Forum: Ruby on Rails Authentication and authorization of static content

Anthony Carlos (Guest)
on 2006-03-12 05:14
Hello,

I'm a Java programmer looking to make my life easier. Thus, I'm
considering using Rails for my next project. I've read chunks of the
Agile book and it looks like authorizing users at the Controller level
is dead easy to do. However, I have a need to password protect static
content in my site. In the J2EE world, I would use a servlet filter to
intercept requests and compare paths against database of roles. Can this
be done in Rails? One more thing: if possible, can we avoid using
container-managed security? I want to be able to customize the login
process (things like deactivating an account after a number of bad login
attempts).

Thanks for your help,

-Anthony
Tom Mornini (Guest)
on 2006-03-12 20:34
(Received via mailing list)
Because Rails itself offers no "standard" login mechanism,
you can handle login and security in any way you see fit.

--
-- Tom Mornini
Anthony Carlos (acarlos)
on 2006-03-12 22:39
Tom,

Thanks for the reply. I understand what you're saying about login for my
web application pages. However, I have a need to protect static html
pages from the general public. Does Rails have a mechanism to protect
pages outside of the web application in, for example, a protected
directory? Furthermore, can it be done without the use of security at
the container level? (I still want to customize the login process, and
the only authorization I know of through Apache is basic and uses
.htaccess/.htpasswd files, which isn't a good option for me).

When I used to work in PHP, I had to rename all my html content to end
in the .php suffix, and then add a function call to the top of each page
to see if a user was logged in and had authorization. I'm getting the
sense that since Rails is working through cgi, there's no way to filter
out each request. If I go with Rails, I'll have to protect content by
adding a function call at the top of each protected page in the same way
I had to protect PHP pages.

Does that sound right?

Thanks again,

-Anthony
Cheltis (Guest)
on 2006-03-12 23:22
I might be wrong, but I would assume you could change .htaccess in the
"public" directory so that ALL requests (or a required subset) are
handled by dispatch.cgi, and then you could set up routes.rb to intercept
calls to static content, do AAA, and only then give the content back.

Anthony Carlos wrote:
> Tom,
>
> Thanks for the reply. I understand what you're saying about login for my
> web application pages. However, I have a need to protect static html
> pages from the general public. Does Rails have a mechanism to protect
> pages outside of the web application in, for example, a protected
> directory? Furthermore, can it be done without the use of security at
> the container level? (I still want to customize the login process, and
> the only authorization I know of through Apache is basic and uses
> .htaccess/.htpasswd files, which isn't a good option for me).
>
> When I used to work in PHP, I had to rename all my html content to end
> in the .php suffix, and then add a function call to the top of each page
> to see if a user was logged in and had authorization. I'm getting the
> sense that since Rails is working through cgi, there's no way to filter
> out each request. If I go with Rails, I'll have to protect content by
> adding a function call at the top of each protected page in the same way
> I had to protect PHP pages.
>
> Does that sound right?
>
> Thanks again,
>
> -Anthony
Anthony Carlos (acarlos)
on 2006-03-13 00:11
Cheltis,

Thanks for your reply. You've given me something to investigate. I have
to learn in more detail how Rails maps urls to actions. So far, it looks
like routes.rb might be the golden ticket. On page 294 of the Agile
Rails book, Dave Thomas shows how to set a catch-all route. Thus, a
request could be routed to a controller action that checks AAA.
Furthermore, I'm assuming that the controller can route to either the
login page, the requested resource or send a 403 error (not authorized).

This is all still theoretical in my mind because I've got a bunch to
learn. But so far, I'm glad that there appears to be hooks where I can
create a filter instead of inserting function calls at the top of each
page. I also have to see if the routing rules allow me to single out
specific directories. For example, /public/members_only/* might be the
only directory that needs protection.

Thanks again. I've got some leads with which to work.

-Anthony


Cheltis wrote:
> I might be wrong, but I would assume you could change .htaccess in the
> "public" directory so that ALL requests (or a required subset) are
> handled by dispatch.cgi, and then you could set up routes.rb to intercept
> calls to static content, do AAA, and only then give the content back.
Ray Baxter (Guest)
on 2006-03-13 02:28
(Received via mailing list)
Anthony Carlos wrote:
>
> When I used to work in PHP, I had to rename all my html content to end
> in the .php suffix, and then add a function call to the top of each page
> to see if a user was logged in and had authorization. I'm getting the
> sense that since Rails is working through cgi, there's no way to filter
> out each request. If I go with Rails, I'll have to protect content by
> adding a function call at the top of each protected page in the same way
> I had to protect PHP pages.

You can either place your static pages inside a dedicated controller, or
use one of your existing controllers if that is more appropriate.

Here's a dedicated controller using the acts_as_authenticated plugin

app/controllers/static_controller.rb:
class StaticController < ApplicationController
  # login_required comes from acts_as_authenticated; it redirects anonymous
  # visitors to the login page before any action other than the two public ones runs.
  before_filter :login_required, :except => [:about, :index]
end

And your static pages inside app/views/static (these pages are just
html, although

about.rhtml
global_passwords.rhtml
index.rhtml
secret_stuff.rhtml

This gives you a very flexible authentication mechanism, but it's not
"outside the web application," although these pages can be pure html, or
you could use a static layout to customize headers, footers and
navigation if you wanted.

Ray
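An added example, not code from the thread, showing the check that a catch-all route's action (Cheltis's and Anthony's /members_only/* idea) or Ray's before_filter would run before sending a static file. It is plain Ruby with no Rails dependency; the StaticAuthorizer class, the POLICY table, the session hash shape and the demo pages are all constructed for illustration.

```ruby
require "fileutils"
require "tmpdir"
# Decides whether a static file may be served. Written for the catch-all-route
# idea in the thread: every request under the site root is routed to one action,
# which calls authorize before sending the file (or redirecting to login / 403).
class StaticAuthorizer
  # Constructed sample policy: URL prefix => role required to read it.
  POLICY = { "/members_only/" => :member, "/admin_docs/" => :admin }.freeze
  def initialize(root)
    @root = File.expand_path(root)
  end
  # session is whatever the login code stored, e.g. { :user_roles => [:member] };
  # returns [:ok, file], [:login, nil], [:forbidden, nil] or [:not_found, nil].
  def authorize(request_path, session)
    return [:not_found, nil] unless request_path.start_with?("/")
    # Canonicalise lexically first, so "/members_only/../admin_docs/x" is judged
    # by the directory it really reaches, not by the prefix it names.
    path = File.expand_path(request_path, "/")
    required = POLICY.find { |prefix, _| path.start_with?(prefix) }&.last
    if required
      roles = session ? Array(session[:user_roles]) : []
      return [:login, nil] if roles.empty?                     # send to login page
      return [:forbidden, nil] unless roles.include?(required) # 403
    end
    file = File.join(@root, path)
    # Belt and braces: never serve anything that resolved outside the root.
    return [:not_found, nil] unless file.start_with?(@root + "/") && File.file?(file)
    [:ok, file]
  end
end

# Creates a throw-away site root with constructed sample pages and returns the
# decision for each request, so the policy can be checked without a web server.
def demo
  Dir.mktmpdir do |root|
    FileUtils.mkdir_p([File.join(root, "members_only"), File.join(root, "admin_docs")])
    File.write(File.join(root, "index.html"), "<h1>public</h1>")
    File.write(File.join(root, "members_only", "secret.html"), "<h1>members</h1>")
    File.write(File.join(root, "admin_docs", "plan.html"), "<h1>admin</h1>")
    auth = StaticAuthorizer.new(root)
    member = { :user_roles => [:member] }
    [["/index.html", nil],                                # :ok, public page
     ["/members_only/secret.html", nil],                  # :login, anonymous
     ["/members_only/secret.html", member],               # :ok
     ["/admin_docs/plan.html", member],                   # :forbidden, wrong role
     ["/members_only/../admin_docs/plan.html", member],   # :forbidden, traversal
     ["/../../etc/passwd", nil]].map { |p, s| auth.authorize(p, s).first } # :not_found
  end
end
```

In a Rails action the :login result would become a redirect to the login page, :forbidden a 403 response, and :ok a send_file of the returned path.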