Re: [Wtr-general] simple solution for basic authentication
> > It still might be interesting to prove that Win32::IE::Mechanize > > doesn't work on Chris' site. > > > This was what i was digging to get from you (Namely a specific request > for what additional research you wanted to see). I agree that this would > be interesting. I misunderstood. I did indeed read WWW::Mechanize for IE::Mechanize. -Chris ___ Wtr-general mailing list Wtr-general@rubyforge.org http://rubyforge.org/mailman/listinfo/wtr-general
Re: [Wtr-general] simple solution for basic authentication
Danny R. Faught wrote: >>> Maybe doing the GUI automation isn't such a bad solution. But let's >>> see if IE gives us this password setting mechanism before we give up. >>> >>> >> How would we do this? I feel like i've already done this, but i'm not >> quite sure if you have something specific in mind. >> > > You mean GUI automation? No. What i meant was i thought we'd already investigated whether IE gives us a decent password setting mechanism. (It seems like it doesn't.) I agree that Watir lacks a reliable solution to the general problem. It seems like we will have to go with way of directly handling the password pop ups. > It still might be interesting to prove that Win32::IE::Mechanize > doesn't work on Chris' site. > This was what i was digging to get from you (Namely a specific request for what additional research you wanted to see). I agree that this would be interesting. Bret ___ Wtr-general mailing list Wtr-general@rubyforge.org http://rubyforge.org/mailman/listinfo/wtr-general
Re: [Wtr-general] simple solution for basic authentication
Chris McMahon wrote: >> Given the conclusion about how IE's navigate method is flawed means that >> the authentication in Win32::IE::Mechanize is also broken for pages that >> contain elements that are protected by authentication. >> > > This is not true. Mechanize authenticates fine-- Mech itself is a > useragent and has nothing to do with IE. (I've got Mechanize scripts > that authenticate nicely automatically every night.) > I think we have some crossed wires here. One person is talking about IE::Mechanize (a browser driver, like Watir) and the other is talking about Mechanize (a protocol driver). ___ Wtr-general mailing list Wtr-general@rubyforge.org http://rubyforge.org/mailman/listinfo/wtr-general
Re: [Wtr-general] simple solution for basic authentication
On 8/4/06, Danny R. Faught <[EMAIL PROTECTED]> wrote: > One person I talked to recently hypothesized that IE intentionally makes it > difficult to automate the authentication dialog in order to discourage > hackers from using a brute force attack to crack passwords. Seems silly now > that most authentication is done within an easily automatable html form. Basic Authentication isn't really about security, though. The user/pass are trivially encrypted and very easy to sniff. It's more of a "are you sure you need to be here" gateway. -Chris ___ Wtr-general mailing list Wtr-general@rubyforge.org http://rubyforge.org/mailman/listinfo/wtr-general
Re: [Wtr-general] simple solution for basic authentication
One person I talked to recently hypothesized that IE intentionally makes it difficult to automate the authentication dialog in order to discourage hackers from using a brute force attack to crack passwords. Seems silly now that most authentication is done within an easily automatable html form. Reminds me of the Unix passwd utility, which requires a specialized tool to automate, since it doesn't work with simple input redirection. If only with IE it were as simple as running an "expect" script. :-) -- Danny R. Faught Tejas Software Consulting http://tejasconsulting.com/ ___ Wtr-general mailing list Wtr-general@rubyforge.org http://rubyforge.org/mailman/listinfo/wtr-general
Re: [Wtr-general] simple solution for basic authentication
> Given the conclusion about how IE's navigate method is flawed means that > the authentication in Win32::IE::Mechanize is also broken for pages that > contain elements that are protected by authentication. This is not true. Mechanize authenticates fine-- Mech itself is a useragent and has nothing to do with IE. (I've got Mechanize scripts that authenticate nicely automatically every night.) The issue seems to be how Watir goes about instructing IE to handle pages protected by Basic Auth. Or else the issue is how IE does or does not handle Auth requests from drivers (NOT useragents) like Watir. I lean toward the bug-in-IE theory, but I don't have proof to back that up. Crank up a proxy like tcptrace and watch the traffic for some of these transactions. BTW, I prefer Win32::GuiTest to AutoIT, but I usually just avoid dealing with popups at all if I can help it. -Chris ___ Wtr-general mailing list Wtr-general@rubyforge.org http://rubyforge.org/mailman/listinfo/wtr-general
Re: [Wtr-general] simple solution for basic authentication
>> Maybe doing the GUI automation isn't such a bad solution. But let's >> see if IE gives us this password setting mechanism before we give up. >> >How would we do this? I feel like i've already done this, but i'm not >quite sure if you have something specific in mind. You mean GUI automation? I've seen discussions on this list about a couple of different tools for generic GUI automation, including AutoIT. I haven't explored them myself, though I've heard good things about AutoIT. I have looked at Samie and saw that it has some code that uses Perl's Win32::GuiTest library to deal with this dialog, though the code in Samie that calls it needs a lot more work in order to be productized. Given the conclusion about how IE's navigate method is flawed means that the authentication in Win32::IE::Mechanize is also broken for pages that contain elements that are protected by authentication. It looks like this authentication code was copied from LWP::UserAgent, which gives the user control over each individual element because it's not a browser-based library, and thus wouldn't necessily have the problem. It still might be interesting to prove that Win32::IE::Mechanize doesn't work on Chris' site. -Danny ___ Wtr-general mailing list Wtr-general@rubyforge.org http://rubyforge.org/mailman/listinfo/wtr-general
Re: [Wtr-general] simple solution for basic authentication
Thanks to Danny and Chris for the research on this topic. Danny R. Faught wrote: > Maybe doing the GUI automation isn't such a bad solution. But let's > see if IE gives us this password setting mechanism before we give up. > How would we do this? I feel like i've already done this, but i'm not quite sure if you have something specific in mind. Bret ___ Wtr-general mailing list Wtr-general@rubyforge.org http://rubyforge.org/mailman/listinfo/wtr-general
Re: [Wtr-general] simple solution for basic authentication
On 8/3/06, Bret Pettichord <[EMAIL PROTECTED]> wrote: > Did we get any closure on this issue? Danny? Has any one else confirmed > Chris's results? My working hypothesis is that Danny's server only has Basic Auth in place for the first outer document presented to the user, while my server has Basic Auth in place for every document on the server. Therefore the goto() hack works for Danny by accident, but I showed that goto() does not and will not emulate IE behavior when the user actually fills in a Basic Auth popup manually. The description of the behavior on my blog page still holds: http://chrismcmahonsblog.blogspot.com/2006/05/internet-explorer-basic-authorization.html So it's a nice hack to know about if you have Basic Auth in place for only one document, but it won't Do What You Mean if you stick it in Watir generally. -Chris ___ Wtr-general mailing list Wtr-general@rubyforge.org http://rubyforge.org/mailman/listinfo/wtr-general
Re: [Wtr-general] simple solution for basic authentication
Did we get any closure on this issue? Danny? Has any one else confirmed Chris's results?BretOn 7/31/06, Chris McMahon < [EMAIL PROTECTED]> wrote:> This is working for a site that's a huge mess of nested frames plus a > swarm of small js, image, and css files, etc. I noticed that you> hardcoded the base64 encoding of the credentials. Did you try to do it> by doing the encoding on the fly?Didn't try that, I didn't think it would have an effect. I'll go back and try again. And this works on all your frames and links? Myexperience was that the outer page was OK, but the credentials didn'tallow access to other aspects of the page, like frames and links.-Chris ___Wtr-general mailing listWtr-general@rubyforge.orghttp://rubyforge.org/mailman/listinfo/wtr-general ___ Wtr-general mailing list Wtr-general@rubyforge.org http://rubyforge.org/mailman/listinfo/wtr-general
Re: [Wtr-general] simple solution for basic authentication
>> To productize it, I'd recommending adding a credentials method like >> Win32::IE::Mechanize uses. > >I don't understand the $realm argument in this API. Can you explain? Could >we drop it? The realm is described here - http://httpd.apache.org/docs/1.3/howto/auth.html. It corresponds to the AuthName element of the .htaccess file, and the realm is shown in the login dialog in the browser (in IE 6, it's just above the User name field). I suppose the realm can be used to designate different login accounts for different areas of a web site. For a thorough implementation, Watir should track the realm like Win32::IE::Mechanize does, which only adds a small amount of complexity. Now that I think about it, I'm not sure how the browser knows whether each new URL request is within the same realm or not. However, since the realm matching seems to occur only on the client side, a quick and dirty implementation that ignores the realm (like my sample code does) would work for the most common cases where only one login is required for a site. -Danny ___ Wtr-general mailing list Wtr-general@rubyforge.org http://rubyforge.org/mailman/listinfo/wtr-general
Re: [Wtr-general] simple solution for basic authentication
On 7/31/06, Danny R. Faught <[EMAIL PROTECTED]> wrote: To productize it, I'd recommending adding a credentials method likeWin32::IE::Mechanize uses.I don't understand the $realm argument in this API. Can you explain? Could we drop it?Bret ___ Wtr-general mailing list Wtr-general@rubyforge.org http://rubyforge.org/mailman/listinfo/wtr-general
Re: [Wtr-general] simple solution for basic authentication
On 7/31/06, Bret Pettichord <[EMAIL PROTECTED]> wrote: > On 7/31/06, Danny R. Faught <[EMAIL PROTECTED]> wrote: > > > To productize it, I'd recommending adding a credentials method like > > Win32::IE::Mechanize uses. > > > I don't understand the $realm argument in this API. Can you explain? Could > we drop it? "realm" is the value of the message presented to the user on the popup. The value is widely disregarded as an actual means of authorization, but it's still part of the spec. -Chris ___ Wtr-general mailing list Wtr-general@rubyforge.org http://rubyforge.org/mailman/listinfo/wtr-general
Re: [Wtr-general] simple solution for basic authentication
On 7/31/06, Danny R. Faught <[EMAIL PROTECTED]> wrote: To productize it, I'd recommending adding a credentials method likeWin32::IE::Mechanize uses.I don't understand the $realm argument in this API. Can you explain? Could we drop it?Bret ___ Wtr-general mailing list Wtr-general@rubyforge.org http://rubyforge.org/mailman/listinfo/wtr-general
Re: [Wtr-general] simple solution for basic authentication
Chris,Could you or someone else verify whether Danny's suggestion avoids the problems you mention?If it works, i would very much like to add this to Watir.Bret On 7/31/06, Chris McMahon <[EMAIL PROTECTED]> wrote: > This is working for a site that's a huge mess of nested frames plus a> swarm of small js, image, and css files, etc. I noticed that you> hardcoded the base64 encoding of the credentials. Did you try to do it > by doing the encoding on the fly?Didn't try that, I didn't think it would have an effect. I'll go backand try again. And this works on all your frames and links? Myexperience was that the outer page was OK, but the credentials didn't allow access to other aspects of the page, like frames and links.-Chris___Wtr-general mailing listWtr-general@rubyforge.org http://rubyforge.org/mailman/listinfo/wtr-general ___ Wtr-general mailing list Wtr-general@rubyforge.org http://rubyforge.org/mailman/listinfo/wtr-general
Re: [Wtr-general] simple solution for basic authentication
> This is working for a site that's a huge mess of nested frames plus a > swarm of small js, image, and css files, etc. I noticed that you > hardcoded the base64 encoding of the credentials. Did you try to do it > by doing the encoding on the fly? Didn't try that, I didn't think it would have an effect. I'll go back and try again. And this works on all your frames and links? My experience was that the outer page was OK, but the credentials didn't allow access to other aspects of the page, like frames and links. -Chris ___ Wtr-general mailing list Wtr-general@rubyforge.org http://rubyforge.org/mailman/listinfo/wtr-general
Re: [Wtr-general] simple solution for basic authentication
> I tried and failed, but I thought my problem was in the way IE handled the data. I'd love to be proven wrong: It works for me, hacking watir.rb with hardcoded credentials like so - def goto( url ) user = "username" pass = "password" auth = "Authorization: Basic " + Base64.encode64(user + ":" + pass) + "\015\012" @ie.navigate(url, nil, nil, nil, auth) wait() sleep 0.2 return @down_load_time end I added a "require 'base64'" near the top. This is working for a site that's a huge mess of nested frames plus a swarm of small js, image, and css files, etc. I noticed that you hardcoded the base64 encoding of the credentials. Did you try to do it by doing the encoding on the fly? To productize it, I'd recommending adding a credentials method like Win32::IE::Mechanize uses. -Danny ___ Wtr-general mailing list Wtr-general@rubyforge.org http://rubyforge.org/mailman/listinfo/wtr-general
Re: [Wtr-general] simple solution for basic authentication
> Has anyone else tried to implement this with Watir? If not I may try it > myself. Here's the core of it in IE::Mechanize where it formulates the > Authorization header, really simple stuff: > > sub __authorization_basic { > my( $user, $pass ) = @_; > defined $user && defined $pass or return; > > require MIME::Base64; > return "Authorization: Basic " . >MIME::Base64::encode_base64( "$user:$pass" ) . >"\015\012"; > } I tried and failed, but I thought my problem was in the way IE handled the data. I'd love to be proven wrong: http://chrismcmahonsblog.blogspot.com/2006/05/internet-explorer-basic-authorization.html ___ Wtr-general mailing list Wtr-general@rubyforge.org http://rubyforge.org/mailman/listinfo/wtr-general
Re: [Wtr-general] simple solution for basic authentication
I think I saw some chatter on this a couple months back -- check the archives in early May or do a search for Authentication. http://www.mail-archive.com/wtr-general%40rubyforge.org/ > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Danny > R. Faught > Sent: Friday, July 28, 2006 3:34 PM > To: wtr-general@rubyforge.org > Subject: [Wtr-general] simple solution for basic authentication > > Howdy folks. I find myself on a project where I want to use > a browser-based test tool to record client-side performance metrics. > After playing with several such tools again, Watir again > emerged as the tool that I was first able to get a working > script with. > > But along the way, I noticed with some amazement that Perl's > Win32::IE::Mechanize module was able to handle the basic HTTP > authentication that gives so many people headaches with other > tools. It doesn't do it by automating the dialog asking for > the login information, but rather it prevents the dialog from > appearing by submitting the credentials right from the > beginning. That means it makes one fewer transaction with > the web server (avoiding the first request that gets a 401 > response), but perhaps I can live with that. > > Has anyone else tried to implement this with Watir? If not I > may try it myself. Here's the core of it in IE::Mechanize > where it formulates the Authorization header, really simple stuff: > > sub __authorization_basic { > my( $user, $pass ) = @_; > defined $user && defined $pass or return; > > require MIME::Base64; > return "Authorization: Basic " . >MIME::Base64::encode_base64( "$user:$pass" ) . >"\015\012"; > } > ___ > Wtr-general mailing list > Wtr-general@rubyforge.org > http://rubyforge.org/mailman/listinfo/wtr-general > The content contained in this electronic message is not intended to constitute formation of a contract binding TWTC. TWTC will be contractually bound only upon execution, by an authorized officer, of a contract including agreed terms and conditions or by express application of its tariffs. This message is intended only for the use of the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the sender of this E-Mail or by telephone. ___ Wtr-general mailing list Wtr-general@rubyforge.org http://rubyforge.org/mailman/listinfo/wtr-general
[Wtr-general] simple solution for basic authentication
Howdy folks. I find myself on a project where I want to use a browser-based test tool to record client-side performance metrics. After playing with several such tools again, Watir again emerged as the tool that I was first able to get a working script with. But along the way, I noticed with some amazement that Perl's Win32::IE::Mechanize module was able to handle the basic HTTP authentication that gives so many people headaches with other tools. It doesn't do it by automating the dialog asking for the login information, but rather it prevents the dialog from appearing by submitting the credentials right from the beginning. That means it makes one fewer transaction with the web server (avoiding the first request that gets a 401 response), but perhaps I can live with that. Has anyone else tried to implement this with Watir? If not I may try it myself. Here's the core of it in IE::Mechanize where it formulates the Authorization header, really simple stuff: sub __authorization_basic { my( $user, $pass ) = @_; defined $user && defined $pass or return; require MIME::Base64; return "Authorization: Basic " . MIME::Base64::encode_base64( "$user:$pass" ) . "\015\012"; } ___ Wtr-general mailing list Wtr-general@rubyforge.org http://rubyforge.org/mailman/listinfo/wtr-general