I'm working on a project that will have a secure section. I'd like to be able to set things up so that certain actions are accessed only via SSL, and the rest of the site is accessed through normal HTTP. What's the best way to go about doing that? Can I write some sort of filter and specify the actions to be accessed via SSL in the controller? Should I use .htaccess? I'm sure this would be a common thing, so hopefully you guys can give me your experiences.

Thanks,
Pat
Michael Koziarski
2005-May-09 19:46 UTC
Re: Ensuring separation between SSL and non-SSL sections
On 5/10/05, Pat Maddox <pergesu-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I'm working on a project that will have a secure section. I'd like to
> be able to set things up so that certain actions are accessed only via
> SSL, and the rest of the site is accessed through normal HTTP. What's
> the best way to go about doing that? Can I write some sort of filter
> and specify the actions to be accessed via SSL in the controller?
> Should I use .htaccess? I'm sure this would be a common thing, so
> hopefully you guys can give me your experiences.

You can detect the protocol the user is using by looking at @request.protocol. So you could write a simple filter that ensured @request.protocol is https and send them to an error page or the encrypted version if not.

> Thanks,
> Pat
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>

--
Cheers

Koz
> You can detect the protocol the user is using by looking at
> @request.protocol. So you could write a simple filter that ensured
> @request.protocol is https and send them to an error page or the
> encrypted version if not.

Hello,

Or to redirect to the https version in the rails way?

Thank you
I'm working on something similar now. What I have so far is:

in application.rb:

    def check_ssl
      unless @request.ssl?
        redirect_to :controller => ''
        return false  # <----------- this line is important!
      end
    end

in my controllers I want ssl only:

    before_filter :check_ssl

As you can tell it's extremely simplistic. If the user goes to a controller that I only want to allow SSL for, it redirects them back to the root. I suppose you could add :except => or :only => pieces to the filter (not sure if that works automagically or if there's something that needs to be done for that). You could also redirect to the https version if you want.

I hope that helps a bit, and if anyone wants to comment on how I could make that any better I'm all ears!

Joe
Justin Dossey
2005-Sep-05 15:54 UTC
Re: Ensuring separation between SSL and non-SSL sections
I did the same thing! Except I went a step farther, and overrode url_for to support a new parameter, :ssl => true. I know I can say :protocol => 'https://' and :only_path => false, but once you're in an SSL section, you have to be careful with default_url_for_options and such.

So with my new url_for, I get support for SSL on any URL simply by passing in the SSL parameter. Furthermore, I can put a constant in an environments/ file and control SSL for the entire site, e.g.

    redirect_to :controller => 'payment', :action => 'process', :ssl => ENABLE_SSL

allows webrick-style development without code modification.

--
Justin Dossey

On Sun, 4 Sep 2005, Joe Noon wrote:
> I'm working on something similar now. What I have so far is:
>
> in application.rb:
>
>     def check_ssl
>       unless @request.ssl?
>         redirect_to :controller => ''
>         return false  # <----------- this line is important!
>       end
>     end
>
> in my controllers I want ssl only:
>
>     before_filter :check_ssl
>
> As you can tell it's extremely simplistic. If the user goes to a controller
> that I only want to allow SSL for, it redirects them back to the root. I
> suppose you could add :except => or :only => pieces to the filter (not sure
> if that works automagically or if there's something that needs to be done for
> that). You could also redirect to the https version if you want.
>
> I hope that helps a bit, and if anyone wants to comment on how I could make
> that any better I'm all ears!
>
> Joe
>
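
The "redirect to the https version" variant that the thread mentions but never shows, as an added example that is not code from any poster or from Rails. It is plain Ruby: the Request struct, ssl_url, enforce_ssl and SECURE_HOST are hypothetical names, and ENABLE_SSL mirrors the per-environment constant from Justin's message. It goes one step beyond the thread by refusing non-GET requests that arrive over plain HTTP, because their body has already crossed the wire unencrypted.

```ruby
require 'uri'

# Per-environment switch, as in Justin's post (false for local development).
ENABLE_SSL = true
# Assumed canonical host, taken from configuration instead of the
# client-supplied Host header so the redirect target cannot be steered.
SECURE_HOST = 'shop.example.test'

# Minimal stand-in for the controller's request object (hypothetical).
Request = Struct.new(:scheme, :path, :query, :http_method) do
  def ssl?
    scheme == 'https'
  end
end

# Build the absolute URL for the requested resource; https when ssl is on.
def ssl_url(req, ssl: ENABLE_SSL)
  klass = ssl ? URI::HTTPS : URI::HTTP
  klass.build(host: SECURE_HOST, path: req.path, query: req.query).to_s
end

# Decision for an SSL-only action.
# Returns [:continue], [:redirect, url] or [:reject, status].
def enforce_ssl(req, ssl: ENABLE_SSL)
  return [:continue] if !ssl || req.ssl?

  # Safe, idempotent requests can simply be replayed over https.
  if %w[GET HEAD].include?(req.http_method)
    return [:redirect, ssl_url(req, ssl: true)]
  end

  # A plaintext POST has already exposed its parameters; a redirect would
  # hide the problem. Refuse it and point the form's action at https.
  [:reject, 403]
end
```

In a controller the three outcomes map onto the filter from Joe's message: continue, redirect_to the returned URL and return false, or render an error and return false.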