Authenticating in Apache *before* Rails

I have a requirement where I need to authenticate a user connection
BEFORE it is handed off to Rails. Normally this is handled via an
.htacess file or use mod_auth_ldap or something similar. Here’s the
rub… I want Rails to be the sole writer of login & password
information. This means I need to get Apache to read the Rails database
and compare the HTTP credentials to the contents therein.

Anyone do this before? What mod_* did you use for Apache? Is there
another methodology or mechanism I should be investigating? Am I stuck
with moving all user data into LDAP and requiring both Apache and Rails
to use it?

I looked at adding a simple DB lookup to a Mongrel handler, but for my
purposes the handler would run too late (i.e. after the entire HTTP body
is read). I need this authentication to run as soon as the header is
complete. Plus, the Mongrel docs are pretty clear in saying that
authentication should be handled outside Mongrel by a static HTTP
server, Mongrel isn’t all things to all people, it’s just a pure HTTP
server, etc.

Thanks for your input.


If your user DB is just a plain old relational database, there should
be an apache mod_auth_* module for it. mod_auth_mysql, mod_auth_oracle,
mod_auth_odbc, etc. Whether you’ll have to modify the module or modify
your Rails app’s database a bit so they’re speaking the same kind of
password encryption is a question, but the ready-made Rails user auth
schemes out there are just querying one or two perfectly ordinary
tables, nothing exotic about them, and apache servers authenticate
against that sort of table all the time.