iCal / Authentication / Site5?


#1

So, I’m working on adding iCal support to my app. Since I want to
restrict users to their own calendars, form-based authentication isn’t
going to work, so I’m using the Basic HTTP Authorization from this page -
http://blogs.23.nu/c0re/stories/7409/

Everything works fine in my dev machine, but on the server (Site5), I
get the login prompt ad infinitum.

Has anyone run into this? Have other suggestions I could try?

Chasing down another theory, I noticed that “HTTP_AUTHORIZATION” doesn’t
appear in request.env – is it possible/likely that’s the source of my
problem?

Thanks!


#2

It looks like this is the issue:

http://wiki.rubyonrails.com/rails/pages/HowtoAuthenticateWithHTTP

If you are using Apache and mod_fastcgi, this method will likely not work
out of the box. Apache does not allow CGI scripts access to HTTP
authorization headers by default. You will need to configure FastCGI to pass
the Authorization header to your scripts
(http://www.fastcgi.com/mod_fastcgi/docs/mod_fastcgi.html#FastCgiServer).
Short version: add |-pass-header Authorization| to the FastCgiServer startup
directive, or |FastCgiConfig -pass-header Authorization|, for Apache 2, or
|-pass-header HTTP_AUTHORIZATION| for Apache 1. For this, you will need
access to Apache’s config file.

I’ve tried the suggested modification to htaccess (e.g.,
E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization}), but I get an odd
request.env:

"REDIRECT_X_HTTP_AUTHORIZATION"=>""


#3

Hi Josh,

> Everything works fine in my dev machine, but on the server (Site5),
> I get the login prompt ad infinitum.
>
> Has anyone run into this? Have other suggestions I could try?
>
> Chasing down another theory, I noticed that “HTTP_AUTHORIZATION”
> doesn’t appear in request.env – is it possible/likely that’s the
> source of my problem?

When writing CGIs I’ve fixed the problem with two approaches. I’m not
entirely sure it will work with FastCGI, but it’s worth a try.

The first approach is to recompile Apache and tell it to set the
HTTP_AUTHORIZATION environment variable when possible:

http://httpd.apache.org/dev/apidoc/apidoc_SECURITY_HOLE_PASS_AUTHORIZATION.html

The second approach is similar to the one you tried. I simply add the
following three lines into the .htaccess, or in the httpd.conf inside
a or tag:

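RewriteEngine On
# Capture the whole Authorization request header into %1
RewriteCond %{HTTP:Authorization} (.*) [NC]
# Leave the URL unchanged (-) and export the capture as HTTP_AUTHORIZATION
RewriteRule .* - [E=HTTP_AUTHORIZATION:%1]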


Thanks,

Dan


Dan K.
Autopilot Marketing Inc.

Email: removed_email_address@domain.invalid
Phone: 1 (604) 820-0212
Web: http://autopilotmarketing.com/
vCard: http://autopilotmarketing.com/~dan.kubb/vcard


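The application-side half of the problem discussed in this thread, as an added Ruby example that is not code from any of the posters: it looks for Basic credentials under each environment key the workarounds can produce and shows that a missing, empty or truncated value always ends in another 401 challenge. The function names, the sample environments and the REDIRECT_HTTP_AUTHORIZATION key are assumptions made for illustration.

```ruby
require "base64"

# Environment keys that may carry the Authorization header, in lookup order.
# HTTP_AUTHORIZATION is the standard CGI name; X-HTTP_AUTHORIZATION and
# REDIRECT_X_HTTP_AUTHORIZATION appear in this thread; the REDIRECT_HTTP_
# form is an assumption (mod_rewrite prefixes REDIRECT_ after a redirect).
AUTH_KEYS = %w[HTTP_AUTHORIZATION X-HTTP_AUTHORIZATION
               REDIRECT_HTTP_AUTHORIZATION REDIRECT_X_HTTP_AUTHORIZATION].freeze

# Returns [user, password] from the first non-empty Basic value, else nil.
def basic_credentials(env)
  raw = AUTH_KEYS.map { |k| env[k].to_s.strip }.find { |v| !v.empty? }
  return nil unless raw
  scheme, token = raw.split(/\s+/, 2)
  return nil unless scheme.casecmp("Basic").zero? && token
  user, password = Base64.strict_decode64(token).split(":", 2)
  return nil if user.nil? || user.empty? || password.nil?
  [user, password]
rescue ArgumentError # token was not valid Base64
  nil
end

# Returns [status, headers]. The block is the app's own credential check.
# Missing or unusable credentials always produce a 401 challenge, which is
# why a server that drops the header makes the client prompt forever.
def respond(env)
  creds = basic_credentials(env)
  return [200, {}] if creds && yield(*creds)
  [401, { "WWW-Authenticate" => 'Basic realm="Calendar"' }]
end

# Constructed sample environments (not captured from a real server).
TOKEN = Base64.strict_encode64("alice:s3cret:with:colons")
SAMPLES = {
  "header passed through" => { "HTTP_AUTHORIZATION" => "Basic #{TOKEN}" },
  "header dropped"        => {},
  "empty rewrite var"     => { "REDIRECT_X_HTTP_AUTHORIZATION" => "" },
  "truncated value"       => { "HTTP_AUTHORIZATION" => "B" },
  "after rewrite rule"    => { "REDIRECT_HTTP_AUTHORIZATION" => "basic #{TOKEN}" },
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |name, env|
    status, = respond(env) { |u, p| u == "alice" && p == "s3cret:with:colons" }
    puts "#{name}: #{status}"
  end
end
```

Dumping which of these keys is actually set on the production host, without logging the value itself, shows whether the web server or the application is dropping the credentials.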