rb example, I see a very nice example of authentication, but the username/password is transmitted in clear text form. My question then is, is there an easy way of encrypting that information?

Well, the easiest way is to do logins over SSL. A second option could be HTTP Digest Authentication, but browser support for that is flaky to say the least. You can try digest auth, it's in Apache and probably in other webservers.

> If not, will I have to go the https way with apache, or is there a ruby http server that can do that?

WEBrick can do SSL, see http://www.webrick.org/

Manfred