Authentication and authorization of static content


#1

Hello,

I’m a Java programmer looking to make my life easier. Thus, I’m
considering using Rails for my next project. I’ve read chunks of the
Agile book and it looks like authorizing users at the Controller level
is dead easy to do. However, I have a need to password protect static
content in my site. In the J2EE world, I would use a servlet filter to
intercept requests and compare paths against a database of roles. Can this
be done in Rails? One more thing: if possible, can we avoid using
container-managed security? I want to be able to customize the login
process (things like deactivating an account after a number of bad login
attempts).

Thanks for your help,

-Anthony


#2

Because Rails itself offers no “standard” login mechanism,
you can handle login and security in any way you see fit.


– Tom M.


#3

Tom,

Thanks for the reply. I understand what you’re saying about login for my
web application pages. However, I have a need to protect static html
pages from the general public. Does Rails have a mechanism to protect
pages outside of the web application in, for example, a protected
directory? Furthermore, can it be done without the use of security at
the container level? (I still want to customize the login process, and
the only authorization I know of through Apache is basic and uses
.htaccess/.htpasswd files, which isn’t a good option for me).

When I used to work in PHP, I had to rename all my html content to end
in the .php suffix, and then add a function call to the top of each page
to see if a user was logged in and had authorization. I’m getting the
sense that since Rails is working through cgi, there’s no way to filter
out each request. If I go with Rails, I’ll have to protect content by
adding a function call at the top of each protected page in the same way
I had to protect PHP pages.

Does that sound right?

Thanks again,

-Anthony


#4

Cheltis,

Thanks for your reply. You’ve given me something to investigate. I have
to learn in more detail how Rails maps urls to actions. So far, it looks
like routes.rb might be the golden ticket. On page 294 of the Agile
Rails book, Dave T. shows how to set a catch-all route. Thus, a
request could be routed to a controller action that checks AAA.
Furthermore, I’m assuming that the controller can route to either the
login page, the requested resource or send a 403 error (not authorized).

This is all still theoretical in my mind because I’ve got a bunch to
learn. But so far, I’m glad that there appear to be hooks where I can
create a filter instead of inserting function calls at the top of each
page. I also have to see if the routing rules allow me to single out
specific directories. For example, /public/members_only/* might be the
only directory that needs protection.

Thanks again. I’ve got some leads with which to work.

-Anthony

Cheltis wrote:

I might be wrong, but I would assume you could change .htaccess in the
“public” directory, so that ALL requests (or a required subset) are
handled by dispatch.cgi, and then you could set up routes.rb to intercept
calls to static content and do AAA and only then give the content back.


#5

I might be wrong, but I would assume you could change .htaccess in the
“public” directory, so that ALL requests (or a required subset) are
handled by dispatch.cgi, and then you could set up routes.rb to intercept
calls to static content and do AAA and only then give the content back.

Anthony C. wrote:

Tom,

Thanks for the reply. I understand what you’re saying about login for my
web application pages. However, I have a need to protect static html
pages from the general public. Does Rails have a mechanism to protect
pages outside of the web application in, for example, a protected
directory? Furthermore, can it be done without the use of security at
the container level? (I still want to customize the login process, and
the only authorization I know of through Apache is basic and uses
.htaccess/.htpasswd files, which isn’t a good option for me).

When I used to work in PHP, I had to rename all my html content to end
in the .php suffix, and then add a function call to the top of each page
to see if a user was logged in and had authorization. I’m getting the
sense that since Rails is working through cgi, there’s no way to filter
out each request. If I go with Rails, I’ll have to protect content by
adding a function call at the top of each protected page in the same way
I had to protect PHP pages.

Does that sound right?

Thanks again,

-Anthony


#6

Anthony C. wrote:

When I used to work in PHP, I had to rename all my html content to end
in the .php suffix, and then add a function call to the top of each page
to see if a user was logged in and had authorization. I’m getting the
sense that since Rails is working through cgi, there’s no way to filter
out each request. If I go with Rails, I’ll have to protect content by
adding a function call at the top of each protected page in the same way
I had to protect PHP pages.

You can either place your static pages inside a dedicated controller, or
use one of your existing controllers if that is more appropriate.

Here’s a dedicated controller using the acts_as_authenticated plugin

app/controller/static_controller.rb:

class StaticController < ApplicationController
  # require a logged-in user for every action except the public pages
  before_filter :login_required, :except => [:about, :index]
end

And then your static pages inside app/view/static (these pages are just
html, although

about.rhtml
global_passwords.rhtml
index.rhtml
secret_stuff.rhtml

This gives you a very flexible authentication mechanism, but it’s not
“outside the web application,” although these pages can be pure html, or
you could use a static layout to customize headers, footers and
navigation if you wanted.

Ray
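Putting Anthony's catch-all idea from #4 and Ray's before_filter controller from #6 together as plain Ruby (not Rails, and not code from anyone in this thread): one function models the action that checks login and role before reading a file from a directory kept outside public/, so the web server never hands the files out on its own. The /members_only prefix, the role map and the sample files are constructed for the example.

```ruby
require "pathname"
require "tmpdir"

# Constructed sample: the protected root lives OUTSIDE public/, so the only
# way to reach these files is through the application's own action.
PROTECTED_ROOT = Pathname.new(Dir.mktmpdir("members_only"))
(PROTECTED_ROOT + "reports").mkpath
(PROTECTED_ROOT + "index.html").write("<h1>Members</h1>")
(PROTECTED_ROOT + "reports/q1.html").write("<h1>Q1 report</h1>")

# Hypothetical role requirement per URL prefix; the longest prefix wins,
# so /members_only/reports is stricter than the rest of /members_only.
REQUIRED_ROLE = {
  "/members_only/reports" => :admin,
  "/members_only"         => :member,
}

def required_role(path)
  prefix = REQUIRED_ROLE.keys.sort_by { |k| -k.length }
                        .find { |k| path == k || path.start_with?("#{k}/") }
  prefix && REQUIRED_ROLE[prefix]
end

# Models the catch-all controller action. request_path is the already
# URL-decoded path; user is nil (anonymous) or a Hash with :roles.
# Returns [http_status, body]: 401 sends the user to login, 403 refuses,
# 404 hides anything outside the protected tree, 200 serves the file.
def serve_protected(request_path, user)
  role = required_role(request_path)
  return [404, ""] unless role
  return [401, "login required"] if user.nil?
  return [403, "forbidden"] unless user[:roles].include?(role)

  # Map the URL onto the disk, then refuse any result that escapes the
  # root (".." segments, absolute paths) BEFORE touching the filesystem.
  rel  = request_path.sub(%r{\A/members_only/?}, "")
  rel  = "index.html" if rel.empty?
  file = (PROTECTED_ROOT + rel).expand_path
  return [404, ""] unless file.to_s.start_with?("#{PROTECTED_ROOT.expand_path}/")
  return [404, ""] unless file.file?
  [200, file.read]
end
```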