#147: http_auth not working as expected (WorksForMe)

Mar 27 2007 * 01:34
Reported by:   Assigned to: dim 
Priority: Minor  Milestone: 1.1 
Release:    Component:   

This is probably just a lack of understanding on my part rather than a bug, but http_auth doesn’t seem to work as expected. There are no instructions for its implementation, but after installing the extension (rxm list shows that it is installed), and restarting my web server, restarting my browser (to clear current session ids), and accessing my app (which uses Http Digest), I would expect that if the user clears http, retrospectiva would search for that user’s id in the database, and if it exists, automatically log the user in as that id. That’s what the http_auth extension code seems to indicate. However, in my experience, retrospectiva is not logging me in automatically (after clearing http authentication). No error or anything, production logs don’t show up anything, I’m simply not logged in. My user/password in retrospectiva match my HttpDigest user/password. Is there something else I need to do? Or maybe I’m not understanding how http_auth works?

Changelog:

Modified by – Mar 27 2007 * 19:30

  • Release reset (from 1.0rc2)
  • Assigned user set to dim
  • Priority changed from Normal to Minor

Hi!

Thanks for the comment. The http_auth extension moved from the main distribution to the extensions & will not be shipped with Retrospectiva 1.0. It was also a little bit outdated.

A few things have changed, so if you’d like to use it please switch to the current stable branch

svn sw svn://dvisionfactory.com/retrospectiva/branches/1-0

and then get the latest http_auth code from

svn co svn://dvisionfactory.com/retrospectiva/extensions/1-0/http_auth

I am not sure but maybe using HttpDigest is causing your problem, but let’s see. Drop me a short note to let me know if the new version has worked for you or not.

Modified by – Mar 28 2007 * 01:04

I was already using the 1-0 stable branch, but I updated to the latest, and then grabbed the http_auth code as indicated.

Now authentication fails altogether and I get an “application error” when accessing my site. Log shows the following error:

A NameError occurred in projects#index:

undefined local variable or method `authenticate_without_http_authentication' for #
`before_authenticate'

Which leads to:

A Errno::ECONNREFUSED occurred in projects#index:

Connection refused - connect(2)
/usr/local/lib/ruby/1.8/net/protocol.rb:206:in `initialize'

Modified by – Mar 28 2007 * 01:09

PS. The line throwing the error is:

extensions/http_auth/http_auth.rb:33

Modified by – Mar 28 2007 * 08:15

I’ve updated the extension (again) in [r141], please check if it works. I currently have not much time so I need you to do some debugging for me ;-). I will have a detailed review on this problem within the next few days, I promise.

Cheers
Dimitrij

Modified by – Mar 28 2007 * 16:23

Thanks, Dimitrij, for your time. r141 fixes the error, but it still doesn’t log me in successfully.

Here’s an idea of how I implemented automatic http_auth login with another app that I installed (Beast). I’m really just a novice in these matters, so your solution is probably better, but anyway, here it is for what it’s worth. It works for me.

The idea behind this is that the application login doesn’t need to provide security, since the security is provided by the HttpDigest. So once the user clears the http authorization, all we have to do is identify them.

So all I do is grab the REMOTE_USER environment variable and check it against the application user database. If it exists, the user is logged in as that user. I don’t bother with the password since they’ve already cleared security, so to speak.

The potential weakness I can see is that perhaps one user, having cleared http authentication, could somehow spoof their REMOTE_USER variable in order to log in as another user. I’m not sure if that’s possible or not.

Modified by – Mar 31 2007 * 16:56

  • Status changed from Open to WorksForMe

“I’m not sure if that’s possible or not.”

I’m pretty sure it is, therefore I won’t implement your solution into http_auth. http_auth is meant to work with Basic HttpAuth. If you find any secure solution to authenticate the user using the Digest method, please let me know. Many thanks.

Modified by – Nov 08 2007 * 21:54

  • Status changed from WorksForMe to Open

Hi Dimitri,

I’m using AuthType Basic but have not been able to get it working.

Am using the latest versions of both retro and http_auth, as listed above.

http_auth appears to be installed and enabled successfully, and I restarted mongrel afterwards.

When I authenticate via Basic auth, it does not log me in to retro, as expected.

Any suggestions?

Thanks, Zubin

Modified by – Dec 02 2007 * 20:44

Is it possible to run this extension within the trunk?

Modified by – Feb 10 2008 * 19:46

  • Status changed from Open to WorksForMe
  • Milestone set to 1.1

Hi!

Sorry for the late response. The http_auth extension will only work if you disable the Secure authentication in Admin/Setup.

HTTP-Auth-Basic stores the credentials more-or-less as plain text in the request header (only encrypted by Base64) while Secure authentication requires the use of hashed passwords.

Dimitrij
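As an added illustration (not the extension’s code, nor Dimitrij’s or the reporter’s), this Ruby sketch shows what a Basic Authorization header carries once decoded, how such plaintext credentials can be checked against a hashed account store, and why a server-set REMOTE_USER differs from a client-supplied header, the spoofing question raised earlier in the thread. The account table, salt and hashing scheme are constructed for the example; it assumes a CGI-style environment where the application runs in-process with the web server, as with mod_perl, since behind a reverse proxy such as Apache in front of mongrel the identity has to be forwarded as a header and the proxy must strip any client copies of it first.

```ruby
require 'base64'
require 'digest/sha1'

# Constructed sample account table (hypothetical): login => salted SHA1 of the
# password, standing in for a hashed-password store such as the "Secure
# authentication" mode mentioned in the thread. Salt and accounts are made up.
SALT  = 'constructed-salt'
USERS = { 'alice' => Digest::SHA1.hexdigest("#{SALT}--secret") }

# Parse "Authorization: Basic <base64(user:password)>" into [user, password].
# Returns nil when the header is missing, not Basic, or malformed.
def parse_basic_header(value)
  return nil unless value && value =~ /\ABasic\s+([A-Za-z0-9+\/=]+)\z/
  user, password = Base64.decode64($1).split(':', 2)
  return nil if user.nil? || user.empty? || password.nil?
  [user, password]
end

# Authenticate from the Basic header against the hashed table. Basic delivers
# the plaintext password (only Base64-wrapped), so the server can re-hash it
# and compare with the stored hash. Returns the login on success, else nil.
def authenticate_basic(env)
  creds = parse_basic_header(env['HTTP_AUTHORIZATION'])
  return nil unless creds
  user, password = creds
  stored = USERS[user]
  return nil unless stored && stored == Digest::SHA1.hexdigest("#{SALT}--#{password}")
  user
end

# Identity from the server-set REMOTE_USER, i.e. what the web server writes
# after its own authentication. In a CGI-style env every header a client
# sends arrives under an HTTP_ prefix (a forged "Remote-User" header becomes
# HTTP_REMOTE_USER), so only the bare REMOTE_USER key is consulted here.
def identity_from_remote_user(env)
  user = env['REMOTE_USER']
  return nil if user.nil? || user.empty? || !USERS.key?(user)
  user
end
```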

Modified by – Feb 10 2008 * 19:52

[r456] – Updated http_auth extension for Retrospectiva 1.1

Modified by – Feb 10 2008 * 21:42

  • Attachment added Auth.pm [application/octet-stream]

I am not familiar with Ruby, but I have some experience in Perl/mod_perl, so someone may find my Auth.pm module useful; it helps authenticate users in Apache against Retrospectiva accounts (in Postgres only for now).

I am running with the following config lines:

SetEnv RAILS_ENV production
<Perl>
push @INC,"/usr/local/etc/apache22/Includes";
</Perl>

<Directory "/usr/local/www/retrospectiva/public">
AllowOverride All
Order Deny,Allow
Allow from all
ErrorDocument 401 "<body onload=\"window.location.href = 'register';\"> </body>" 
PerlAuthenHandler Retrospectiva::Auth
AuthName "restricted area" 
AuthType Basic
Require valid-user
</Directory>
on:
  • Apache/2.2.8 (FreeBSD)
  • mod_ssl/2.2.8 OpenSSL/0.9.7e-p1
  • DAV/2
  • mod_fastcgi/2.4.2
  • PHP/5.2.4 with Suhosin-Patch
  • SVN/1.4.4
  • mod_perl/2.0.3
  • Perl/v5.8.8

Modified by – Feb 10 2008 * 21:50

As retrospectiva-1.1 was incompatible with http_auth prior to [r456], I have written a simple handler to make HTTP authentication possible for the retrospectiva-1.1 branch.
