Retrieve NTLM Active Directory user data to Rails w/o IIS - ruby-on-rails

I believe that we can allow Firefox to send NTLM data to SharePoint sites to do automatic authentication, and I think that this is doable with IIS.
I'd like to do the same thing with an internal Rails site.
Does anyone know of a way that I could authenticate NTLM-type user information through an Apache/Mongrel setup (provided of course that it's already running on a Windows box inside of an Active Directory domain)?

I created a tutorial on how to install the patched mod_ntlm module for Apache on Linux, how to pass the NTLM-authenticated username to Rails, and how to create a Rails session from that. So as a result you do not need a Windows server for running the Rails application.
There you can find also how to enable automatic NTLM authentication in Firefox — enter "about:config" in location field and then search for "network.automatic-ntlm-auth.trusted-uris". There you can enter servers for which you would like to use automatic NTLM authentication.

Bit of extra info in case anyone stumbles across this.
I wanted to do something which I thought should be pretty simple - extract the user's Windows username using NTLM from a Rails app running on Mongrel/Windows (InstantRails actually). Having written the basic code to manage the various handshaking operations (using the great NTLMRuby library at http://rubyforge.org/projects/rubyntlm/) and having got it to work wonderfully in Firefox, I was somewhat frustrated to find IE not working.
Mongrel doesn't support keep-alives during the type1/2/3 message exchange (at least natively, I believe there's a hack/fix for it), which IE demands and Firefox gets by without.
So authenticating a Rails server running on Windows against a remote NTLM service (e.g. SharePoint or another web site) is reasonably straightforward, but authenticating an IE browser against a Rails server running on Windows not so much with Mongrel. IIS would be an option, as might be basic Apache with FastCGI. The former feels a bit clunky and the latter won't be as fast as Mongrel.

I'm assuming you've already worked out which HTTP headers you need to send in order to get Firefox and IE to send back the NTLM authentication stuff, and are just needing to handle that on the server side?
You could use some of Ruby's win32 libraries to access the underlying Windows authentication functions which handle the NTLM.
I'd suggest the path of least resistance might be to see if there is a COM component which can do the authentication for you, and if so, to use it using the Win32OLE ruby library.
If there's no COM component, you might be able to find something in one of those other libraries which can invoke the native win32 methods for you.
If you can't find that, you'd have to write a Ruby C extension. I've done this on Linux, and extending Ruby is pretty easy, but you may find the Microsoft authentication APIs a bit painful.
Hope that gets you started on the right track :-)

You could also use the Apache ntlm module, which should pass a header onwards to your application with the username of the authenticated user. That module looks a bit old, but suggests some other modules that may suit your needs.

Old question I know but I came across this looking for a similar answer.
You could use the methods described here (http://blog.rayapps.com/2008/12/02/ntlm-windows-domain-authentication-for-rails-application/). However, mod_ntlm is for Windows authentication on a UNIX/Linux machine. mod_auth_sspi is what you'll need for WinNT authentication from Apache under Windows.
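Several answers above (the rayapps tutorial, the Apache ntlm module, mod_auth_sspi) end at the same point: Apache does the NTLM handshake and hands the application a header carrying the authenticated username. The following is an added example, not code from the rayapps tutorial, the thread, or any of the modules named; it shows the application side as a Rack middleware. It assumes that Apache forwards the principal in an `X-Remote-User` header (the header name is an assumption, match it to your Apache configuration) and that the app server only accepts connections from that proxy. The one check that matters is the `REMOTE_ADDR` test: a client that can reach Mongrel directly would otherwise simply send the header itself.

```ruby
# Added example (not from the thread or the rayapps tutorial): the
# Rails-side half of "pass the NTLM-authenticated username to the app".
# Assumptions: Apache (mod_ntlm on Linux, mod_auth_sspi on Windows) fronts
# the app server and forwards the principal as X-Remote-User (assumed name),
# and the app server is reachable only from that proxy host.
module ProxyNtlmSession
  HEADER = 'HTTP_X_REMOTE_USER'.freeze          # Rack's key for "X-Remote-User"
  TRUSTED_PROXIES = %w[127.0.0.1 ::1].freeze    # addresses Apache connects from

  # Returns the bare, normalized username, or nil for an anonymous request.
  # Only a request that arrived from the trusted proxy may assert an identity;
  # anything that reached the app server directly is treated as anonymous.
  def self.principal_from(env)
    return nil unless TRUSTED_PROXIES.include?(env['REMOTE_ADDR'])
    raw = env[HEADER].to_s.strip
    return nil if raw.empty?
    user = raw.split('\\').last.downcase        # DOMAIN\user -> user
    user.match?(/\A[a-z0-9._-]{1,64}\z/) ? user : nil
  end

  class Middleware
    def initialize(app)
      @app = app
    end

    def call(env)
      env['rack.session'] ||= {}
      user = ProxyNtlmSession.principal_from(env)
      if user
        env['rack.session']['user'] = user       # what the app's current_user reads
      else
        env['rack.session'].delete('user')       # never keep a stale identity around
      end
      env.delete(ProxyNtlmSession::HEADER)       # app code must not read the raw header
      @app.call(env)
    end
  end
end
```

`principal_from` is deliberately strict about the character set: the value comes from a header, so treating it as already-validated input would put the header-setting proxy in the trusted computing base for everything downstream (logging, SQL lookups, file paths).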

This particular project looks promising and is looking for contributors:
Rack middleware for transparent authentication with NTLM.
I haven't yet tried this out. For the moment I plan on implementing Raimonds' solution as it appears to have a lot of success.

Check out Waffle. It provides SSO on Windows to Java servers using Win32 API. There're a number of implemented filters (servlet, tomcat valve, spring-security).

Related

Developing oAUTH service in OpenEdge WebSpeed

I'm developing a new website which is going to include web API. What I want to know is how easy (or hard) is it to develop the server side oAUTH service into my new website?
I'm using OE11.0 WebSpeed in combination with Apache. Because I've been doing Progress/OpenEdge 4GL/ABL development for over 10 years and nothing else, I find it very hard to translate existing code like PHP, Python, Java etc.
I've read the RFC related to oAUTH and I find myself getting lost in "key-varner".
Has anybody developed oAUTH server-side code in OpenEdge WebSpeed? If so, are you willing to share?
The CLR bridge works in OE 11 onwards now and we use .NET dll's in WebSpeed successfully.
I think your best bet is to do this outside of Webspeed / ABL, otherwise you are stuck re-inventing the wheel. The easiest solution would be to call a .NET library directly from your ABL code but I think that the CLR bridge doesn't work for Webspeed / Appserver apps.
One solution is to have a separate, non-Webspeed app just to handle these oAUTH requests, using a ProxyPass directive on your Apache server to pattern match the URIs and route the requests to the appropriate app.
You could use any non-Webspeed tech. you want, but since I know Ruby best, I will point out the excellent omniauth gem, which supports arbitrary authentication strategies, including oAUTH. You can create a custom gem for your specific provider by working off of any of these strategies (see the "Notes" section and look at any of them that cite "OAuth API" or "OAuth 2 API").
If you want to go whole hog and write the entire app in a different language (yet still using an OpenEdge database), I will toot my own horn and point out the Ruby adapter for OpenEdge databases. This would allow you to use the Ruby on Rails framework for your Web app.

BizTalk Server 2009 basic authentication to Ruby on Rails website

I have a Rails website that allows an authenticated client to post XML to a specific URL. In this particular instance, the post request is coming from a BizTalk 2009 server. Rails keeps responding with 401 Unauthorized and I'm not sure why.
The authentication on the Rails side is handled by Restful Authentication via HTTP basic auth. I have tested posting XML to the production site using curl and the credentials of the client in question and it appears to work fine. The owner of the BizTalk server and I have verified the credentials and the URL.
Is there something particular about the way BizTalk handles its basic authentication? Or is there something weird with Rails or Restful Auth? Any ideas? The web server on the Rails side is Nginx with Passenger 3.
What credentials are you using to authenticate? It would need to be that of the BizTalk service account that is sending the request. What adapter are you using?
Unfortunately, the problem went away undetected. I had to modify the auth code to deal with authentication problems in Internet Explorer (see http://rails_security.lighthouseapp.com/projects/15332/tickets/5-using-http-basic-authentication-with-ie-not-working). It's possible that BizTalk would have the same problem, but I can't verify.
It's also possible that the owner of the BizTalk server updated the credentials used to contact our service, but again I can't verify.
As we have bigger fish to fry, it's not worth it to us to track down the exact issue since all is working fine now. Of course that could change and I'll dig deeper and perhaps update this thread.
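The thread never found out which stage of the Basic-auth exchange BizTalk was failing at, and a bare 401 gives no hint. Below is an added example, not the questioner's Restful Authentication code and not from the thread, of a server-side Basic check that reports the reason for each 401 (no header, wrong scheme, undecodable token, bad credentials) so the distinction can be logged. The user table and password are constructed; SHA-256 stands in for a real password hash only to keep the example dependency-free.

```ruby
# Added example, not from the thread: an HTTP Basic check that reports *why*
# it answered 401 so a failing integration can be narrowed down from the log.
# USERS is constructed sample data; a real deployment would store bcrypt or
# similar rather than a plain SHA-256.
require 'digest'

module BasicAuthCheck
  USERS = { 'biztalk' => Digest::SHA256.hexdigest('s3cret') }.freeze
  DUMMY_HASH = Digest::SHA256.hexdigest('')   # compared against for unknown users

  # Parse an Authorization header value.
  # Returns [:ok, user, pass] or [:error, reason].
  def self.parse(header)
    return [:error, :missing] if header.nil? || header.strip.empty?
    scheme, token = header.strip.split(' ', 2)
    return [:error, :not_basic] unless scheme.casecmp('basic').zero?
    return [:error, :malformed] if token.nil?
    decoded = (token.strip.unpack1('m0') rescue nil)   # strict base64 decode
    return [:error, :malformed] unless decoded && decoded.include?(':')
    user, pass = decoded.split(':', 2)   # only the first ':' separates; passwords may contain ':'
    [:ok, user, pass]
  end

  # Byte-by-byte comparison that does not stop at the first difference.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Returns [status, reason]; log `reason` on 401 to see which stage failed.
  def self.authenticate(header)
    outcome = parse(header)
    return [401, outcome[1]] if outcome[0] == :error
    _, user, pass = outcome
    expected = USERS.fetch(user) { DUMMY_HASH }   # unknown users still do a compare
    match = constant_time_equal?(Digest::SHA256.hexdigest(pass), expected)
    match && USERS.key?(user) ? [200, :ok] : [401, :bad_credentials]
  end

  # What a client such as `curl -u user:pass` sends.
  def self.header_for(user, pass)
    'Basic ' + ["#{user}:#{pass}"].pack('m0')
  end
end
```

Comparing the curl request that works against the BizTalk request that fails at the `reason` level (for instance `:not_basic` when the client sends NTLM or Negotiate first, or `:missing` when it waits for a challenge before sending credentials) is usually enough to tell whether the client or the server-side auth code is at fault.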

Twitter OAUTH and a Win32 EXE Desktop Application

I have been coding against a Delphi EXE (win32 desktop app) to access twitter and do certain functions. It used to use Basic authentication with the api limitation. I know I have to convert this to OAuth. I have been reading over the documentation trying to determine the best approach. I understand the best method is the Web browser with a call back url. I also know that Twitter includes a Pin Based (oob) authentication method. I figured this was the route to go with this application, but I want to make sure since that is not seamless. It requires the user to go external to the application and get a pin number. It also is not as secure since the access token returned never expires.
I am using Indy v10 components to do the GET/POST operations, so I am wondering if there is a way to do this using them and being able to do a callback and not use the Pin authentication method.
Can anyone help me?
Also I've been trying to get Chuck Beasley's Twitter Class working in Delphi 7 with Indy v10 and I've been having trouble. IdObjs and Idsys don't exist anymore. Has anyone got this class to work with my scenario?
Thanks,
David
OAuth is a standard used for Web applications, its text is liberally littered with the word 'agent', meaning a browser. The best solution IMHO is, if possible, to actually have a callback URL, meaning you have your own site which provides the service to back your application functionality. There are services that make this possible for third parties already, like JanRain. If these options are not feasible (meaning you cannot provide a true WWW site for the callback URL), then your only option is indeed the out-of-band authentication, oob. Don't even think about having the OAuth authentication call back the app listening on some port, that is completely unreliable for 1) the vast majority of apps will sit behind some sort of NAT device (router, outbound proxy) which makes them unreachable from the OAuth provider and 2) the OS firewall will block your incoming calls.
In the meantime, Beasley's Twitter class has been expanded/updated; see the latest incarnation
I've started a library that uses Synapse to access twitter. It can use OOB/PIN authentication and predefined oauth token/secret. It can be extended to use browser based auth. Currently written using FPC but should be adaptable to Delphi quite easily. FPCTwit code
You may want to try my take on Twitter, which supports Unicode as well, unlike the other Delphi implementations:
http://eden.fm/2011/02/27/twitter-library-for-delphi/
I don't use Indy though, but ICS
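Whichever HTTP component the Delphi side ends up using, the part that has to be exactly right is the OAuth 1.0a signature, and the PIN-based (oob) flow the question describes differs from the web flow only in two parameters: `oauth_callback=oob` on the request-token call, and the PIN sent as `oauth_verifier` on the access-token call. The following is an added example, not from the thread and not code from any of the Delphi or FPC libraries mentioned; it implements RFC 5849 HMAC-SHA1 signing in Ruby and builds the three steps of the oob flow. The endpoint paths are Twitter's documented OAuth 1.0a ones; the consumer key, secrets, nonce and timestamp in the test are constructed values.

```ruby
# Added example, not from the thread or the libraries it names: OAuth 1.0a
# request signing (RFC 5849, HMAC-SHA1) as a desktop client does it for the
# PIN-based ("oob") flow. Key, secret, nonce and timestamp values are
# supplied by the caller; the ones used in the test are constructed.
require 'openssl'
require 'uri'

module OAuth1
  REQUEST_TOKEN_URL = 'https://api.twitter.com/oauth/request_token'
  AUTHORIZE_URL     = 'https://api.twitter.com/oauth/authorize'
  ACCESS_TOKEN_URL  = 'https://api.twitter.com/oauth/access_token'

  # RFC 5849 section 3.6 percent-encoding: only unreserved characters pass
  # through; everything else (space, "/", "*", ...) becomes %XX per UTF-8 byte.
  def self.encode(str)
    str.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| '%%%02X' % c.ord }
  end

  # Signature base string: METHOD & enc(base URL) & enc(sorted, normalized params).
  def self.base_string(method, url, params)
    uri = URI.parse(url)
    port = uri.port == uri.default_port ? '' : ":#{uri.port}"
    base_url = "#{uri.scheme.downcase}://#{uri.host.downcase}#{port}#{uri.path}"
    normalized = params.map { |k, v| [encode(k), encode(v)] }.sort
                       .map { |k, v| "#{k}=#{v}" }.join('&')
    [method.to_s.upcase, encode(base_url), encode(normalized)].join('&')
  end

  # HMAC-SHA1 over the base string, keyed by enc(consumer secret)&enc(token secret).
  def self.sign(method, url, params, consumer_secret, token_secret = '')
    key = "#{encode(consumer_secret)}&#{encode(token_secret)}"
    [OpenSSL::HMAC.digest('sha1', key, base_string(method, url, params))].pack('m0')
  end

  # Authorization header. `extra` are non-oauth_* query/body parameters: they
  # are part of what gets signed but are not placed in the header.
  def self.authorization_header(method, url, oauth, consumer_secret, token_secret = '', extra = {})
    sig = sign(method, url, oauth.merge(extra), consumer_secret, token_secret)
    'OAuth ' + oauth.merge('oauth_signature' => sig).sort
                    .map { |k, v| "#{encode(k)}=\"#{encode(v)}\"" }.join(', ')
  end

  # Inverse of authorization_header, handy for inspecting what was produced.
  def self.parse_header(header)
    header.sub(/\AOAuth /, '').split(', ').to_h { |kv|
      k, v = kv.split('=', 2)
      [URI.decode_www_form_component(k), URI.decode_www_form_component(v.delete('"'))]
    }
  end

  def self.common(consumer_key, nonce, timestamp)
    { 'oauth_consumer_key' => consumer_key, 'oauth_nonce' => nonce,
      'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => timestamp.to_s,
      'oauth_version' => '1.0' }
  end

  # Step 1: obtain temporary credentials, declaring that there is no callback URL.
  def self.request_token_header(ck, cs, nonce:, timestamp:)
    oauth = common(ck, nonce, timestamp).merge('oauth_callback' => 'oob')
    authorization_header('POST', REQUEST_TOKEN_URL, oauth, cs)
  end

  # Step 2: the URL the user opens in a browser; the provider shows the PIN there.
  def self.authorize_url(temp_token)
    "#{AUTHORIZE_URL}?oauth_token=#{encode(temp_token)}"
  end

  # Step 3: trade the temporary token plus the PIN (oauth_verifier) for the
  # long-lived access token; this call is signed with the temporary token secret.
  def self.access_token_header(ck, cs, temp_token, temp_secret, pin, nonce:, timestamp:)
    oauth = common(ck, nonce, timestamp).merge('oauth_token' => temp_token, 'oauth_verifier' => pin)
    authorization_header('POST', ACCESS_TOKEN_URL, oauth, cs, temp_secret)
  end
end
```

The nonce and timestamp are what keep a captured header from being replayed, so a real client generates a fresh random nonce per request; the PIN is single-use on the provider side, which is why an attacker who sees the authorize URL cannot finish the flow without also seeing what the user typed.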

Work flow for authentication and API use with Twitter on OAuth

I'm a bit confused about all this OAuth brouhaha in the sense that all the examples I can find are for web applications and none of them for desktop applications.
I understand the Web application work flow, but that includes some redirections between the web app and twitter.
How does one do this in a desktop application?
How do the redirects work?
Should I have to include a Web Browser object?
Is there a way to go around this?
Could anyone point me to resources instead of a full blown solution please?
Thanks
Not sure which language you're using, but the .NET library for Twitter called Tweetsharp has a post on using Tweetsharp from a desktop app and authenticating via OAuth. See http://tweetsharp.com/?p=68. If you're not using .NET then perhaps it will inspire something you can do?
Basically, what tweetsharp does is launch the browser to the authentication URL and then waits for the user to return. I don't know of any way to do this other than something like that (Or include a WebBrowser control of some kind to launch the authentication URL in your own window).
Here's a straightforward solution, implemented as a set of PHP scripts for running from the command line. Well documented and explained, with a helpful 'verbose' option for debugging.
http://nullinfo.wordpress.com/oauth-twitter/
After some poking around and asking some questions about this subject to some other programmers, it looks like it's still an ongoing discussion, with no visible light at the end of the tunnel.
But for people interested on the ongoing discussion, here's the best link to have:
OAuth Desktop Discussion
I've seen a few desktop apps get around this by effectively embedding a browser into their program, so they can just open the in-app browser window to let you do the login and authorisation. This strikes me as a bit of a cheat or defeat of purpose because you still end up typing your ID and password inside the application anyway.
One possibility I was thinking of was, your desktop application could embed a mini HTTP server inside it. So then it launches the default browser to perform the authorisation, with a callback URL something like http://127.0.0.1:8765/oauthorized and then just listen for it.
Would that work?
Not sure what you would do for console applications... spawn a copy of lynx?
Include a WebBrowser control in your app. Put it in a panel or a separate form that you'll Form.ShowDialog().
Create a callback for the browser's successful posting of OAuth and one for a rejection. Don't forget to check for a FailWhale.
In the callback, you close the panel or form and store the token.
Here's a nice overview with sample code and everything: http://tweetsharp.com/2009/04/how-to-authenticate-a-desktop-application-with-oauth/
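Two of the answers above describe the same mechanism in different words: launch the system browser, then wait for the user to come back. The "mini HTTP server inside the app" variant proposed above is an added example here, not code from the thread or from TweetSharp; it binds a one-shot listener to 127.0.0.1 on an OS-chosen port, accepts exactly one request, and only accepts it if the `oauth_token` in the callback matches the temporary token the application itself requested. Binding to the loopback address rather than all interfaces is the part that addresses the NAT and firewall objection raised in the earlier thread: nothing off the machine ever needs to reach the port. The callback path `/oauthorized` and the request in the test are constructed.

```ruby
# Added example, not from the thread: the "mini HTTP server" idea as a
# one-shot loopback listener for an OAuth callback. It accepts a single
# connection, checks the token against the one the app requested, answers
# the browser, and hands the verifier back to the caller through the thread.
require 'socket'
require 'uri'

module LoopbackCallback
  Result = Struct.new(:token, :verifier)

  # Parse "GET /oauthorized?oauth_token=..&oauth_verifier=.. HTTP/1.1".
  # Returns a Result, or nil if this is not the callback we are waiting for.
  def self.parse_request_line(line, expected_path, expected_token)
    method, target, = line.to_s.split(' ')
    return nil unless method == 'GET' && target
    uri = (URI.parse(target) rescue nil)
    return nil unless uri && uri.path == expected_path && uri.query
    q = URI.decode_www_form(uri.query).to_h
    token, verifier = q['oauth_token'], q['oauth_verifier']
    # only the callback for the temporary token we actually issued counts
    return nil unless token && verifier && token == expected_token
    return nil unless verifier.match?(/\A[A-Za-z0-9_-]{1,128}\z/)
    Result.new(token, verifier)
  end

  # The URL to register as oauth_callback once the port is known.
  def self.callback_url(port, path)
    "http://127.0.0.1:#{port}#{path}"
  end

  # Bind to the loopback interface only, wait up to `timeout` seconds for one
  # connection, and return [port, thread]; thread.value is the Result or nil.
  def self.listen(expected_path, expected_token, timeout: 120)
    server = TCPServer.new('127.0.0.1', 0)   # never 0.0.0.0; port 0 = OS picks
    port = server.addr[1]
    thread = Thread.new do
      begin
        next nil unless IO.select([server], nil, nil, timeout)   # timed out
        client = server.accept
        request_line = client.gets
        while (h = client.gets) && !h.strip.empty?; end          # drain headers
        result = parse_request_line(request_line, expected_path, expected_token)
        body = result ? 'Authorised. You can close this window.' : 'Unexpected request.'
        status = result ? '200 OK' : '400 Bad Request'
        client.write("HTTP/1.1 #{status}\r\nContent-Type: text/plain\r\n" \
                     "Content-Length: #{body.bytesize}\r\nConnection: close\r\n\r\n#{body}")
        client.close
        result
      ensure
        server.close
      end
    end
    [port, thread]
  end
end
```

Usage from the application: call `listen` first so the port is known, register `callback_url(port, '/oauthorized')` in the request-token call, open the authorize URL in the default browser, then block on `thread.value`. Because the socket is closed after the first connection, a second request to the same port (from another local process, say) finds nothing listening.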

Integrating Outlook/Exchange Tasks with Linux-based Rails

Is it possible to integrate MS Outlook/Exchange tasks with Rails? I know how to send emails with Rails, but that isn't using anything "special" about exchange, just pointing it at the server.
What is "special" about an Outlook Task and how can I create/read/update/delete them from Rails? (Even a subset of CRUD would be great.)
PS. I am on a Linux-based Rails system, so solutions that rely on a Windows-only function won't work for me.
If you are running Exchange 2007 you should also look at Exchange web services to manipulate things.
I am in the process of building a MS Exchange client access library in Ruby that uses MS Exchange Web services. The code is GPL'd so have at it. Please let me know what kind of issues you have and what other features you'd like to see. It's pretty heavy in development at this point.
http://github.com/zenchild/Viewpoint
Cheers,
Dan Wanek
WebDAV might be the way to go, if you'd like to do it in Ruby. There is a Ruby gem called rexchange that can do the trick. However, MSFT is phasing out WebDAV and replacing it with the Exchange Web Services, which is what Zoredache suggested. Unfortunately, MSFT only provides an API in C# (technically, it's SOAP stuff that is language-agnostic, and some Java developers seem to have successfully built some stuff using EWS, but I have yet to hear of anyone who has done this in Ruby.)
Assuming that the tasks are stored in Exchange, you should be able to access the tasks through WebDAV.
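The point made above that EWS is plain SOAP and therefore usable from any language is easy to verify. The following is an added example, not the Viewpoint library's code and not from the thread: it builds the `FindItem` request that lists the well-known `tasks` folder, sends it over TLS with Basic auth, and parses the reply into a list of task ids and subjects, raising on a non-Success response rather than returning an empty list. `SAMPLE_RESPONSE` is a constructed reply in the shape EWS returns; the EWS URL and credentials passed to `fetch_tasks` are placeholders.

```ruby
# Added example (not Viewpoint's code, not from the thread): an EWS FindItem
# call for the Tasks folder from plain Ruby, plus a reply parser.
# SAMPLE_RESPONSE is constructed; EWS URL and credentials are placeholders.
require 'rexml/document'
require 'net/http'
require 'openssl'
require 'uri'

module EwsTasks
  NS_M = 'http://schemas.microsoft.com/exchange/services/2006/messages'
  NS_T = 'http://schemas.microsoft.com/exchange/services/2006/types'
  NS   = { 'm' => NS_M, 't' => NS_T }.freeze

  # FindItem over the distinguished "tasks" folder with the Default shape.
  def self.find_tasks_request
    <<~XML
      <?xml version="1.0" encoding="utf-8"?>
      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
                     xmlns:m="#{NS_M}" xmlns:t="#{NS_T}">
        <soap:Body>
          <m:FindItem Traversal="Shallow">
            <m:ItemShape><t:BaseShape>Default</t:BaseShape></m:ItemShape>
            <m:ParentFolderIds><t:DistinguishedFolderId Id="tasks"/></m:ParentFolderIds>
          </m:FindItem>
        </soap:Body>
      </soap:Envelope>
    XML
  end

  # Turn a FindItemResponse into [{id:, change_key:, subject:}, ...].
  # A non-Success response raises instead of quietly looking like "no tasks".
  def self.parse_tasks(xml)
    doc = REXML::Document.new(xml)
    msg = REXML::XPath.first(doc, '//m:FindItemResponseMessage', NS)
    raise 'reply contains no FindItemResponseMessage' unless msg
    klass = msg.attributes['ResponseClass']
    code = REXML::XPath.first(msg, 'm:ResponseCode', NS)&.text
    raise "EWS error: #{klass} #{code}" unless klass == 'Success'
    REXML::XPath.match(msg, './/t:Task', NS).map do |task|
      item_id = REXML::XPath.first(task, 't:ItemId', NS)
      { id: item_id.attributes['Id'],
        change_key: item_id.attributes['ChangeKey'],   # needed later for UpdateItem
        subject: REXML::XPath.first(task, 't:Subject', NS)&.text }
    end
  end

  # POST the request over TLS with Basic auth, certificate verification on.
  def self.fetch_tasks(ews_url, user, password)
    uri = URI.parse(ews_url)   # placeholder, e.g. https://EXCHANGE-HOST/EWS/Exchange.asmx
    req = Net::HTTP::Post.new(uri.path, 'Content-Type' => 'text/xml; charset=utf-8')
    req.basic_auth(user, password)
    req.body = find_tasks_request
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = (uri.scheme == 'https')
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    parse_tasks(http.request(req).body)
  end

  SAMPLE_RESPONSE = <<~XML   # constructed reply in the FindItemResponse shape
    <?xml version="1.0" encoding="utf-8"?>
    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
      <s:Body>
        <m:FindItemResponse xmlns:m="#{NS_M}" xmlns:t="#{NS_T}">
          <m:ResponseMessages>
            <m:FindItemResponseMessage ResponseClass="Success">
              <m:ResponseCode>NoError</m:ResponseCode>
              <m:RootFolder TotalItemsInView="2" IncludesLastItemInRange="true">
                <t:Items>
                  <t:Task>
                    <t:ItemId Id="AAMk-task-1" ChangeKey="CQAAAB"/>
                    <t:Subject>Renew TLS certificate</t:Subject>
                    <t:Status>NotStarted</t:Status>
                  </t:Task>
                  <t:Task>
                    <t:ItemId Id="AAMk-task-2" ChangeKey="CQAAAC"/>
                    <t:Subject>Review firewall rules</t:Subject>
                  </t:Task>
                </t:Items>
              </m:RootFolder>
            </m:FindItemResponseMessage>
          </m:ResponseMessages>
        </m:FindItemResponse>
      </s:Body>
    </s:Envelope>
  XML
end
```

The `ChangeKey` is kept because the update and delete halves of CRUD need it: EWS rejects an `UpdateItem` whose change key is stale, which is how it detects that someone edited the task in Outlook in the meantime.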