HTTP Digest Authentication in Rails 2.3

Posted by Gregg Kellogg Sun, 08 Mar 2009 21:30:00 GMT

After a fair amount of work, I'm happy to report that HTTP Digest Authentication is now a part of Rails 2.3. Although I put the finishing touches to get this into the release, it is based on work done by Dan Manges and Xavier Shay. Also, thanks to Don Parish for bug fixes and improvements after original acceptance.

Read more about HTTP Digest Authentication in Rails 2.3 on Ryan's Scraps. Relevant Lighthouse entries: 1230, 1848, and 2000. The last one includes a change, not yet approved for 2.3, which allows for using the HA1 part of the digest to store a hash of the password, rather than the cleartext used by the original version. Hopefully, we'll get a version of that in soon. Also, the current implementation depends on using a session secret when computing the nonce. Entry 2000 proposes a way to avoid this so no session is required.

Hopefully, we'll see the open issues resolved and get this into a 2.3.1 update.

Gregg
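
The two points raised in the post (keeping HA1 instead of the cleartext password, and deriving the nonce from a server-side secret) can be worked through with the RFC 2617 arithmetic. This is an added example, not the Rails 2.3 implementation or code from the post; the nonce layout, `REALM`, `SECRET` and all function names are assumptions made for illustration.

```ruby
require 'digest/md5'

REALM  = 'Application'          # constructed value
SECRET = 'server-side-secret'   # constructed; stands in for the secret behind the nonce

# HA1 = MD5(username:realm:password). The server can store this, not the password.
def ha1(username, realm, password)
  Digest::MD5.hexdigest([username, realm, password].join(':'))
end

# Assumed nonce layout: base64("timestamp:MD5(timestamp:secret)").
# The server can re-check it later without keeping per-client state.
def make_nonce(secret, time = Time.now)
  t = time.to_i
  ["#{t}:#{Digest::MD5.hexdigest("#{t}:#{secret}")}"].pack('m0')
end

# Length check, then compare every byte so timing does not reveal the mismatch position.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_nonce?(nonce, secret, now = Time.now, max_age = 300)
  t, mac = nonce.to_s.unpack1('m').split(':', 2)
  return false unless t.to_s.match?(/\A\d+\z/) && mac
  secure_compare(mac, Digest::MD5.hexdigest("#{t}:#{secret}")) &&
    (now.to_i - t.to_i).between?(0, max_age)
end

# RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2),
# where HA2 = MD5(method:uri).
def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop = 'auth')
  ha2 = Digest::MD5.hexdigest("#{method}:#{uri}")
  Digest::MD5.hexdigest([ha1_hex, nonce, nc, cnonce, qop, ha2].join(':'))
end

# Server-side check that needs only the stored HA1 and the secret.
def authenticate(stored_ha1, secret, method, creds, now = Time.now)
  return false unless valid_nonce?(creds[:nonce], secret, now)
  expected = digest_response(stored_ha1, method, creds[:uri],
                             creds[:nonce], creds[:nc], creds[:cnonce])
  secure_compare(creds[:response].to_s, expected)
end
```

A stored HA1 is still sufficient to compute valid responses for that username and realm, so it needs the same protection as any other credential store.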

Comments

  1. GrzesF 17 days later:

    Hi,

    I’ve noticed an issue for PUT and DELETE requests in my app after adding HTTP Digest Authentication.

    http://groups.google.com/group/rubyonrails-talk/browse_thread/thread/f23c66297a72f290

    Is it a normal behavior or I’m doing something wrong?

    -Grzesiek

  2. Gregg Kellogg about 1 month later:

    Note patch entered into Lighthouse issue #2490.
