Forum: Ruby on Rails Using Apache auth to secure certain areas of Rails app

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Ed Lau (edlau)
on 2006-05-18 19:53
Hello! My setup is Rails 1.1 with Apache 2.x proxying the Rails stuff to
lighttpd. I know how to set up Apache to secure my entire Rails app to
require a username/password challenge. Is it possible to set up the
challenge for only parts of my application? E.g., let's say I have a
"pub" controller whose views are accessible to anyone.

I am already implementing user authentication in my Rails app (checking
each request w/ before_filter). However, before I'm ready to go public,
I'd like an extra level of security with Apache authentication. But I'm
okay with certain sections like RSS feeds and blog entries being freely
accessible. Since a Rails URL doesn't correspond to a physical directory
in the file system, I'm not sure how to set up the Apache access file.

Is it possible? If not, I'd like to hear other suggestions on
accomplishing the same result.

Thanks in advance.

--Ed Lau
Brian Hughes (Guest)
on 2006-05-18 20:38
(Received via mailing list)
I recommend checking the Apache docs for Location and LocationMatch.
These are the block directives that you can use to perform actions
based on the URL path, irrespective of whether or not a physical
resource is being requested.

Ideally, you will have an overarching LocationMatch that you use to
set up your proxy directives, before handing off control to lighttpd
as the last statement in the block. If you want to do Apache-related
things inside that block, you can simply place more Location and/or
LocationMatch blocks, within the larger block, before you do the
proxy hand-off.

This would be a good way to tie into Apache's Kerberos and LDAP
authentication modules, should you choose to do so. Also, inside your
Rails app, you'll be able to check the value of
request["REMOTE_USER"] to get the name of the authenticated user.

-Brian
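
A sketch of the per-path challenge discussed in this thread, added here as an illustration and not taken from either poster's configuration. The backend address and port, the `/feeds` prefix, the realm name and the password file path are assumptions; `/pub` is the public controller named in the question.

```apache
# Added illustration: backend address, path prefixes and file names are assumptions.
# Needs mod_proxy, mod_proxy_http and Apache's Basic/file authentication modules.

# Reverse proxy only; never act as a forward proxy.
ProxyRequests Off
ProxyPreserveHost On

# Hand every URL path to the lighttpd backend. Bind lighttpd to loopback
# only, otherwise clients can reach it directly and skip the challenge.
ProxyPass        / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/

# Challenge every path except /pub and /feeds (and anything below them).
# The negative lookahead makes this default-deny: "/public" or a newly
# added controller stays protected until its prefix is listed here.
<LocationMatch "^/(?!(pub|feeds)(/|$))">
    AuthType Basic
    AuthName "Pre-launch preview"
    # Keep the password file outside the document root.
    AuthUserFile /etc/apache2/preview.htpasswd
    Require valid-user
</LocationMatch>
```

Basic authentication sends the password base64-encoded on every request, so this belongs behind HTTPS. Public pages that load stylesheets or images from other prefixes will still trigger the challenge until those prefixes are added to the exception list.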
Ed Lau (edlau)
on 2006-05-18 22:54
Thanks, Brian! I didn't know about Location and LocationMatch. I'll look
into it.

--Ed
