So, I'm working on adding iCal support to my app. Since I want to restrict users to their own calendars, form-based authentication isn't going to work, so I'm using the Basic HTTP Authorization from this page - http://blogs.23.nu/c0re/stories/7409/

Everything works fine on my dev machine, but on the server (Site5), I get the login prompt ad infinitum.

Has anyone run into this? Have other suggestions I could try?

Chasing down another theory, I noticed that "HTTP_AUTHORIZATION" doesn't appear in request.env -- is it possible/likely that's the source of my problem?

Thanks!

It looks like this is the issue: http://wiki.rubyonrails.com/rails/pages/HowtoAuthenticateWithHTTP

> If you are using Apache and mod_fastcgi, this method will likely not work
> out of the box. Apache does not allow CGI scripts access to HTTP
> authorization headers by default. You will need to configure FastCGI to pass
> the Authorization header to your scripts <http://www.fastcgi.com/mod_fastcgi/docs/mod_fastcgi.html#FastCgiServer>.
> Short version: add |-pass-header Authorization| to the FastCgiServer startup
> directive, or |FastCgiConfig -pass-header Authorization|, for Apache 2, or
> |-pass-header HTTP_AUTHORIZATION| for Apache 1. For this, you will need
> access to apache's config file.

I've tried the suggested modification to htaccess (e.g., E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization}), but I get an odd request.env:

    "REDIRECT_X_HTTP_AUTHORIZATION"=>""

On 4/29/06, Josh on Rails <rails@thewehners.net> wrote:
> So, I'm working on adding iCal support to my app. Since I want to restrict users to their own calendars, form-based authentication isn't going to work, so I'm using the Basic HTTP Authorization from this page - http://blogs.23.nu/c0re/stories/7409/
>
> Everything works fine on my dev machine, but on the server (Site5), I get the login prompt ad infinitum.
>
> Has anyone run into this? Have other suggestions I could try?
>
> Chasing down another theory, I noticed that "HTTP_AUTHORIZATION" doesn't appear in request.env -- is it possible/likely that's the source of my problem?
>
> Thanks!

Hi Josh,

> Everything works fine on my dev machine, but on the server (Site5),
> I get the login prompt ad infinitum.
>
> Has anyone run into this? Have other suggestions I could try?
>
> Chasing down another theory, I noticed that "HTTP_AUTHORIZATION"
> doesn't appear in request.env -- is it possible/likely that's the
> source of my problem?

When writing CGIs I've fixed the problem with two approaches. I'm not entirely sure it will work with FastCGI, but it's worth a try.

The first approach is to recompile Apache and tell it to set the HTTP_AUTHORIZATION environment variable when possible:

http://httpd.apache.org/dev/apidoc/apidoc_SECURITY_HOLE_PASS_AUTHORIZATION.html

The second approach is similar to the one you tried. I simply add the following three lines into the .htaccess, or in the httpd.conf inside a <Location> or <Directory> tag:

    RewriteEngine On
    RewriteCond %{HTTP:Authorization} (.*) [NC]
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%1]

--
Thanks,

Dan
__________________________________________________________________

Dan Kubb
Autopilot Marketing Inc.
Email: dan.kubb@autopilotmarketing.com
Phone: 1 (604) 820-0212
Web: http://autopilotmarketing.com/
vCard: http://autopilotmarketing.com/~dan.kubb/vcard
__________________________________________________________________
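
An added example, not part of the original thread or of Rails itself: a Ruby helper that looks for the Basic credential under each environment name mentioned above and treats an empty or malformed value as "not authenticated", so the cause of the repeating login prompt is visible. The helper name `basic_credentials`, the key list and the sample environments are assumptions made for illustration.

```ruby
require 'base64'

# Env keys a Basic credential may arrive under (assumed list): the standard
# CGI name, the custom variable from the .htaccess attempt in the thread, and
# the REDIRECT_-prefixed copies Apache creates after an internal redirect.
AUTH_ENV_KEYS = %w[
  HTTP_AUTHORIZATION
  X-HTTP_AUTHORIZATION
  X_HTTP_AUTHORIZATION
  REDIRECT_HTTP_AUTHORIZATION
  REDIRECT_X_HTTP_AUTHORIZATION
].freeze

# Returns [user, password], or nil when no usable Basic credential is present.
# (basic_credentials is a hypothetical helper name, not a Rails API.)
def basic_credentials(env)
  key = AUTH_ENV_KEYS.find { |k| !env[k].to_s.strip.empty? }
  return nil unless key

  scheme, payload = env[key].to_s.strip.split(/\s+/, 2)
  return nil unless scheme.casecmp('Basic').zero? && payload

  begin
    decoded = Base64.strict_decode64(payload)
  rescue ArgumentError
    return nil # malformed base64: treat as unauthenticated
  end

  user, password = decoded.split(':', 2) # a password may itself contain ':'
  return nil if user.nil? || user.empty? || password.nil?
  [user, password]
end

# Constructed sample environments (not taken from a real server).
WORKING = { 'HTTP_AUTHORIZATION' => 'Basic ' + Base64.strict_encode64('josh:s3cret:x') }
STRIPPED = { 'REDIRECT_X_HTTP_AUTHORIZATION' => '' } # the shape reported in the thread
REWRITTEN = { 'REDIRECT_HTTP_AUTHORIZATION' => 'Basic ' + Base64.strict_encode64('josh:pw') }

if __FILE__ == $PROGRAM_NAME
  { working: WORKING, stripped: STRIPPED, rewritten: REWRITTEN }.each do |name, env|
    creds = basic_credentials(env)
    puts "#{name}: #{creds ? "user=#{creds[0]}" : 'no credentials -> send 401 + WWW-Authenticate'}"
  end
end
```

When the helper returns nil for every request on the server, the header is being dropped before it reaches the application, which is a server configuration problem and not a fault in the authentication code.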