RoR: storing HTTP_AUTHORIZATION in the session to access a .htaccess-protected folder
In my Ruby on Rails application, I am trying to protect part of the public folder using Apache's .htaccess feature, to prevent unauthenticated people from accessing the files.
So I have placed a .htpasswd file to protect this folder and set up Apache accordingly, and this works... prompting me for login/password to access the files.
I use the restful authentication plugin to authenticate users against their credentials. My idea was to:
- authenticate the user
- if the user is authenticated, set the HTTP_AUTHORIZATION variable and store it so that I can access the protected folder's files without the browser prompting me for login/password
What I did, in the application controller:

helper_method :set_http_auth

def set_http_auth
  request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials("myLogin", "myPassword")
end
Then I call the before_filter in the controller to set the value.
It seems like it's doing the job: I get HTTP_AUTHORIZATION set in my request.env array, but unfortunately the browser still prompts me for login/password if I try to get a file from the protected folder (such as an image).
If anybody has an idea, I'm all ears :) Thanks!
Comments (2)
I looked around at various solutions; the best seems to be mod_xsendfile:

sudo apt-get install libapache2-mod-xsendfile

This won't tie up your Rails process (Apache serves the file itself, from outside the public dir, upon receiving the X-Sendfile header).
So it's the most efficient and also a pretty easy way to protect your files. Use your own authentication at will. Nginx and lighttpd have similar solutions...
I found a solution that could be suitable: Here, but it would require major changes in my application.
So instead, I chose to protect the folder using Apache cookie detection and then check whether the cookie exists when trying to access the file (the cookie getting set upon the user's authentication).
Email me if you want details...
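The following is an added example, not code from the question or either comment. It combines the two approaches above: the first comment's X-Sendfile hand-off (the Ruby side checks authorization and returns only a header; Apache serves the bytes) and the second comment's login cookie, but it goes one step beyond the second comment by verifying an HMAC over the cookie rather than just testing that a cookie is present, since a presence check is satisfied by any client that sends a cookie with that name. It is plain Ruby with no Rails or Rack dependency so it runs stand-alone; the constants SECRET and COOKIE_NAME, the cookie layout, the /files/ URL prefix and the function names are all assumptions, and the fixture files are constructed inside the block.

```ruby
require "openssl"
require "tmpdir"
require "fileutils"

# Added example, not from the original post. SECRET and COOKIE_NAME are
# assumptions; a Rails app would derive the key from secret_key_base.
SECRET      = "example-secret-replace-me"
COOKIE_NAME = "file_access"

# Mint the cookie set at login: "<user>.<unix expiry>.<hex HMAC-SHA256>".
def mint_cookie(user, expires_at, secret = SECRET)
  payload = "#{user}.#{expires_at}"
  "#{payload}.#{OpenSSL::HMAC.hexdigest('SHA256', secret, payload)}"
end

# Constant-time comparison so the MAC check does not leak by timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Return the user name if the cookie is authentic and unexpired, else nil.
# A check that only asks "is there a cookie called file_access?" is defeated
# by sending any value; the MAC binds the value to the server secret.
def verify_cookie(value, now, secret = SECRET)
  return nil if value.nil?
  user, expires_at, mac = value.split(".", 3)
  return nil if [user, expires_at, mac].any? { |part| part.nil? || part.empty? }
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, "#{user}.#{expires_at}")
  return nil unless secure_equal?(mac, expected)
  return nil if expires_at.to_i <= now
  user
end

# Pull one cookie out of a raw Cookie header ("a=1; file_access=...").
def cookie_value(cookie_header, name = COOKIE_NAME)
  cookie_header.to_s.split(/;\s*/).each do |pair|
    key, val = pair.split("=", 2)
    return val if key == name
  end
  nil
end

# Build a [status, headers, body] triple for GET /files/<name>.
# On success the body is empty and X-Sendfile carries the absolute path:
# Apache with mod_xsendfile ("XSendFile On") streams the file itself, so the
# Ruby process is not tied up. Assumes PATH_INFO is already percent-decoded.
def serve_protected(env, protected_dir, now = Time.now.to_i)
  user = verify_cookie(cookie_value(env["HTTP_COOKIE"]), now)
  return [403, { "Content-Type" => "text/plain" }, ["forbidden"]] unless user

  base   = File.realpath(protected_dir)
  name   = env["PATH_INFO"].to_s.sub(%r{\A/files/}, "")
  path   = File.expand_path(name, base)            # collapses any "../"
  inside = ->(p) { p.start_with?(base + File::SEPARATOR) }
  not_found = [404, { "Content-Type" => "text/plain" }, ["not found"]]
  # Reject traversal before touching the filesystem, then re-check after
  # resolving symlinks so a link inside base cannot point outside it.
  return not_found unless inside.call(path) && File.file?(path)
  real = File.realpath(path)
  return not_found unless inside.call(real)

  [200, { "X-Sendfile" => real, "Content-Type" => "application/octet-stream" }, []]
end

# Constructed fixture: a protected dir holding one file, plus a sibling file
# that must never be reachable. Returns [protected_dir, outside_file].
def build_fixture
  root = Dir.mktmpdir("xsendfile-demo")
  protected_dir = File.join(root, "protected")
  FileUtils.mkdir_p(protected_dir)
  File.write(File.join(protected_dir, "secret.png"), "not really a png")
  File.write(File.join(root, "outside.txt"), "must stay hidden")
  [protected_dir, File.join(root, "outside.txt")]
end

if __FILE__ == $PROGRAM_NAME
  protected_dir, = build_fixture
  now = Time.now.to_i
  cookie = "#{COOKIE_NAME}=#{mint_cookie('alice', now + 3600)}"
  p serve_protected({ "PATH_INFO" => "/files/secret.png", "HTTP_COOKIE" => cookie }, protected_dir, now)
  p serve_protected({ "PATH_INFO" => "/files/../outside.txt", "HTTP_COOKIE" => cookie }, protected_dir, now)
  p serve_protected({ "PATH_INFO" => "/files/secret.png", "HTTP_COOKIE" => "#{COOKIE_NAME}=forged" }, protected_dir, now)
end
```

In a real Rails app the same shape is `send_file` in a controller action guarded by the login check, with `config.action_dispatch.x_sendfile_header = "X-Sendfile"` so Rails emits the header instead of reading the file, and `XSendFile On` plus `XSendFilePath <dir>` in the Apache config. This also explains why the question's approach cannot work: HTTP Basic credentials travel in the Authorization header that the browser sends with each request to the protected folder, so assigning request.env['HTTP_AUTHORIZATION'] inside the Rails process only changes the server's view of the current request and never reaches the browser's later requests for the static files.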