posting to rails app from another process - authenticity problems

Hi, I am trying to post some data to our existing Rails application from a separate Java application. I am running into the problem of not having a valid authenticity token. How can I get around this? The Java app is not totally under our control so I don't think I can add stuff like session handling to it (and I shouldn't have to!).

Anyone have experience with this?

Thanks!

Hi,

Put protect_from_forgery :except => :index at the top of your controller,
where :index is your action.

Cheers Simon

Isn't that a security hole? Is there a way around this with some sort of authentication on the method (HTTP Basic for instance)? Could I do what you suggest but then also code the method to use that?

Sorry - this kind of thing is new to me!

Isn't that a security hole? Is there a way around this with some sort of authentication on the method (HTTP Basic for instance)? Could I do what you suggest but then also code the method to use that?

You're not going to want to have crsf tokens and what not for an api.
It doesn't make any sense. Use http basic, restrict it to requests
from the internal network, use api tokens etc... etc... The world is your oyster.

Fred

Sorry... what? Your answer is somewhat cryptic...

Are you recommending http basic?

to make that clearer:

Sorry... what? Your answer is somewhat cryptic...

well, you are asking

Is there a way around this with some sort of authentication on the method?

and fred tells you to go rope-skipping:

You're not going to want to have crsf tokens and what not for an api.

http://www.crsf.net

if you think about it, he probably meant CSRF: http://www.cgisecurity.com/csrf-faq.html

and therefore: "no, there is no way around this", because

It doesn't make any sense.

so, you have plenty of other possibilities to improve security:

Use http basic, restrict it to requests from the internal network, use api tokens etc... etc... The world is your oyster.

BTW: no offense. I just liked Fred's typo :wink:

Request forgery protection is to protect against things like cross-site scripting. For an API, you should probably be protecting requests via an authentication method, which could include HTTP Basic authentication. You could also use an API token, where a unique (to the user of the API) token is sent with every request.
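What Fred's and the previous reply's advice looks like in code, as an added example that is not from the thread and not Rails' own code: a dependency-free, Rack-style handler that does not look at the browser CSRF token at all and instead authenticates the posting process with HTTP Basic credentials or an X-Api-Token header. The API_USERS store, the X-Api-Token header name and the credentials are constructed for the example; in a Rails controller the equivalent is `protect_from_forgery :except => :create` on the API action plus a before filter that runs a check like `ApiAuth.authenticate`.

```ruby
require "digest"

# Constructed credential store for this example. A real application would load
# these from the database and store the password and token hashed, not in clear.
API_USERS = {
  "java-importer" => { password: "s3cret-pass", token: "tok_0123456789abcdef" }
}.freeze

module ApiAuth
  module_function

  # Constant-time comparison: hash both sides first so the lengths match, then
  # XOR every byte, so a wrong token takes the same time however many bytes match.
  def secure_equal(a, b)
    x = Digest::SHA256.digest(a.to_s)
    y = Digest::SHA256.digest(b.to_s)
    res = 0
    x.bytes.zip(y.bytes) { |p, q| res |= p ^ q }
    res.zero?
  end

  # Parse an "Authorization: Basic <base64(user:pass)>" header value.
  # Returns [user, pass], or nil for a missing, non-Basic or malformed header.
  def parse_basic(header)
    return nil unless header.is_a?(String)
    scheme, encoded = header.split(" ", 2)
    return nil unless scheme && scheme.casecmp?("Basic") && encoded
    begin
      decoded = encoded.strip.unpack1("m0")   # strict base64; raises on junk
    rescue ArgumentError
      return nil
    end
    user, pass = decoded.split(":", 2)
    return nil if user.nil? || pass.nil?
    [user, pass]
  end

  # Build the header value a client such as the Java process would send.
  def basic_header(user, pass)
    "Basic " + ["#{user}:#{pass}"].pack("m0")
  end

  # Returns the authenticated API user name, or nil. Accepts either HTTP Basic
  # credentials or the (constructed) X-Api-Token header; a session cookie or
  # authenticity token plays no part, which is why no CSRF check is needed here.
  def authenticate(env)
    if (creds = parse_basic(env["HTTP_AUTHORIZATION"]))
      user, pass = creds
      record = API_USERS[user]
      return user if record && secure_equal(record[:password], pass)
    end
    token = env["HTTP_X_API_TOKEN"]
    if token.is_a?(String)
      API_USERS.each do |name, record|
        return name if secure_equal(record[:token], token)
      end
    end
    nil
  end

  # Minimal Rack-style endpoint: 401 with a challenge when unauthenticated,
  # 200 when the posting process presented valid API credentials.
  def call(env)
    user = authenticate(env)
    unless user
      return [401,
              { "Content-Type" => "text/plain", "WWW-Authenticate" => 'Basic realm="API"' },
              ["unauthorized\n"]]
    end
    [200, { "Content-Type" => "text/plain" }, ["accepted data from #{user}\n"]]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed requests: one with Basic credentials, one with a token, one with nothing.
  good = { "REQUEST_METHOD" => "POST",
           "HTTP_AUTHORIZATION" => ApiAuth.basic_header("java-importer", "s3cret-pass") }
  by_token = { "REQUEST_METHOD" => "POST", "HTTP_X_API_TOKEN" => "tok_0123456789abcdef" }
  anonymous = { "REQUEST_METHOD" => "POST" }
  [good, by_token, anonymous].each { |env| puts ApiAuth.call(env).first }
end
```

The handler is deliberately independent of any session: the thing that makes a CSRF token necessary is a browser that attaches cookies automatically, and a server-to-server client has no such ambient credential, so the credential it presents explicitly is the whole authorisation decision. Restricting the endpoint to the internal network, as Fred also suggests, sits in front of this in the web server or firewall rather than in the application code.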

thanks guys!

I found this interesting post that seems to address exactly what I need:

http://www.whatcodecraves.com/articles/2008/11/25/how_to_make_an_api_for_a_rails_app/