Anthony Carlos
2006-Mar-12 04:15 UTC
[Rails] Authentication and authorization of static content
Hello,

I'm a Java programmer looking to make my life easier. Thus, I'm considering using Rails for my next project. I've read chunks of the Agile book and it looks like authorizing users at the Controller level is dead easy to do. However, I have a need to password protect static content in my site. In the J2EE world, I would use a servlet filter to intercept requests and compare paths against a database of roles. Can this be done in Rails?

One more thing: if possible, can we avoid using container-managed security? I want to be able to customize the login process (things like deactivating an account after a number of bad login attempts).

Thanks for your help,

-Anthony

--
Posted via http://www.ruby-forum.com/.
Tom Mornini
2006-Mar-12 19:33 UTC
[Rails] Authentication and authorization of static content
Because Rails itself offers no "standard" login mechanism, you can handle login and security in any way you see fit.

--
-- Tom Mornini

On Mar 11, 2006, at 8:14 PM, Anthony Carlos wrote:

> Hello,
>
> I'm a Java programmer looking to make my life easier. Thus, I'm
> considering using Rails for my next project. I've read chunks of the
> Agile book and it looks like authorizing users at the Controller level
> is dead easy to do. However, I have a need to password protect static
> content in my site. In the J2EE world, I would use a servlet filter to
> intercept requests and compare paths against a database of roles. Can this
> be done in Rails? One more thing: if possible, can we avoid using
> container-managed security? I want to be able to customize the login
> process (things like deactivating an account after a number of bad login
> attempts).
>
> Thanks for your help,
>
> -Anthony
>
> --
> Posted via http://www.ruby-forum.com/.
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
Anthony Carlos
2006-Mar-12 21:39 UTC
[Rails] Re: Authentication and authorization of static content
Tom,

Thanks for the reply. I understand what you're saying about login for my web application pages. However, I have a need to protect static html pages from the general public. Does Rails have a mechanism to protect pages outside of the web application in, for example, a protected directory? Furthermore, can it be done without the use of security at the container level? (I still want to customize the login process, and the only authorization I know of through Apache is basic and uses .htaccess/.htpasswd files, which isn't a good option for me.)

When I used to work in PHP, I had to rename all my html content to end in the .php suffix, and then add a function call to the top of each page to see if a user was logged in and had authorization. I'm getting the sense that since Rails is working through cgi, there's no way to filter out each request. If I go with Rails, I'll have to protect content by adding a function call at the top of each protected page in the same way I had to protect PHP pages.

Does that sound right?

Thanks again,

-Anthony

--
Posted via http://www.ruby-forum.com/.
Cheltis
2006-Mar-12 22:22 UTC
[Rails] Re: Authentication and authorization of static content
I might be wrong, but I would assume you could change .htaccess in the "public" directory so that ALL requests (or a required subset) are handled by dispatch.cgi, and then you could set up routes.rb to intercept calls to static content, do aaa, and only then give the content back.

Anthony Carlos wrote:

> Tom,
>
> Thanks for the reply. I understand what you're saying about login for my
> web application pages. However, I have a need to protect static html
> pages from the general public. Does Rails have a mechanism to protect
> pages outside of the web application in, for example, a protected
> directory? Furthermore, can it be done without the use of security at
> the container level? (I still want to customize the login process, and
> the only authorization I know of through Apache is basic and uses
> .htaccess/.htpasswd files, which isn't a good option for me.)
>
> When I used to work in PHP, I had to rename all my html content to end
> in the .php suffix, and then add a function call to the top of each page
> to see if a user was logged in and had authorization. I'm getting the
> sense that since Rails is working through cgi, there's no way to filter
> out each request. If I go with Rails, I'll have to protect content by
> adding a function call at the top of each protected page in the same way
> I had to protect PHP pages.
>
> Does that sound right?
>
> Thanks again,
>
> -Anthony

--
Posted via http://www.ruby-forum.com/.
Anthony Carlos
2006-Mar-12 23:11 UTC
[Rails] Re: Authentication and authorization of static content
Cheltis,

Thanks for your reply. You've given me something to investigate. I have to learn in more detail how Rails maps urls to actions. So far, it looks like routes.rb might be the golden ticket. On page 294 of the Agile Rails book, Dave Thomas shows how to set a catch-all route. Thus, a request could be routed to a controller action that checks AAA. Furthermore, I'm assuming that the controller can route to either the login page or the requested resource, or send a 403 error (not authorized).

This is all still theoretical in my mind because I've got a bunch to learn. But so far, I'm glad that there appear to be hooks where I can create a filter instead of inserting function calls at the top of each page. I also have to see if the routing rules allow me to single out specific directories. For example, /public/members_only/* might be the only directory that needs protection.

Thanks again. I've got some leads with which to work.

-Anthony

Cheltis wrote:

> I might be wrong, but I would assume you could change .htaccess in the
> "public" directory so that ALL requests (or a required subset) are
> handled by dispatch.cgi, and then you could set up routes.rb to intercept
> calls to static content, do aaa, and only then give the content back.

--
Posted via http://www.ruby-forum.com/.
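The "filter" Anthony is reaching for (a catch-all route into one controller action that checks the path against roles before serving anything) reduced to its decision logic, as an added example that is not code from this thread. It is plain Ruby with no Rails dependency; PROTECTED_PATHS, PUBLIC_ROOT and the route wiring described in the comments are assumptions, and the directory-boundary matching and traversal check go a little beyond what the thread discusses.

```ruby
# Added example, not from the thread. In Rails 1.x this would sit behind a
# catch-all route such as   map.connect '*path', :controller => 'static',
# :action => 'show'   (assumed wiring); the action calls send_file on the
# resolved file, redirects to the login page, or renders a 403, as decided here.

# Constructed policy: directory prefix under public/ -> roles allowed to read it.
PROTECTED_PATHS = {
  '/members_only/' => %w[member admin],
  '/admin_docs/'   => %w[admin],
}.freeze

PUBLIC_ROOT = '/srv/app/public'.freeze # hypothetical document root

# Collapse the request path into clean segments. NUL bytes and any '..'
# segment are refused outright so a request can never resolve outside
# PUBLIC_ROOT, and so '/a/../members_only/x' cannot dodge the prefix check.
def normalize_path(request_path)
  return nil if request_path.include?("\0")
  segments = request_path.split('/').reject { |s| s.empty? || s == '.' }
  return nil if segments.include?('..')
  '/' + segments.join('/')
end

# user_roles is nil for an anonymous request, otherwise the user's role names.
# Returns [:allow, absolute_file], [:login, nil] or [:forbidden, nil].
def authorize_static(request_path, user_roles)
  path = normalize_path(request_path)
  return [:forbidden, nil] unless path
  # Match on a directory boundary: '/members_only' (no slash) is protected,
  # while '/members_only_extra/...' is not caught by the '/members_only/' rule.
  _prefix, roles = PROTECTED_PATHS.find { |p, _| (path + '/').start_with?(p) }
  file = File.join(PUBLIC_ROOT, path)
  return [:allow, file] if roles.nil?                    # not a protected area
  return [:login, nil] if user_roles.nil?                # authenticate first
  return [:forbidden, nil] if (roles & user_roles).empty? # wrong role: 403
  [:allow, file]
end

if __FILE__ == $0
  p authorize_static('/members_only/report.html', nil)          # [:login, nil]
  p authorize_static('/members_only/../index.html', %w[member]) # [:forbidden, nil]
end
```

As Cheltis notes, this only helps once .htaccess stops Apache from serving those files directly; otherwise the web server hands out the file before the Rails action ever runs.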
Ray Baxter
2006-Mar-13 01:27 UTC
[Rails] Re: Authentication and authorization of static content
Anthony Carlos wrote:

> Tom,
>
> Thanks for the reply. I understand what you're saying about login for my
> web application pages. However, I have a need to protect static html
> pages from the general public. Does Rails have a mechanism to protect
> pages outside of the web application in, for example, a protected
> directory? Furthermore, can it be done without the use of security at
> the container level? (I still want to customize the login process, and
> the only authorization I know of through Apache is basic and uses
> .htaccess/.htpasswd files, which isn't a good option for me.)
>
> When I used to work in PHP, I had to rename all my html content to end
> in the .php suffix, and then add a function call to the top of each page
> to see if a user was logged in and had authorization. I'm getting the
> sense that since Rails is working through cgi, there's no way to filter
> out each request. If I go with Rails, I'll have to protect content by
> adding a function call at the top of each protected page in the same way
> I had to protect PHP pages.

You can either place your static pages inside a dedicated controller, or use one of your existing controllers if that is more appropriate. Here's a dedicated controller using the acts_as_authenticated plugin, app/controller/static_controller.rb:

    class StaticController < ApplicationController
      # Require a login for every action except the two public pages
      before_filter :login_required, :except => [:about, :index]
    end

And then your static pages inside app/view/static (these pages are just html, although

    about.rhtml
    global_passwords.rhtml
    index.rhtml
    secret_stuff.rhtml

This gives you a very flexible authentication mechanism, but it's not "outside the web application," although these pages can be pure html, or you could use a static layout to customize headers, footers and navigation if you wanted.

Ray