Posting to rails app from another process - authenticity problems


#1

Hi,
I am trying to post some data to our existing Rails application from a
separate Java application. I am running into the problem of not having
a valid authenticity token. How can I get around this?
The Java app is not totally under our control so I don’t think I can
add stuff like session handling to it (and I shouldn’t have to!).

Anyone have experience with this?

Thanks!


#2

Hi,

Put protect_from_forgery :except => :index at the top of your controller,
where :index is your action.

Cheers
Simon


#3

Isn’t that a security hole?
Is there a way around this with some sort of authentication on the
method (HTTP Basic, for instance)?
Could I do what you suggest but then also code the method to use that?

Sorry - this kind of thing is new to me!


#4

On 13 Jan 2009, at 11:08, phil wrote:

Isn’t that a security hole?
Is there a way around this with some sort of authentication on the
method (HTTP Basic, for instance)?
Could I do what you suggest but then also code the method to use that?

You’re not going to want to have crsf tokens and what not for an API.
It doesn’t make any sense. Use HTTP Basic, restrict it to requests
from the internal network, use API tokens etc… etc…
The world is your oyster.

Fred


#5

to make that clearer:

On 13 Jan., 14:20, phil removed_email_address@domain.invalid wrote:

Sorry… what? Your answer is somewhat cryptic…

well, you are asking

Is there a way around this with some sort of authentication on the
method?

and fred tells you to go rope-skipping:

You’re not going to want to have crsf tokens and what not for an API.
http://www.crsf.net

if you think about it, he probably meant CSRF:
http://www.cgisecurity.com/csrf-faq.html

and therefore: “no, there is no way around this”, because

It doesn’t make any sense.

so, you have plenty of other possibilities to improve security:

Use HTTP Basic, restrict it to requests from the internal network, use API tokens etc… etc…
The world is your oyster.

BTW: no offense, I just liked Fred’s typo :wink:


#6

Sorry… what? Your answer is somewhat cryptic…

Are you recommending HTTP Basic?

On Jan 13, 1:16 pm, Frederick C. removed_email_address@domain.invalid


#7

thanks guys!

I found this interesting post that seems to address exactly what I
need:

http://www.whatcodecraves.com/articles/2008/11/25/how_to_make_an_api_for_a_rails_app/

On Jan 13, 2:38 pm, “Andrew T.” removed_email_address@domain.invalid


#8

On Tue, Jan 13, 2009 at 3:20 PM, phil removed_email_address@domain.invalid wrote:

Is there a way around this with some sort of authentication on the

Request forgery protection is to protect against things like cross-site
scripting.
For an API, you should probably be protecting requests via an
authentication method, which could include HTTP Basic authentication;
you could also use an API token where a unique (to the user of the API)
token is sent with every request.


Andrew T.
http://ramblingsonrails.com
http://www.linkedin.com/in/andrewtimberlake

“I have never let my schooling interfere with my education” - Mark Twain
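Fred’s (#4) and Andrew’s (#8) advice, modelled in plain Ruby as an added example that is not code from this thread or from Rails itself: the API action skips the forgery check (what Simon’s protect_from_forgery :except does in a real controller) but must authenticate on every request, with HTTP Basic or a per-consumer API token, while the browser routes keep the authenticity-token check. The user name, password, token, session token and request hashes are all constructed for the example; in a real app the credentials come from the database with the secrets hashed, and Rails’ own authenticate_or_request_with_http_basic would do the Basic check.

```ruby
require "base64"
require "digest"

# Constructed credentials for this example. In a real app they live in the
# database (with the secrets hashed), never in the source.
API_USERS  = { "javaapp" => "s3cret-pass" }.freeze
API_TOKENS = { "4f9d2c0e7b1a83e5d6c0f1b2a3d4e5f6" => "javaapp" }.freeze

# Compare two secrets in constant time: hash both to a fixed length, then
# OR every byte difference together so the loop never exits early and the
# response time does not reveal where the first mismatch is.
def secure_equal?(a, b)
  da = Digest::SHA256.digest(a.to_s)
  db = Digest::SHA256.digest(b.to_s)
  diff = 0
  da.bytes.zip(db.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# HTTP Basic: "Authorization: Basic base64(user:password)".
# Returns the user name, or nil for a missing, malformed or wrong credential.
def basic_auth_user(headers)
  value = headers["Authorization"].to_s
  return nil unless value.start_with?("Basic ")
  decoded = (Base64.strict_decode64(value[6..-1]) rescue nil)
  return nil if decoded.nil?
  user, password = decoded.split(":", 2)
  expected = API_USERS[user]
  (expected && secure_equal?(password, expected)) ? user : nil
end

# API token in a custom header, one token per API consumer, so it can be
# revoked without touching that consumer's password.
def token_user(headers)
  token = headers["X-Api-Token"].to_s
  API_TOKENS.each { |known, user| return user if secure_equal?(token, known) }
  nil
end

# Rails' protect_from_forgery check, modelled: a state-changing request must
# carry the authenticity token matching the one in the user's session. A
# session without a token can match nothing (otherwise two empty strings
# would compare equal and the check could be bypassed).
def csrf_valid?(request)
  return true if %w[GET HEAD].include?(request[:method])
  session_token = request[:session][:csrf_token].to_s
  return false if session_token.empty?
  secure_equal?(request[:params]["authenticity_token"], session_token)
end

# The gatekeeper. API routes skip the CSRF check but must authenticate on
# every request; browser routes keep the CSRF check (Rails answers an
# invalid token with 422). Returns [http_status, api_user_or_nil].
def authorize(request)
  if request[:path].start_with?("/api/")
    user = basic_auth_user(request[:headers]) || token_user(request[:headers])
    return user ? [200, user] : [401, nil]
  end
  csrf_valid?(request) ? [200, nil] : [422, nil]
end

# Constructed sample requests. SESSION_TOKEN stands in for the per-session
# value Rails keeps in the session and embeds in its forms.
SESSION_TOKEN = "k3yLw8Qp2N7vR1tXz9uYb4cD6eF0gH5j".freeze

def build(method, path, headers: {}, params: {}, session: {})
  { method: method, path: path, headers: headers, params: params, session: session }
end

basic = "Basic " + Base64.strict_encode64("javaapp:s3cret-pass")
JAVA_BASIC_POST = build("POST", "/api/items", headers: { "Authorization" => basic },
                        params: { "name" => "widget" })
JAVA_TOKEN_POST = build("POST", "/api/items",
                        headers: { "X-Api-Token" => API_TOKENS.keys.first },
                        params: { "name" => "widget" })
JAVA_BAD_PASSWORD_POST = build("POST", "/api/items",
                               headers: { "Authorization" => "Basic " + Base64.strict_encode64("javaapp:guess") })
# A cross-site form post aimed at the API: the victim's browser attaches the
# session cookie but no Basic credential or token, so it is refused.
FORGED_API_POST = build("POST", "/api/items", params: { "name" => "evil" },
                        session: { csrf_token: SESSION_TOKEN })
BROWSER_POST = build("POST", "/items",
                     params: { "authenticity_token" => SESSION_TOKEN, "name" => "widget" },
                     session: { csrf_token: SESSION_TOKEN })
FORGED_BROWSER_POST = build("POST", "/items", params: { "name" => "evil" },
                            session: { csrf_token: SESSION_TOKEN })
BROWSER_GET = build("GET", "/items")
```

authorize(JAVA_BASIC_POST) and authorize(JAVA_TOKEN_POST) give [200, "javaapp"]; the bad password and the forged API post give [401, nil]; the browser form with its token passes and the forged browser post gets 422. One caveat on Basic: a browser that has authenticated to /api/ once will resend the cached credentials on later requests to the same realm, so if people also use the API from a browser a cross-site form post could ride on that. A token in a custom header is immune to that, because an HTML form cannot set arbitrary headers, and Fred’s network restriction narrows it further. Either way send the credentials only over TLS and keep the tokens hashed at rest.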