The ELC Community Blog

A knowledge exchange on Ruby on Rails and Agile Development


HTTP Auth with Restful Authentication

by josh on April 20, 2007

If you've used the RESTful Authentication plugin much, you probably won't be surprised to hear that it uses HTTP authentication request headers whenever they are provided. This is a really cool feature if you want login information provided by a .htaccess file to propagate through to your authentication system and automatically log a user into your site (assuming the user info is identical). However, if that's not what you want, then it might just get in your way.

HTTP Auth is deprecated in most cases, but remains extremely useful for testing and staging sites where you need to lock out guests, but preserve all functionality of the site. Consider a project where a viewer (client) needs to be able to register for the site, as well as log into the site. It wouldn't be very helpful if RESTful Authentication sent a client past your registration form when they provide their HTTP Auth info.

To prevent this from happening you need to blank out the authorization request headers before they reach the application. Add the following `RequestHeader` directives (Apache mod_headers) to the config file that corresponds to your staging environment. If you're using RightScale, this will be in the .common file that corresponds to your app.

    RequestHeader set X-HTTP_AUTHORIZATION ""
    RequestHeader set HTTP_AUTHORIZATION ""
    RequestHeader set AUTHORIZATION ""
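The effect of those three directives on an application-level login check, as an added Ruby example that is not the plugin's own code. `basic_credentials` and `blank_auth_headers` are hypothetical helpers, the environment-hash lookup is an assumed simplification, and the sample request is constructed.

```ruby
# Header names come from the RequestHeader directives above; looking them
# up as plain keys of an environment hash is an assumption of this sketch.
AUTH_KEYS = %w[X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION AUTHORIZATION].freeze

# Returns [login, password] when the environment carries usable Basic
# credentials, otherwise [nil, nil] (header absent, blank, wrong scheme,
# or a payload that does not decode to "login:password").
def basic_credentials(env)
  key = AUTH_KEYS.find { |k| env.key?(k) }
  return [nil, nil] unless key

  scheme, payload = env[key].to_s.split(' ', 2)
  return [nil, nil] unless scheme && scheme.casecmp('basic').zero? && payload

  # unpack1('m') is Ruby's built-in Base64 decoder; split on the first
  # colon only, because a password may itself contain colons.
  login, password = payload.strip.unpack1('m').split(':', 2)
  return [nil, nil] if login.nil? || login.empty? || password.nil?

  [login, password]
end

# Models `RequestHeader set <name> ""`: each header is overwritten with an
# empty value before the request reaches the application.
def blank_auth_headers(env)
  env.merge(AUTH_KEYS.to_h { |k| [k, ''] })
end

# Constructed sample request: credentials typed at the staging prompt.
SAMPLE_ENV = {
  'HTTP_AUTHORIZATION' => 'Basic ' + ['staging:s3cret:pw'].pack('m0'),
  'REQUEST_METHOD' => 'GET'
}.freeze

if __FILE__ == $PROGRAM_NAME
  p basic_credentials(SAMPLE_ENV)                      # credentials visible to the app
  p basic_credentials(blank_auth_headers(SAMPLE_ENV))  # nothing left to auto-login with
end
```

With the headers blanked, the login check finds no credentials, so the staging password gates the site at the web server while the application's own registration and login forms behave as they would in production.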

You can put the htaccess information in here as well, obviating the need to edit Rails' default .htaccess file. Put it right under the RequestHeader lines above.

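    <Location />
    # AuthType and Require are needed for Apache to actually prompt for credentials
    AuthType Basic
    AuthUserFile /path/to/your/passwd/file
    AuthName "Your Private Area Message Here"
    Require valid-user
    Order allow,deny
    Allow from all
    </Location>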

Put all this stuff right under:

    DocumentRoot ...