InfoQ

News

RubySSPI is Big News for Ruby Developers on Windows

Posted by Obie Fernandez on Nov 14, 2006 01:37 PM

Community
Ruby
Topics
Programming,
Security
Tags
NTLM,
Firewall,
Windows,
Proxy,
RubySSPI

Rubyist Justin Bailey has just released RubySSPI, which enables NTLM proxy authentication for Ruby on Windows platforms. RubySSPI interacts with Microsoft's Security Support Provider Interface (SSPI) API to enable Ruby programs using Net::HTTP or open-uri to authenticate as the current Windows user with proxy servers requiring NTLM authentication (e.g. Microsoft's ISA). The library provides bindings to the Win32 SSPI libraries, which implement various security protocols for Windows. It was primarily developed to give Negotiate/NTLM proxy authentication abilities to Net::HTTP (and thus, open-uri), similar to support found in Internet Explorer or Firefox.

The library is not an implementation of the NTLM protocol and does not give the ability to authenticate as any given user. It does authenticate with a proxy server as the current user logged into the given Windows workstation where the code is executing. It also does not provide full bindings to the SSPI library, but the author is accepting patches that extend the library in that direction, if anyone is so inclined. An already suggested future enhancement is to leverage RubySSPI to use NTLM authentication with SQL server, removing the need for usernames or passwords in configuration files.

Godsend for some Windows users

If you are behind a proxy that authenticates all traffic, then this library enables your ruby scripts to authenticate with the proxy as the current user seamlessly. This solves the shortcomings of other solutions which require you to enter your username and password in clear text at least once. After a few simple steps, you should be able to successfully install things like Ruby on Rails by simply typying gem install rails, exactly how non-Windows users get to do.

The inability to do gem install was a big mental barrier to adoption in some Microsoft-heavy shops where I've tried to introduce Ruby and Rails. It was also a huge (and constantly recurring) pain for gem commands to fail when I was stuck at a large client with an ISA proxy/firewall. The biggest problem is that a lot of times, nobody at the client site will know anything about the ISA proxy and attempts to figure out why "my Ruby just doesn't work" will meet with confusion, if not outright hostility.

To make RubyGems (gem) commands work seamlessly behind an ISA firewall just download and install the RubySSPI gem manually, and follow the instructions provided in the Readme.txt file inside the distribution.

Related projects

The extraordinarily comprehensive README provided with the RubySSPI gem even includes a useful list of related resources and open-source projects that were used in decoding both NTLM messages and integrating with the SSPI library:

  • Managed SSPI Sample - A .NET implementation of a simple client/server using SSPI. A complex undertaking but provides a great resource for playing with the API.
  • John Lam's RubyCLR - Originally, I used RubyCLR to call into the Managed SSPI sample which really helped me decode what the SSPI interface did and how it worked. I did not end up using that implementation but it was great for research.
  • The NTLM Authentication Protocol - The definitive explanation for the NTLM protocol (outside MS internal documents, I presume)
  • Ruby/NTLM - A pure Ruby implementation of the NTLM protocol. Again, not used in this project but invaluable for decoding NTLM messages and figuring out what SSPI was returning.
  • Seamonkey/Mozilla NTLM implementation - The only source for an implementation in an actual browser. How they figured out how to use SSPI themselves is beyond me.

 

3 comments

Reply

Thanks by Justin Bailey Posted Nov 14, 2006 5:30 PM
How to authenticate within a Rails app? by Michel Löhr Posted Nov 17, 2006 4:13 AM
Re: Thanks by anjan bacchu Posted May 1, 2007 7:56 PM
  1. Back to top

    Thanks

    Nov 14, 2006 5:30 PM by Justin Bailey

    Obie, Thanks for the write up. This library was pretty painful to create but once it was working, it really made my ruby-life a lot easier. Personally, I'd like to see the functionality get pushed into the ruby distribution, but when I posted a patch to the core mailing list the silence was deafening. Hopefully the need will be perceived eventually and it will make it in.

  2. Back to top

    How to authenticate within a Rails app?

    Nov 17, 2006 4:13 AM by Michel Löhr

    I am wondering if I could use this (and how), to authenticate the Windows user within a Rails app. I am missing the link how "NTML sets" the (remote) user in the HTTP request, or otherwise. Any hints appreciated!

  3. Back to top

    Re: Thanks

    May 1, 2007 7:56 PM by anjan bacchu

    Obie, .......... but when I posted a patch to the core mailing list the silence was deafening.
    So, why not try atleast the windows installer group who should be more inclined to listen to you. When I installed ruby on my box, I saw that it contained 6-7 win32 related gems. So, Curt Hibbs or others on the win32 setup team might want to install your stuff by default ? Tbank you, BR, ~A http://anjanb.wordpress.com

Exclusive Content

Rob Windsor on WCF with REST, JSON and RSS

WCF is not just for SOAP based services and can be used with popular protocols like RSS, REST and JSON. Join Rob Windsor as he introduces WCF 3.5 and its new native support for non-SOAP services.

Christophe Coenraets Discusses Flex 3, AIR, and BlazeDS

Christophe Coenraets discusses Flex 3, Flex Builder, AIR, BlazeDS, Adobe and open source, integrating Flex with existing applications, and integrating RIAs with search engines and browsers.

Debunking Common Refactoring Misconceptions

Danijel Arsenovski attempts to dispel some of the myths around refactoring and how it applies to .NET developers.

REST Eye for the SOA Guy

In this presentation, recorded at QCon San Francisco, CORBA guru Steve Vinoski explains REST from the view of someone who comes to SOA from a traditional, RPC-oriented background.

Choose Feature Teams over Component Teams for Agility

Feature teams are key to scaling agility for large teams. In an excerpt from "Scaling Lean and Agile Development," Larman & Vodde show how feature teams resolve traditional problems & raise new issues

Billy Newport explains Virtualization

Billy Newport talks about virtualization, eXtreme Transaction Processing (XTP) and WebSphere Virtual Enterprise. He discusses hardware, hypervisor, JVM, application and data virtualization.

Virtualization and Security

While virtualization provides many benefits, security can not be a forgotten concept in its application.

Introduction to Agile for Traditional Project Managers

This session is specifically aimed at traditionally trained project managers who are new to Agile, and who would like to be able to relate the PMI's best practices to their Agile equivalents.