Using Authentication with Open-uri

by why in inspect

Obviously big fans of open-uri around here. And development of open-uri has continued with the addition of HTTP Basic authentication, newly implemented in both HEAD and ruby_1_8 branches of CVS.

  require 'open-uri'
  open("http://...", :http_basic_authentication=>[user, password])

I should note that this was implemented at the behest of Kent Sibilev. So, hey, does anyone else have open-uri wishes? (And please don’t say HTTPS. Tanaka-san has a preliminary patch here and, believe me, that dog is running.)

Within hours, HTTPS support is checked in. Just like that. Faster than a beaver tale.

said on 12 Feb 2005 at 04:18

I won’t say the h* word. But it is ubercool :)

said on 12 Feb 2005 at 04:38

Hmm, maybe having support for the http://user:pass@domain/ type of urls would be even better.

said on 12 Feb 2005 at 11:44

That's what I proposed in the first place, but this approach has some security problems.

said on 12 Feb 2005 at 11:45

Wejn: well, calling a URL with userinfo filled like the above will continue to work in the 1.8 series actually.

Running under 1.9 will toss an exception, though, since it’s deprecated in RFC 3986:

Use of the format user:password in the userinfo field is deprecated. Applications should not render as clear text any data after the first colon (":") character found within a userinfo subcomponent unless the data after the colon is the empty string (indicating no password). Applications may choose to ignore or reject such data when it is received as part of a reference and should reject the storage of such data in unencrypted form. The passing of authentication information in clear text has proven to be a security risk in almost every case where it has been used.
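An added example, not from the original post, its comments or open-uri itself: one way to move credentials out of a user:pass@ URL into the :http_basic_authentication option, and to redact such URLs before they are logged, as the RFC text above asks. The helper names and the sample URL are constructed for illustration, and URI.open is the current spelling of the post's open call.

```ruby
require 'open-uri'

# Constructed sample: a legacy URL with the credentials embedded in userinfo.
LEGACY_URL = 'http://kent:s3cr%40t@127.0.0.1:8080/feed.xml?page=2'

# Hide everything after the first colon of the userinfo before a URL is
# logged or displayed, as RFC 3986 asks. An empty password is left alone.
def redact(url)
  url.sub(%r{\A(\w+://[^/@:]*):[^/@]+@}, '\1:***@')
end

# Split a legacy URL into a credential-free URL and the option hash that
# open-uri accepts, so the secret never travels inside the URL string.
def split_credentials(url)
  uri = URI.parse(url)
  raise ArgumentError, "not HTTP(S): #{redact(url)}" unless uri.is_a?(URI::HTTP)
  clean = "#{uri.scheme}://#{uri.host}:#{uri.port}#{uri.request_uri}"
  return [clean, {}] unless uri.user
  # userinfo is percent-encoded inside the URL; decode the ASCII escapes.
  decode = ->(s) { s.to_s.gsub(/%\h\h/) { |m| m[1, 2].hex.chr } }
  [clean, { http_basic_authentication: [decode[uri.user], decode[uri.password]] }]
end

# True when open-uri refuses the URL because of its userinfo. The check
# happens before any connection is made, so this runs offline.
def rejected_by_open_uri?(url)
  URI.open(url) { |_io| }
  false
rescue ArgumentError
  true
end

# Fetch with the credentials moved into the option (needs a live server).
def fetch(url)
  clean, opts = split_credentials(url)
  URI.open(clean, opts, &:read)
end

if __FILE__ == $PROGRAM_NAME
  clean, opts = split_credentials(LEGACY_URL)
  puts redact(LEGACY_URL), clean, opts.keys.inspect
  puts "open-uri rejects userinfo: #{rejected_by_open_uri?(LEGACY_URL)}"
end
```

Basic authentication only base64-encodes the pair, so over plain http the password still crosses the wire in recoverable form; the option keeps it out of URLs and logs, not off the network.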

said on 14 Feb 2005 at 00:39

Huzzah! Huzzah! Down with cleartext! Away with passwords! I think we need a one-time-password library in Ruby like S/Key or something. Huzzah!
