How can I get soap4r to work with digest authentication?

Hello,

I used wsdl2rb.rb to create a SOAP client and got it to work with basic
authentication by adding one single line of code to the
defaultDriver.rb file that was built by wsdl2rb.rb. (I also had to
install http-access2 over my Ruby installation to avoid a runtime
error.)

options["protocol.http.basic_auth"] << ["https://www.example.com/somewhere/", "user", "passwd"]

So far so good.

Now: How do I add support for digest authentication to my client?

I'm using Ruby 1.8.1 for Windows.
I've installed soap4r 1.5.5.
I've installed http-access2 2.0.6.

Thanks,
Yonatan

Security alert: Don't use my code as-is! I checked with a sniffer and
it looks like I'm attempting to send the password in the clear before
sending the digest response.

It looks like the flow is wrong . . . (Sorry for not testing this
earlier!)

I fixed the problem of always sending the password in the clear by
checking the HTTP and making sure that the server is indeed requesting
basic realm. In class BasicAuth I added lines with +:

def set(uri, user_id, passwd)
    uri = uri.clone

+ # Make sure that the server is really requesting Basic
Authentication!
+ serverRealm = (@client.head(uri).header['WWW-Authenticate']).join
+ return nil if ("Basic realm".downcase !=
serverRealm[0,11].downcase)

    uri.path = uri.path.sub(/\/[^\/]*$/, '/')
    @auth[uri] = ["#{user_id}:#{passwd}"].pack('m').strip
    @client.reset_all
  end
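
Review bot: The guard on the + lines sits in set, so it runs once when the credentials are registered, and the @auth[uri] entry stored afterwards is used with no further check visible in this method; the decision belongs where the Authorization header is attached to a request. The test compares only the first 11 characters of the joined WWW-Authenticate values with "Basic realm", so it fails when the server lists another scheme first or puts a parameter other than realm first, and the .join call depends on what header['WWW-Authenticate'] returns when the field is absent. Suggest matching on the scheme token of each challenge, handling the missing-header case explicitly, and dropping the extra HEAD round trip.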

I forgot to mention that the digest authentication in the code I posted
earlier is hardcoded to build the digest response with "POST" which
always works for me, as I'm sending SOAP. I'm not sure how to get the
correct HTTP method. (http-access2 is about 1700 lines of code and I
haven't had a chance to understand the flow . . . )

Hi,

Sorry I couldn't reply sooner.

yonatan_avraham@hotmail.com wrote:

I fixed the problem of always sending the password in the clear by
checking the HTTP and making sure that the server is indeed requesting
basic realm. In class BasicAuth I added lines with +:

def set(uri, user_id, passwd)
    uri = uri.clone

+ # Make sure that the server is really requesting Basic
Authentication!
+ serverRealm = (@client.head(uri).header['WWW-Authenticate']).join
+ return nil if ("Basic realm".downcase !=
serverRealm[0,11].downcase)

    uri.path = uri.path.sub(/\/[^\/]*$/, '/')
    @auth[uri] = ["#{user_id}:#{passwd}"].pack('m').strip
    @client.reset_all
  end

I think I understood the problem, but the problem is in BasicAuth#get,
not in BasicAuth#set, right? http-access2 now sends the password to a
defined realm even if WWW-Authenticate is missing.

I'll fix this. Thanks.

Regards,
// NaHi
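
The rule this thread arrives at (send credentials only in answer to a matching challenge, and build the Digest response from the real request method instead of a hardcoded "POST"), as an added Ruby example that is not part of the original posts and is not http-access2 or soap4r code. All function names are hypothetical; it assumes one challenge per header line and MD5 with qop=auth or no qop, and the sample challenge is constructed from the RFC 2617 section 3.5 values.

```ruby
require 'digest/md5'

# Parse WWW-Authenticate header lines into [{scheme:, params:}, ...].
# Assumption: each array element carries exactly one challenge.
def parse_challenges(lines)
  Array(lines).map do |line|
    scheme, rest = line.to_s.strip.split(/\s+/, 2)
    next if scheme.nil?
    params = {}
    rest.to_s.scan(/(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))/) do |key, quoted, bare|
      params[key.downcase] = quoted || bare
    end
    { scheme: scheme.downcase, params: params }
  end.compact
end

def qop_auth?(params)
  params['qop'].to_s.split(/\s*,\s*/).include?('auth')
end

# RFC 2617 response for MD5; http_method is the method of the actual request.
def digest_response(user, passwd, http_method, path, params, cnonce, nc = '00000001')
  ha1 = Digest::MD5.hexdigest("#{user}:#{params['realm']}:#{passwd}")
  ha2 = Digest::MD5.hexdigest("#{http_method}:#{path}")
  parts = qop_auth?(params) ? [ha1, params['nonce'], nc, cnonce, 'auth', ha2] : [ha1, params['nonce'], ha2]
  Digest::MD5.hexdigest(parts.join(':'))
end

# Returns an Authorization value only in answer to a challenge, else nil.
# Digest is preferred; Basic goes out only if the caller allows it (e.g. over TLS).
def authorization_for(lines, user, passwd, http_method, path, cnonce, allow_basic: false)
  challenges = parse_challenges(lines)
  digest = challenges.find { |c| c[:scheme] == 'digest' }
  if digest
    prm = digest[:params]
    resp = digest_response(user, passwd, http_method, path, prm, cnonce)
    out = %(Digest username="#{user}", realm="#{prm['realm']}", nonce="#{prm['nonce']}", ) +
          %(uri="#{path}", response="#{resp}")
    out += %(, qop=auth, nc=00000001, cnonce="#{cnonce}") if qop_auth?(prm)
    out += %(, opaque="#{prm['opaque']}") if prm['opaque']
    out
  elsif allow_basic && challenges.any? { |c| c[:scheme] == 'basic' }
    'Basic ' + ["#{user}:#{passwd}"].pack('m0')
  end
end

# Constructed sample challenge, using the RFC 2617 section 3.5 values.
SAMPLE = ['Digest realm="testrealm@host.com", qop="auth,auth-int", ' \
          'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"'].freeze
```

With no challenge the function returns nil, so nothing derived from the password leaves the client before the server has asked for a scheme.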