phil
2009-Jan-13 09:28 UTC
posting to rails app from another process - authenticity problems
Hi,

I am trying to post some data to our existing Rails application from a separate Java application. I am running into the problem of not having a valid authenticity token. How can I get around this?
The Java app is not totally under our control so I don't think I can add stuff like session handling to it (and I shouldn't have to!).

Anyone have experience with this?

Thanks!

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
Simon Macneall
2009-Jan-13 10:05 UTC
Re: posting to rails app from another process - authenticity problems
Hi,

Put protect_from_forgery :except => :index at the top of your controller, where :index is your action.

Cheers
Simon

On Tue, 13 Jan 2009 18:28:28 +0900, phil <phil-o0Q4Q1ys/oVBDgjK7y7TUQ@public.gmane.org> wrote:
>
> Hi,
> I am trying to post some data to our existing Rails application from a
> separate Java application. I am running into the problem of not having
> a valid authenticity token. How can I get around this?
> The Java app is not totally under our control so I don't think I can
> add stuff like session handling to it (and I shouldn't have to!).
>
> Anyone have experience with this?
>
> Thanks!
phil
2009-Jan-13 11:08 UTC
Re: posting to rails app from another process - authenticity problems
isn't that a security hole?
Is there a way around this with some sort of authentication on the method? (http basic for instance)?
Could I do what you suggest but then also code the method to use that?

Sorry - this kind of thing is new to me!

On Jan 13, 11:05 am, "Simon Macneall" <macne...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Hi,
>
> Put protect_from_forgery :except => :index at the top of your controller,
> where :index is your action.
>
> Cheers
> Simon
>
> On Tue, 13 Jan 2009 18:28:28 +0900, phil <p...-o0Q4Q1ys/oVBDgjK7y7TUQ@public.gmane.org> wrote:
>
> > Hi,
> > I am trying to post some data to our existing Rails application from a
> > separate Java application. I am running into the problem of not having
> > a valid authenticity token. How can I get around this?
> > The Java app is not totally under our control so I don't think I can
> > add stuff like session handling to it (and I shouldn't have to!).
>
> > Anyone have experience with this?
>
> > Thanks!
Frederick Cheung
2009-Jan-13 12:16 UTC
Re: posting to rails app from another process - authenticity problems
On 13 Jan 2009, at 11:08, phil wrote:
>
> isn't that a security hole?
> Is there a way around this with some sort of authentication on the
> method? (http basic for instance)?
> Could I do what you suggest but then also code the method to use that?
>

You're not going to want to have crsf tokens and what not for an api. It doesn't make any sense. Use http basic, restrict it to requests from the internal network, use api tokens etc... etc...
The world is your oyster.

Fred

> Sorry - this kind of thing is new to me!
>
> On Jan 13, 11:05 am, "Simon Macneall" <macne...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>> Hi,
>>
>> Put protect_from_forgery :except => :index at the top of your
>> controller,
>> where :index is your action.
>>
>> Cheers
>> Simon
>>
>> On Tue, 13 Jan 2009 18:28:28 +0900, phil <p...-o0Q4Q1ys/oVBDgjK7y7TUQ@public.gmane.org> wrote:
>>
>>> Hi,
>>> I am trying to post some data to our existing Rails application
>>> from a
>>> separate Java application. I am running into the problem of not
>>> having
>>> a valid authenticity token. How can I get around this?
>>> The Java app is not totally under our control so I don't think I can
>>> add stuff like session handling to it (and I shouldn't have to!).
>>
>>> Anyone have experience with this?
>>
>>> Thanks!
phil
2009-Jan-13 13:20 UTC
Re: posting to rails app from another process - authenticity problems
Sorry... what? Your answer is somewhat cryptic...

Are you recommending http basic?

On Jan 13, 1:16 pm, Frederick Cheung <frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On 13 Jan 2009, at 11:08, phil wrote:
>
> > isn't that a security hole?
> > Is there a way around this with some sort of authentication on the
> > method? (http basic for instance)?
> > Could I do what you suggest but then also code the method to use that?
>
> You're not going to want to have crsf tokens and what not for an api.
> It doesn't make any sense. Use http basic, restrict it to requests
> from the internal network, use api tokens etc... etc...
> The world is your oyster.
>
> Fred
>
> > Sorry - this kind of thing is new to me!
>
> > On Jan 13, 11:05 am, "Simon Macneall" <macne...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> >> Hi,
>
> >> Put protect_from_forgery :except => :index at the top of your
> >> controller,
> >> where :index is your action.
>
> >> Cheers
> >> Simon
>
> >> On Tue, 13 Jan 2009 18:28:28 +0900, phil <p...-o0Q4Q1ys/oVBDgjK7y7TUQ@public.gmane.org> wrote:
>
> >>> Hi,
> >>> I am trying to post some data to our existing Rails application
> >>> from a
> >>> separate Java application. I am running into the problem of not
> >>> having
> >>> a valid authenticity token. How can I get around this?
> >>> The Java app is not totally under our control so I don't think I can
> >>> add stuff like session handling to it (and I shouldn't have to!).
>
> >>> Anyone have experience with this?
>
> >>> Thanks!
MaD
2009-Jan-13 13:35 UTC
Re: posting to rails app from another process - authenticity problems
to make that clearer:

On 13 Jan., 14:20, phil <p...-o0Q4Q1ys/oVBDgjK7y7TUQ@public.gmane.org> wrote:
> Sorry... what? Your answer is somewhat cryptic...

well, you are asking

> Is there a way around this with some sort of authentication on the
> method?

and fred tells you to go rope-skipping:

> You're not going to want to have crsf tokens and what not for an api.

http://www.crsf.net

if you think about it, he probably meant CSRF: http://www.cgisecurity.com/csrf-faq.html

and therefore: "no, there is no way around this", because

> It doesn't make any sense.

so, you have plenty of other possibilities to improve security:

> Use http basic, restrict it to requests from the internal network, use api tokens etc... etc...
> The world is your oyster.

btw: no offense. i just liked fred's typo ;-)
Andrew Timberlake
2009-Jan-13 13:38 UTC
Re: posting to rails app from another process - authenticity problems
On Tue, Jan 13, 2009 at 3:20 PM, phil <phil-o0Q4Q1ys/oVBDgjK7y7TUQ@public.gmane.org> wrote:
>
> Sorry... what? Your answer is somewhat cryptic...
>
> Are you recommending http basic?
>
> On Jan 13, 1:16 pm, Frederick Cheung <frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > On 13 Jan 2009, at 11:08, phil wrote:
> > > isn't that a security hole?
> > > Is there a way around this with some sort of authentication on the
> > > method? (http basic for instance)?
> > > Could I do what you suggest but then also code the method to use that?
> >
> > You're not going to want to have crsf tokens and what not for an api.
> > It doesn't make any sense. Use http basic, restrict it to requests
> > from the internal network, use api tokens etc... etc...
> > The world is your oyster.
> >
> > Fred
>

request forgery protection is to protect against things like cross-site scripting.
For an API, you should probably be protecting requests via an authentication method which could include http basic authentication, you could also use an API token where a unique (to the user of the API) token is sent with every request.

--
Andrew Timberlake
http://ramblingsonrails.com
http://www.linkedin.com/in/andrewtimberlake

"I have never let my schooling interfere with my education" - Mark Twain
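What Fred and Andrew are describing, written out as an added example (this is not code from the thread, from Rails, or from any of the posters): a tiny Rack-style app in plain Ruby that applies both rules side by side. Requests under /api/ get no authenticity-token check, but every one of them must carry its own credential, either HTTP Basic or a per-client API token, compared in constant time; anything else is treated as a browser form riding the session cookie and must present an authenticity_token that matches the one in the session. It runs stand-alone without Rails or the rack gem, because a Rack request is only a hash and a response only a three-element array. The user table, the /api/ prefix, the X-Api-Token header name and the rack.session / form.authenticity_token env keys are all assumptions made for this example, not Rails conventions; the HTTP_AUTHORIZATION style of header key is the one Rack servers really use.

```ruby
require 'digest'

# Constant-time comparison so a wrong token does not leak how many leading
# bytes matched through response timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed credential store for one hypothetical API client (the Java
# process). The API token is stored hashed so a database leak does not hand
# out working credentials.
USERS = {
  'java-importer' => {
    password:   'correct horse battery staple',
    token_hash: Digest::SHA256.hexdigest('tok_0123456789abcdef'),
  },
}.freeze

# Minimal Rack-style app: env hash in, [status, headers, body] out.
#   /api/...         no CSRF token; every request must carry its own credential
#                    (HTTP Basic or the X-Api-Token header, both assumed names)
#   everything else  browser forms riding the session cookie, so a matching
#                    authenticity_token is required on state-changing methods
class Api
  CSRF_SAFE = %w[GET HEAD OPTIONS].freeze

  def call(env)
    if env['PATH_INFO'].start_with?('/api/')
      user = authenticate_api(env)
      return [401, { 'WWW-Authenticate' => 'Basic realm="api"' }, ['unauthorized']] unless user
      [200, {}, ["ok #{user}"]]
    else
      return [422, {}, ['invalid authenticity token']] unless csrf_ok?(env)
      [200, {}, ['ok form']]
    end
  end

  private

  def authenticate_api(env)
    basic_user(env['HTTP_AUTHORIZATION']) || token_user(env['HTTP_X_API_TOKEN'])
  end

  # Authorization: Basic base64("user:password")
  def basic_user(header)
    return nil unless header && header.start_with?('Basic ')
    decoded = header.sub('Basic ', '').unpack1('m').force_encoding('UTF-8')
    name, pass = decoded.split(':', 2)
    rec = USERS[name]
    rec && pass && secure_compare(rec[:password], pass) ? name : nil
  end

  # X-Api-Token: <per-client secret>, checked against the stored hash
  def token_user(token)
    return nil unless token
    digest = Digest::SHA256.hexdigest(token)
    name, = USERS.find { |_, rec| secure_compare(rec[:token_hash], digest) }
    name
  end

  # 'form.authenticity_token' stands in for the parsed authenticity_token param.
  def csrf_ok?(env)
    return true if CSRF_SAFE.include?(env['REQUEST_METHOD'])
    session_token = env['rack.session'] && env['rack.session']['_csrf_token']
    form_token    = env['form.authenticity_token']
    !!(session_token && form_token && secure_compare(session_token, form_token))
  end
end

# Builds a constructed request in the env-hash form a Rack server would pass.
def build_request(method, path, headers: {}, session: nil, form_token: nil)
  env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => path }
  headers.each { |k, v| env['HTTP_' + k.upcase.tr('-', '_')] = v }
  env['rack.session'] = session if session
  env['form.authenticity_token'] = form_token if form_token
  env
end

# Status code each constructed request receives.
def demo
  app   = Api.new
  basic = 'Basic ' + ['java-importer:correct horse battery staple'].pack('m0')
  csrf  = { '_csrf_token' => 'abc123' }
  {
    api_basic:     app.call(build_request('POST', '/api/import', headers: { 'Authorization' => basic }))[0],
    api_token:     app.call(build_request('POST', '/api/import', headers: { 'X-Api-Token' => 'tok_0123456789abcdef' }))[0],
    api_bad_token: app.call(build_request('POST', '/api/import', headers: { 'X-Api-Token' => 'tok_wrong' }))[0],
    api_anonymous: app.call(build_request('POST', '/api/import'))[0],  # :except alone would let this through
    form_ok:       app.call(build_request('POST', '/posts', session: csrf, form_token: 'abc123'))[0],
    form_csrf:     app.call(build_request('POST', '/posts', session: csrf))[0],  # cross-site POST, cookie but no token
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the status each constructed request gets. The anonymous POST to /api/ is the case that a bare protect_from_forgery :except would accept; here it is refused with 401 because the token check was replaced by a credential check rather than simply dropped, which is the distinction phil was asking about. The Java side only needs to add one header per request, no session or cookie handling. Basic auth sends the password base64-encoded, not encrypted, so it belongs behind HTTPS or the internal-network restriction Fred mentions.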
phil
2009-Jan-13 14:00 UTC
Re: posting to rails app from another process - authenticity problems
thanks guys!

I found this interesting post that seems to address exactly what I need:
http://www.whatcodecraves.com/articles/2008/11/25/how_to_make_an_api_for_a_rails_app/

On Jan 13, 2:38 pm, "Andrew Timberlake" <and...-642hCh26+Dt3UeSHeRwt+FaTQe2KTcn/@public.gmane.org> wrote:
> On Tue, Jan 13, 2009 at 3:20 PM, phil <p...-o0Q4Q1ys/oVBDgjK7y7TUQ@public.gmane.org> wrote:
>
> > Sorry... what? Your answer is somewhat cryptic...
>
> > Are you recommending http basic?
>
> > On Jan 13, 1:16 pm, Frederick Cheung <frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > > On 13 Jan 2009, at 11:08, phil wrote:
>
> > > > isn't that a security hole?
> > > > Is there a way around this with some sort of authentication on the
> > > > method? (http basic for instance)?
> > > > Could I do what you suggest but then also code the method to use that?
>
> > > You're not going to want to have crsf tokens and what not for an api.
> > > It doesn't make any sense. Use http basic, restrict it to requests
> > > from the internal network, use api tokens etc... etc...
> > > The world is your oyster.
>
> > > Fred
>
> request forgery protection is to protect against things like cross-site
> scripting.
> For an API, you should probably be protecting requests via an authentication
> method which could include http basic authentication, you could also use an
> API token where a unique (to the user of the API) token is sent with every
> request.
>
> --
> Andrew Timberlake
> http://ramblingsonrails.com
> http://www.linkedin.com/in/andrewtimberlake
>
> "I have never let my schooling interfere with my education" - Mark Twain