Posting to rails app from another process - authenticity problems

phil · January 13, 2009, 10:29am

Hi,
I am trying to post some data to our existing Rails application from a
seperate java application. I am running into the problem of not having
a valid authenticity token. How can I get around this?
The java app is not totally under our control so I don’t think I can
add stuff like session handling to it (and I shouldn’t have to!).

Anyone have experience with this?

Thanks!

phil · January 13, 2009, 11:06am

Hi,

Put protect_from_forgery :except => :index at the top of your
controller,
where :index is your action.

Cheers
Simon

phil · January 13, 2009, 12:09pm

isn’t that a security hole?
Is there a way around this with some sort of authentication on the
method? (http basic for instance)?
Could I do what you suggest but then also code the method to use that?

Sorry - this kind of thing is new to me!

phil · January 13, 2009, 1:18pm

On 13 Jan 2009, at 11:08, phil wrote:

isn’t that a security hole?
Is there a way around this with some sort of authentication on the
method? (http basic for instance)?
Could I do what you suggest but then also code the method to use that?

You’re not going to want to have crsf tokens and what not for an api.
It doesn’t make any sense. Use http basic, restrict it to requests
from the internal network, use api tokens etc… etc…
The world is your oyster.

Fred

phil · January 13, 2009, 2:36pm

to make that clearer:

On 13 Jan., 14:20, phil [email protected] wrote:

Sorry… what? Your answer is somewhat cryptic…

well, you are asking

Is there a way around this with some sort of authentication on the
method?

and fred tells you to go rope-skipping:

You’re not going to want to have crsf tokens and what not for an api.
http://www.crsf.net

if you think about it, he probably meant CSRF:
http://www.cgisecurity.com/csrf-faq.html

and therefor: “no, there is no way around this”, because

It doesn’t make any sense.

so, you have plenty of other possibilities to improve security:

Use http basic, restrict it to requests from the internal network, use api tokens etc… etc…
The world is your oyster.

btw: no offense. i just liked fred’s typo

phil · January 13, 2009, 2:21pm

Sorry… what? Your answer is somewhat cryptic…

Are you recommending http basic?

On Jan 13, 1:16 pm, Frederick C. [email protected]

phil · January 13, 2009, 3:00pm

thanks guys!

I found this interesting post that seems to address exactly what I
need:

http://www.whatcodecraves.com/articles/2008/11/25/how_to_make_an_api_for_a_rails_app/

On Jan 13, 2:38 pm, “Andrew T.” [email protected]

phil · January 13, 2009, 2:39pm

On Tue, Jan 13, 2009 at 3:20 PM, phil [email protected] wrote:

Is there a way around this with some sort of authentication on the

request forgery protection is to protect against things like cross-site
scripting.
For an API, you should probably be protecting requests via an
authentication
method which could include http basic authentication, you could also use
an
API token where a unique (to the user of the API) token is sent with
every
request.

–
Andrew T.
http://ramblingsonrails.com
http://www.linkedin.com/in/andrewtimberlake

“I have never let my schooling interfere with my education” - Mark Twain