Digest authentication fails with proxy #2301

Closed
arthurpsmith opened this Issue Jul 27, 2011 · 5 comments

4 participants

@arthurpsmith

This is a copy of a note I sent a month back to the rails-core mailing list; no response there, but perhaps this is the best place for it anyway. I'll take a look at patching this myself and try sending that in too...

From RFC 2617 - http://tools.ietf.org/html/rfc2617 - which specifies Digest Authentication, the section discussing the "digest-uri" element states:

"digest-uri
The URI from Request-URI of the Request-Line; duplicated here because proxies are allowed to change the Request-Line in
transit."

and the detailed discussion on calculation of the digest value specifically says:

"where "digest-uri-value" is the value of the "uri" directive on the Authorization header in the request."

That is, the "digest-uri" provided in the Authorization header is what should be used in calculating the digest for authentication purposes, not the request URI - because that string may change between the client and the ultimate server responding to the request.

However, it looks like this has been implemented incorrectly in Rails ActionController::HttpAuthentication for some time - for example from actionpack-3.0.7/lib/action_controller/metal/http_authentication.rb line 188:

uri = credentials[:uri][0,1] == '/' ? request.fullpath : request.url

This should be simply:

uri = credentials[:uri]

We ran into this bug when switching from a java-Spring-Acegi authentication handler to Rails HttpAuthentication. It had always worked perfectly with Acegi. Rails digest authentication worked fine when connecting directly to the server it was installed on, but when connecting to a front-end server that rewrites the URLs, Rails digest authentication always failed. With the above patch, digest authentication works correctly again.

If there's a need to verify that the digest-uri matches in some way the request uri the server should do that separately from the actual digest authentication piece, which should just match the specifications of RFC 2617. Agreed?
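The following Ruby script is an added illustration of the point made above; it is not code from Rails or from this issue. It computes the RFC 2617 digest (qop=auth) the way a client does for the URI it sends, then verifies it twice on the server side: once over the request path the server actually sees (the old Rails behaviour) and once over the "uri" directive from the Authorization header (what the RFC prescribes). All usernames, passwords, nonces and paths are constructed sample values, and the proxy is simulated by simply stripping an "/api" prefix. The separate `uri_matches_request?` check at the end is a hypothetical example of the kind of consistency check the post suggests doing outside the digest calculation itself.

```ruby
require 'digest/md5'

# Constructed sample secret; in a real server this comes from the user store.
PASSWORD = 's3cret'

# HA1 = MD5(username:realm:password), per RFC 2617 section 3.2.2.2
def ha1(username, realm, password)
  Digest::MD5.hexdigest("#{username}:#{realm}:#{password}")
end

# HA2 = MD5(method:digest-uri) for qop=auth
def ha2(method, digest_uri)
  Digest::MD5.hexdigest("#{method}:#{digest_uri}")
end

# response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
# `digest_uri` is whichever string the caller chooses to hash; the whole
# issue is about which string that should be.
def digest_response(credentials, password, method, digest_uri)
  a1 = ha1(credentials[:username], credentials[:realm], password)
  a2 = ha2(method, digest_uri)
  Digest::MD5.hexdigest([a1, credentials[:nonce], credentials[:nc],
                         credentials[:cnonce], credentials[:qop], a2].join(':'))
end

# Client side: build the Authorization directives for the URI the client sends.
def client_credentials(username, realm, nonce, password, method, uri)
  creds = { username: username, realm: realm, nonce: nonce, uri: uri,
            nc: '00000001', cnonce: '0a4f113b', qop: 'auth' } # constructed nc/cnonce
  creds[:response] = digest_response(creds, password, method, uri)
  creds
end

# Server side, old behaviour: recompute over the path of the request as received.
# Breaks as soon as anything between client and server rewrites the path.
def valid_using_request_path?(credentials, password, method, request_path)
  credentials[:response] == digest_response(credentials, password, method, request_path)
end

# Server side, RFC 2617 behaviour: recompute over the "uri" directive the client sent.
def valid_using_credentials_uri?(credentials, password, method)
  credentials[:response] == digest_response(credentials, password, method, credentials[:uri])
end

# Hypothetical separate consistency check, decoupled from the digest itself:
# accept the request if the digest-uri equals the request path, or equals it
# after a known proxy prefix is re-added.
def uri_matches_request?(digest_uri, request_path, stripped_prefix: nil)
  return true if digest_uri == request_path
  !stripped_prefix.nil? && digest_uri == "#{stripped_prefix}#{request_path}"
end

# Walk through the scenario from the issue with constructed values.
def demo
  nonce = 'dcd98b7102dd2f0e8b11d0f600bfb0c0' # constructed server nonce
  client_uri = '/api/report?id=7'
  creds = client_credentials('arthur', 'app', nonce, PASSWORD, 'GET', client_uri)
  proxied_path = '/report?id=7' # constructed: the front-end proxy strips /api
  {
    direct_old:  valid_using_request_path?(creds, PASSWORD, 'GET', client_uri),
    proxied_old: valid_using_request_path?(creds, PASSWORD, 'GET', proxied_path),
    proxied_rfc: valid_using_credentials_uri?(creds, PASSWORD, 'GET'),
    uri_consistent: uri_matches_request?(creds[:uri], proxied_path, stripped_prefix: '/api')
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the script prints `direct_old` and `proxied_rfc` as true and `proxied_old` as false: the digest built over the request path only works when no proxy touched the URL, while the digest built over the client's own "uri" directive works in both cases. Note that hashing `credentials[:uri]` alone means the server no longer checks that the client actually signed the resource it is asking for, which is exactly why the post proposes doing that comparison as a separate step.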

@isaacsanders

@arthurpsmith Is this still an issue?

@arthurpsmith

As far as I am aware, yes it is still an issue. For the service where we need Digest authentication we're running rails 3.0.9 with my patch so as far as that goes it's working for us. However, it would probably break and need to be re-patched if we update to a newer rails version. I've had no indication this has been fixed in rails releases since then.

I just compared actionpack-3.2.3 and it looks like there are some changes in the digest authentication section - in particular the uri now uses request.original_fullpath etc. instead of request.fullpath. This seems to depend on an environment variable ORIGINAL_FULLPATH which seems to be set by rails/application.rb - but I see no sign this addresses at all the issue of a proxy that may rewrite the URL. The RFC is very specific - the URL provided in the credentials is to be used for Digest authentication, and it is clear this has still not been fixed in 3.2.3.

@steveklabnik added a commit to steveklabnik/rails that referenced this issue Aug 2, 2012: "Changelog entry for Digest Auth fix (#2301)" 6beaafd
@rafaelfranca
Ruby on Rails member

Fixed @ 6e52376

@arthurpsmith

Yup, it's done, thanks all.

@pacoguzman

Trying to upgrade an application to Rails 4 I've reached a problem with our digest authentication that maybe is related to which requests we're authenticating. Does anyone know if credentials[:uri] should respect the parameters that came with the request?

With this change credentials[:uri] only preserves the path, so the authentication doesn't work.
