Ed Lau
2006-May-18 17:53 UTC
[Rails] Using Apache auth to secure certain areas of Rails app
Hello! My setup is Rails 1.1 with Apache 2.x proxying the Rails stuff to lighttpd. I know how to set up Apache to secure my entire Rails app to require a username/password challenge. Is it possible to set up the challenge for only parts of my application? E.g., let's say I have a "pub" controller whose views are accessible to anyone.

I am already implementing user authentication in my Rails app (checking each request w/ before_filter). However, before I'm ready to go public, I'd like an extra level of security with Apache authentication. But I'm okay with certain sections like RSS feeds and blog entries being freely accessible. Since a Rails URL doesn't correspond to a physical directory in the file system, I'm not sure how to set up the Apache access file.

Is it possible? If not, I'd like to hear other suggestions on accomplishing the same result.

Thanks in advance.

--Ed Lau

-- Posted via http://www.ruby-forum.com/.
Brian Hughes
2006-May-18 18:37 UTC
[Rails] Using Apache auth to secure certain areas of Rails app
I recommend checking the Apache docs for Location and LocationMatch. These are the block directives that you can use to perform actions based on the URL path, irrespective of whether or not a physical resource is being requested.

Ideally, you will have an overarching LocationMatch that you use to set up your proxy directives, before handing off control to lighttpd as the last statement in the block. If you want to do Apache-related things inside that block, you can simply place more Location and/or LocationMatch blocks, within the larger block, before you do the proxy hand-off.

This would be a good way to tie into Apache's Kerberos and LDAP authentication modules, should you choose to do so. Also, inside your Rails app, you'll be able to check the value of request["REMOTE_USER"] to get the name of the authenticated user.

-Brian

On May 18, 2006, at 01:53 PM, Ed Lau wrote:

> Hello! My setup is Rails 1.1 with Apache 2.x proxying the Rails stuff to
> lighttpd. I know how to set up Apache to secure my entire Rails app to
> require a username/password challenge. Is it possible to set up the
> challenge for only parts of my application? E.g., let's say I have a
> "pub" controller whose views are accessible to anyone.
>
> I am already implementing user authentication in my Rails app (checking
> each request w/ before_filter). However, before I'm ready to go public,
> I'd like an extra level of security with Apache authentication. But I'm
> okay with certain sections like RSS feeds and blog entries being freely
> accessible. Since a Rails URL doesn't correspond to a physical directory
> in the file system, I'm not sure how to set up the Apache access file.
>
> Is it possible? If not, I'd like to hear other suggestions on
> accomplishing the same result.
>
> Thanks in advance.
>
> --Ed Lau
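An added configuration example, not part of the original thread, showing URL-path authentication in front of a proxied Rails app using the Location and LocationMatch directives discussed above. It is written as sibling sections, which Apache merges in configuration order so that the later section overrides the earlier one. The backend address, the public paths `/pub` and `/feeds`, the realm name and the password file path are all assumed values.

```apache
# Added example, Apache 2.4 syntax. Place inside the TLS virtual host that
# serves the app: Basic auth sends credentials merely base64-encoded.
# Assumed values: backend port, public paths, realm name, htpasswd path.

# Hand every request to the lighttpd backend (assumed on 127.0.0.1:3000).
# Bind lighttpd to loopback only (server.bind = "127.0.0.1") so the
# backend cannot be reached without passing through these rules.
ProxyRequests    Off
ProxyPass        / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/

# Default: every URL path requires a login. <Location> matches the URL
# path, so no directory on disk has to exist for the rule to apply.
<Location "/">
    AuthType     Basic
    AuthName     "Pre-launch preview"
    AuthUserFile "/etc/apache2/preview.htpasswd"
    Require      valid-user
</Location>

# Exception: public areas. This section comes after <Location "/">, so it
# is merged later and its Require replaces "valid-user" for these paths.
# The (/|$) anchor keeps the pattern from also opening look-alike paths
# such as /pub-admin or /feedsettings.
<LocationMatch "^/(pub|feeds)(/|$)">
    Require all granted
</LocationMatch>

# On Apache 2.0/2.2 the open section is written instead as:
#     Order allow,deny
#     Allow from all
#     Satisfy Any
```

Keeping the protected rule as the default and listing only the public paths means a new controller is challenged until it is deliberately opened.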
Ed Lau
2006-May-18 20:55 UTC
[Rails] Re: Using Apache auth to secure certain areas of Rails app
Thanks, Brian! I didn't know about Location and LocationMatch. I'll look into it.

--Ed

Brian Hughes wrote:

> I recommend checking the Apache docs for Location and LocationMatch.
> These are the block directives that you can use to perform actions
> based on the URL path, irrespective of whether or not a physical
> resource is being requested.
>
> Ideally, you will have an overarching LocationMatch that you use to
> set up your proxy directives, before handing off control to lighttpd
> as the last statement in the block. If you want to do Apache-related
> things inside that block, you can simply place more Location and/or
> LocationMatch blocks, within the larger block, before you do the
> proxy hand-off.
>
> This would be a good way to tie into Apache's Kerberos and LDAP
> authentication modules, should you choose to do so. Also, inside your
> Rails app, you'll be able to check the value of
> request["REMOTE_USER"] to get the name of the authenticated user.
>
> -Brian

-- Posted via http://www.ruby-forum.com/.