XMLHTTPRequest + Authentication = Frustration

May 6, 2007

So I just spent the last 2 hours or so of my life buggering around with Ruby on Rails and trying to get it to do a RESTful login (i.e. one using HTTP Authorization headers, as opposed to the normal cookie stuff). There are some nice articles about pulling this feat off, such as here and here: the basic trick is to use XMLHTTPRequest to force the username/password from form fields into the browers authentication cache. However, it seems that if the resource your XMLHTTPRequest is trying to talk to never returns a 401 (Access Denied) then XMLHTTPRequest never feels the need to send the Authorization header at all, even if you specify a username and password for it. I’m really at a loss as to why it has this bizarre behaviour, so I’m really hoping I’ve misdiagnosed it, but it’s looking unlikely.

This afternoon has been my first serious attempt to play with Rails, and the whole thing has been nothing but frustration! As well as the usual the-web-is-crap issues like the above, I’ve had to contend with documentation that is scattered over the Ruby and Rails websites, when it exists at all! Some of the stuff I’ve had to use (like the base.send :helper_method call to expose some things neatly to my views) seem vital but don’t appear anywhere but as cursory mentions in changelogs. Furthermore, their habit of introducing breaking changes means some code examples I find don’t work without some obscure patching, and when things go wrong there is so much framework magic going on I have a hard time debugging it! Hopefully this feeling will fade with time, as lots of other people seem to praise Rails to the heavens, but I can’t remember even being this frustrated with a new technology :-).


5 Responses to “XMLHTTPRequest + Authentication = Frustration”

  1. Fuzzyman Says:

    Doesn’t the trick with authentication rely on having one URL that *does* raise a 401, so that the headers will be sent?

    After that, most browsers then send the headers with every request.

  2. Um, yeah. It seems that wordpress doesn’t escape angle brackets… thats almost unbelievably bad :).

    Anyway, I wrote something like this:
    Ah, is -that- the trick? Thanks for the tip: I’ll try it out ASAP, but if only there were a place where this stuff was specified..

    I still think the default behaviour shoud be to send an authorization header if username/password are specified in the AJAX call (and indeed all the HTTP clients I’ve written do this), since it doesn’t do any harm and can avoid one round trip to the server if the URL requires authentication, which should be the usual case..

  3. […] 7th, 2007 OK, to follow up on my last post about the quirks of XMLHTTPRequest, fuzzyman very kindly provided most of the solution I […]

  4. Fuzzyman Says:

    It seemed to do fine escaping the angle brackets in your actual post… 😉

Comments are closed.

%d bloggers like this: