3

I'm running Devise on a web server and I'm trying to get a Java application to authenticate. After the application is authenticated, Devise should authorize the application to create and update records on the web server.

I'm looking at the rails server log, to compare what the web form is posting versus my application. Here are the different outputs:

Web Form (Working)

Parameters: {"utf8"=>"✓", "authenticity_token"=>"vYC9qd0dVIUH7B/wCHW59JwZquX4yaiogXZ32pbn1So=", "user"=>{"username"=>"user", "password"=>"[FILTERED]", "remember_me"=>"0"}, "commit"=>"Sign in"}

Application (Not Working)

Parameters: {"utf8"=>"?", "username"=>"user", "password"=>"[FILTERED]", "commit"=>"Sign in"}

This is my app's code:

    import java.io.IOException;
    import java.util.ArrayList;
    import java.util.List;

    import org.apache.http.HttpResponse;
    import org.apache.http.NameValuePair;
    import org.apache.http.client.ClientProtocolException;
    import org.apache.http.client.entity.UrlEncodedFormEntity;
    import org.apache.http.client.methods.HttpPost;
    import org.apache.http.message.BasicNameValuePair;

    public void webLogin(String methodName, String username, String password) {
        httpPost = new HttpPost(webServiceUrl + methodName);

        try {
            // Build the form body. The keys are flat ("username", "password"),
            // which is the difference from the web form's user[...] keys above.
            List<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>(4);
            nameValuePairs.add(new BasicNameValuePair("utf8", Character.toString('\u2713')));
            nameValuePairs.add(new BasicNameValuePair("username", username));
            nameValuePairs.add(new BasicNameValuePair("password", password));
            nameValuePairs.add(new BasicNameValuePair("commit", "Sign in"));
            // Encode as UTF-8: the one-argument constructor defaults to ISO-8859-1,
            // which cannot represent U+2713 and is why the log shows "utf8"=>"?".
            httpPost.setEntity(new UrlEncodedFormEntity(nameValuePairs, "UTF-8"));

            // Execute HTTP POST request
            HttpResponse response = httpClient.execute(httpPost);

        } catch (ClientProtocolException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

The obvious difference is that the username and password are nested into a user structure. So my question is, how do I create that structure?

EDIT: HTTP header info

    Request URL:http://localhost:3000/users/sign_in
    Request Method:POST
    Status Code:302 Found
    Request Headers
    Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
    Accept-Encoding:gzip,deflate,sdch
    Accept-Language:en-US,en;q=0.8
    Cache-Control:max-age=0
    Connection:keep-alive
    Content-Length:197
    Content-Type:application/x-www-form-urlencoded
    Cookie:_WebApp_session=BAh7CEkiCmZsYXNoBjoGRUZvOiVBY3Rpb25EaXNwYXRjaDo6Rmxhc2g6OkZsYXNoSGFzaAk6CkB1c2VkbzoIU2V0BjoKQGhhc2h7BjoKYWxlcnRUOgxAY2xvc2VkRjoNQGZsYXNoZXN7BjsKSSIfSW52YWxpZCBlbWFpbCBvciBwYXNzd29yZC4GOwBUOglAbm93bzokQWN0aW9uRGlzcGF0Y2g6OkZsYXNoOjpGbGFzaE5vdwY6C0BmbGFzaEAHSSIPc2Vzc2lvbl9pZAY7AEZJIiU4ODVjM2QxNmNkMTI4YWYxN2E5YzEyNmRjYWI1OTI1YgY7AFRJIhBfY3NyZl90b2tlbgY7AEZJIjFNVkV4aFNoSnZsQmhxRUFVdjZtZ0ZBblNVQzJjbU1Kb0l3N1U1OHErNUlVPQY7AEY%3D--8b8a1fcee6c194b938781fa60ddb3a91b1ac8c7c
    Host:localhost:3000
    Origin:http://localhost:3000
    Referer:http://localhost:3000/users/sign_in
    User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
    Form Data (URL encoded)
    utf8:✓
    authenticity_token:MVExhShJvlBhqEAUv6mgFAnSUC2cmMJoIw7U58q+5IU=
    user[username]:user
    user[password]:password
    user[remember_me]:0
    commit:Sign in
    Response Headers
    Cache-Control:no-cache
    Connection:Keep-Alive
    Content-Length:88
    Content-Type:text/html; charset=utf-8
    Date:Thu, 26 Jan 2012 03:57:57 GMT
    Location:http://localhost:3000/
    Server:WEBrick/1.3.1 (Ruby/1.9.2/2011-07-09)
    Set-Cookie:_WebApp_session=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--9e1e39fb97a4452e3693c65cc5f1ac4ad9855c37; path=/; HttpOnly
    X-Runtime:0.231013
    X-Ua-Compatible:IE=Edge
david
  • What does the request from the web page look like? I don't think HTTP has a way to send objects like that; I suspect that RoR has some way of recognizing certain strings as serialized objects. – bdares Jan 26 '12 at 03:42
  • Did I post what you were asking for, bdares? – david Jan 26 '12 at 04:06

2 Answers

2

Seeing what kind of request is working, I'd try this:

    nameValuePairs.add(new BasicNameValuePair("authenticity_token", myToken));
    nameValuePairs.add(new BasicNameValuePair("user[username]", username));
    nameValuePairs.add(new BasicNameValuePair("user[password]", password));
    nameValuePairs.add(new BasicNameValuePair("user[remember_me]", "0")); // both arguments must be Strings
    nameValuePairs.add(new BasicNameValuePair("commit", "Sign in"));

  • Ha, I swear I tried that! It worked; thanks for making me be diligent in what I'm trying. – david Jan 26 '12 at 05:41
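The bracket convention this answer relies on, shown as an added example that is not code from the original post or from Devise: the Ruby below (standard library only) encodes the nested form the way the browser did and re-parses it the way Rack does, so you can see why the flat body never produces `params[:user]`. The two sample hashes are constructed from the two log lines in the question; the password value is made up.

```ruby
require 'uri'

# Flatten a nested Hash into [name, value] pairs using the bracket convention
# Rails/Rack expect: {"user" => {"username" => "x"}} becomes ["user[username]", "x"].
def flatten_params(params, prefix = nil, out = [])
  params.each do |key, value|
    name = prefix ? "#{prefix}[#{key}]" : key.to_s
    if value.is_a?(Hash)
      flatten_params(value, name, out)
    else
      out << [name, value.to_s]
    end
  end
  out
end

# Encode the flattened pairs as application/x-www-form-urlencoded. URI.encode_www_form
# percent-encodes the UTF-8 bytes of each value, so U+2713 becomes %E2%9C%93 rather
# than the "?" that an ISO-8859-1 encoder produces.
def encode_form(params)
  URI.encode_www_form(flatten_params(params))
end

# Minimal re-implementation of how Rack turns "user[username]=x" back into
# {"user" => {"username" => "x"}}. Array syntax (user[roles][]) is deliberately
# left out; a Devise sign-in form does not use it.
def parse_nested_query(body)
  params = {}
  body.split('&').each do |pair|
    raw_key, raw_value = pair.split('=', 2)
    key   = URI.decode_www_form_component(raw_key)
    value = URI.decode_www_form_component(raw_value.to_s)
    head  = key[/\A[^\[]*/]                  # "user"
    rest  = key.scan(/\[([^\]]*)\]/).flatten # ["username"]
    path  = [head, *rest]
    node  = params
    path[0...-1].each { |segment| node = (node[segment] ||= {}) }
    node[path.last] = value
  end
  params
end

# Does the decoded body carry what Devise's SessionsController reads:
# params[:user] with the authentication keys inside it?
def devise_login_params?(body)
  user = parse_nested_query(body)["user"]
  user.is_a?(Hash) && !user["username"].nil? && !user["password"].nil?
end

# Constructed sample inputs mirroring the two log lines in the question.
FLAT_LOGIN = {
  "utf8" => "\u2713", "username" => "user", "password" => "hunter2", "commit" => "Sign in"
}
NESTED_LOGIN = {
  "utf8" => "\u2713",
  "user" => { "username" => "user", "password" => "hunter2", "remember_me" => "0" },
  "commit" => "Sign in"
}

if __FILE__ == $PROGRAM_NAME
  [FLAT_LOGIN, NESTED_LOGIN].each do |form|
    body = encode_form(form)
    puts body
    puts "  -> Devise sees params[:user]? #{devise_login_params?(body)}"
  end
end
```

The flat body decodes to top-level `username` and `password` keys, which Devise ignores, so the sign-in fails silently with a redirect; the nested body round-trips to exactly the hash the Rails log printed for the working web form.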
0

I think that while making the POST request you also need to send your authenticity_token.

"authenticity_token"=>"vYC9qd0dVIUH7B/wCHW59JwZquX4yaiogXZ32pbn1So="

What does authenticity_token do?

When the user views a form to create, update, or destroy a resource, the rails app would create a random authenticity_token, store this token in the session, and place it in a hidden field in the form. When the user submits the form, rails would look for the authenticity_token, compare it to the one stored in the session, and if they match the request is allowed to continue.

The last line says that if they match, the request is allowed to continue, which is not happening when you are making the POST request from your Java code.

RanRag
  • I know that's an issue, but I currently have CSRF disabled. In application_controller.rb, "protect_from_forgery" is commented out. So, I don't think that's the issue. – david Jan 26 '12 at 03:43
  • If you know how I can get the token and add that in too, that would be great! – david Jan 26 '12 at 03:44
  • For cookie handling you need to either use Java's built-in `cookie class` or check the `http-client` documentation for cookie/session handling and management. – RanRag Jan 26 '12 at 03:50
  • I am no rails expert but in [this post](http://stackoverflow.com/a/6868714/776084). A different way is mentioned to remove auth_token. – RanRag Jan 26 '12 at 03:52
  • I added config.action_controller.allow_forgery_protection = false, like that post suggested. That did remove the authenticity token when I use the web form, but the java application is still not able to authenticate. – david Jan 26 '12 at 04:04
  • OK. You can try two more things: 1) there is a `Set-Cookie` in the HTTP header info; try sending this through your Java code, and 2) also try setting the User-Agent string. – RanRag Jan 26 '12 at 04:08
  • I can do other types of POSTs, I can do all CRUD things. The only problem I'm having issues with is signing in. – david Jan 26 '12 at 04:35
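The token-plus-session flow this answer describes, as an added example that is not code from the original page or from Devise: a Ruby sketch (standard library only) that takes the sign-in form and the Set-Cookie header from a GET /users/sign_in response, extracts the authenticity_token and the session cookie, and builds the POST body and headers a non-browser client must send when protect_from_forgery is left enabled. The HTML markup and the cookie value are constructed stand-ins; the token string is the one from the question's log.

```ruby
require 'uri'

# Constructed stand-in for the page Devise serves at GET /users/sign_in.
# The token value is reused from the question's log; the markup is an assumption.
SIGN_IN_HTML = <<~HTML
  <form action="/users/sign_in" method="post">
    <input name="utf8" type="hidden" value="&#x2713;" />
    <input name="authenticity_token" type="hidden" value="vYC9qd0dVIUH7B/wCHW59JwZquX4yaiogXZ32pbn1So=" />
    <input id="user_username" name="user[username]" type="text" />
    <input id="user_password" name="user[password]" type="password" />
  </form>
HTML

# Constructed Set-Cookie header in the shape WEBrick sent above (value shortened).
SET_COOKIE = "_WebApp_session=BAh7CEkiCmZsYXNo--9e1e39fb97a4; path=/; HttpOnly"

# Pull the hidden CSRF token out of the rendered form. Rails compares it with the
# one stored in the session, so it is only valid together with the session cookie
# that came back in the same response.
def extract_authenticity_token(html)
  m = html.match(/name="authenticity_token"[^>]*value="([^"]+)"/)
  m && m[1]
end

# Keep only the name=value part of Set-Cookie; path and HttpOnly are attributes
# meant for the client, not something to echo back to the server.
def session_cookie(set_cookie_header)
  set_cookie_header.split(';', 2).first.strip
end

# Assemble the POST a non-browser client must send once protect_from_forgery is on:
# nested user[...] keys, the token from the form, and the session cookie it belongs to.
def build_sign_in_request(html, set_cookie_header, username, password)
  token = extract_authenticity_token(html)
  raise "sign-in form carries no authenticity_token" if token.nil?
  body = URI.encode_www_form(
    "utf8" => "\u2713",
    "authenticity_token" => token,   # "+" and "/" in the token get percent-encoded here
    "user[username]" => username,
    "user[password]" => password,
    "user[remember_me]" => "0",
    "commit" => "Sign in"
  )
  {
    method: "POST",
    path: "/users/sign_in",
    headers: {
      "Content-Type" => "application/x-www-form-urlencoded; charset=UTF-8",
      "Cookie" => session_cookie(set_cookie_header)
    },
    body: body
  }
end

if __FILE__ == $PROGRAM_NAME
  req = build_sign_in_request(SIGN_IN_HTML, SET_COOKIE, "user", "hunter2")
  req[:headers].each { |name, value| puts "#{name}: #{value}" }
  puts
  puts req[:body]
end
```

Sending the token without the cookie (or the cookie without the token) fails, because Rails checks the submitted token against the one stored in that session; the same constraint applies to an HttpClient or java.net implementation, which is why the cookie-handling advice in the comments matters even after the body is shaped correctly.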