Forum: Ruby on Rails posting to rails app from another process - authenticity problems

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
phil (Guest)
on 2009-01-13 10:29
(Received via mailing list)
Hi,
I am trying to post some data to our existing Rails application from a
separate java application. I am running into the problem of not having
a valid authenticity token. How can I get around this?
The java app is not totally under our control so I don't think I can
add stuff like session handling to it (and I shouldn't have to!).

Anyone have experience with this?

Thanks!
Simon Macneall (Guest)
on 2009-01-13 11:06
(Received via mailing list)
Hi,

Put protect_from_forgery :except => :index at the top of your controller, where :index is your action.

Cheers
Simon
phil (Guest)
on 2009-01-13 12:09
(Received via mailing list)
isn't that a security hole?
Is there a way around this with some sort of authentication on the
method? (http basic for instance)?
Could I do what you suggest but then also code the method to use that?

Sorry - this kind of thing is new to me!
Frederick Cheung (Guest)
on 2009-01-13 13:18
(Received via mailing list)
On 13 Jan 2009, at 11:08, phil wrote:

>
> isn't that a security hole?
> Is there a way around this with some sort of authentication on the
> method? (http basic for instance)?
> Could I do what you suggest but then also code the method to use that?
>
You're not going to want to have crsf tokens and what not for an api.
It doesn't make any sense. Use http basic, restrict it to requests
from the internal network, use api tokens etc... etc...
The world is your oyster.

Fred
phil (Guest)
on 2009-01-13 14:21
(Received via mailing list)
Sorry... what? Your answer is somewhat cryptic...

Are you recommending http basic?

MaD (Guest)
on 2009-01-13 14:36
(Received via mailing list)
to make that clearer:

On 13 Jan., 14:20, phil <p...@philsmy.com> wrote:
> Sorry... what? Your answer is somewhat cryptic...

well, you are asking
> Is there a way around this with some sort of authentication on the
> method?

and fred tells you to go rope-skipping:
> You're not going to want to have crsf tokens and what not for an api.
http://www.crsf.net

if you think about it, he probably meant CSRF:
http://www.cgisecurity.com/csrf-faq.html

and therefore: "no, there is no way around this", because
> It doesn't make any sense.

so, you have plenty of other possibilities to improve security:
> Use http basic, restrict it to requests from the internal network, use api tokens etc... etc...
> The world is your oyster.

btw: no offense. i just liked fred's typo ;-)
Andrew Timberlake (andrewtimberlake)
on 2009-01-13 14:39
(Received via mailing list)
On Tue, Jan 13, 2009 at 3:20 PM, phil <phil@philsmy.com> wrote:

> > > Is there a way around this with some sort of authentication on the
request forgery protection is to protect against things like cross-site scripting.
For an API, you should probably be protecting requests via an authentication method which could include http basic authentication, you could also use an API token where a unique (to the user of the API) token is sent with every request.

--
Andrew Timberlake
http://ramblingsonrails.com
http://www.linkedin.com/in/andrewtimberlake

"I have never let my schooling interfere with my education" - Mark Twain
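As an added illustration (not code from the thread, and written as plain Ruby with no Rails dependency so it runs stand-alone): the controller decision the replies above describe, modelled as functions. The API action is exempted from the authenticity-token check, as `protect_from_forgery :except => ...` does, but only on condition that the caller presents an API token or HTTP Basic credentials, the way Rails' `authenticate_or_request_with_http_basic` would; the header names, token values and credentials are constructed for the example.

```ruby
require 'base64'

# Constructed credentials for this example (not from the thread or any real app).
API_BASIC_USER = 'javaclient'
API_BASIC_PASS = 'example-secret'
API_TOKENS = { 'tok_abc123' => 'inventory-feed' }  # token => client name
CSRF_EXEMPT_ACTIONS = %w[api_create]               # like protect_from_forgery :except => :api_create
# Constant-time comparison: a plain == stops at the first mismatch and so leaks
# how many leading bytes of the secret were right.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff.zero?
end
# Parse "Authorization: Basic base64(user:pass)"; returns [user, pass] or nil.
def basic_credentials(header)
  return nil unless header.is_a?(String) && header.start_with?('Basic ')
  decoded = (Base64.strict_decode64(header[6..-1]) rescue nil)
  return nil unless decoded && decoded.include?(':')
  decoded.split(':', 2)
end
# API callers identify themselves with a token header or HTTP Basic instead of
# a session-bound authenticity token. Returns the client name, or nil.
def authenticate_api(headers)
  if (token = headers['X-Api-Token'])
    API_TOKENS.each { |known, name| return name if secure_compare(known, token) }
    return nil
  end
  user, pass = basic_credentials(headers['Authorization'])
  return nil unless user
  ok = secure_compare(user, API_BASIC_USER) & secure_compare(pass, API_BASIC_PASS)
  ok ? user : nil
end
# The controller's decision for one request: [status, reason].
def handle(action:, method:, headers:, csrf_token:, session_token:)
  if CSRF_EXEMPT_ACTIONS.include?(action)
    client = authenticate_api(headers)
    return [401, 'api auth required'] unless client   # exempt from CSRF, never from auth
    return [200, "ok (#{client})"]
  end
  # Browser-facing actions keep the normal check on state-changing requests.
  if method != 'GET'
    token_ok = !session_token.to_s.empty? && secure_compare(csrf_token.to_s, session_token.to_s)
    return [422, 'invalid authenticity token'] unless token_ok
  end
  [200, 'ok (browser session)']
end
```

The point the example makes concrete is the one phil worried about: the exemption alone would be a hole, so the exempt action replaces the CSRF check with an authentication check rather than dropping it.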
phil (Guest)
on 2009-01-13 15:00
(Received via mailing list)
thanks guys!

I found this interesting post that seems to address exactly what I
need:

http://www.whatcodecraves.com/articles/2008/11/25/...
