关于 HTTP 身份验证方案的建议(使用请求标头)
我有一个在 Heroku 上托管的 Rails 应用程序,它通过使用代理服务来限制访问。外部服务器充当所有请求的中介并处理用户身份验证。用户通过身份验证后,服务器(我认为是 LDAP)会将用户名添加到请求标头并将其重定向到我的应用程序。
我想使用请求标头中的用户名来对我的应用程序中的用户进行身份验证。基本上,如果用户不存在,我会使用该用户名创建一个用户(不需要密码),如果不存在,我只会登录他们。我会将用户存储在我的应用程序的数据库中。
我该怎么做?是否可以使用 Devise 来实现此目的?
编辑:我让它与设计/自定义守望者策略一起工作,如下所示:
# config/initializers/my_strategy.rb
Warden::Strategies.add(:my_strategy) do
def valid?
true
end
def authenticate!
if !request.headers["my_key"]
fail!("You are not authorized to view this site.")
redirect!("proxy_url")
else
username = request.headers["my_key"]
user = User.find_by_username(username)
if user.nil?
user = User.create(:username => username)
end
success!(user)
end
end
end
#config/initializers/devise.rb
config.warden do |manager|
manager.default_strategies(:scope => :user).unshift :my_strategy
end
我需要使其尽可能防弹。我可以采取其他安全措施来确保某人无法欺骗请求标头并访问我的网站吗?
I have a rails app hosted on Heroku that am restricting access to by using a proxy service. The external server acts as intermediary for all requests and handles user authentication. Once a user has authenticated, the server (I think LDAP) adds the user name to the request header and redirects them to my app.
I would like to use the username from the request header to authenticate users in my app. Basically if the user doesn't exist I would create a user with that username (no password required) and if not I would just log them in. I will be storing the users in my app's database.
How should I do this? Is it possible to use Devise for this purpose?
Edit: I got it working with Devise/custom Warden strategy like this:
# config/initializers/my_strategy.rb
Warden::Strategies.add(:my_strategy) do
def valid?
true
end
def authenticate!
if !request.headers["my_key"]
fail!("You are not authorized to view this site.")
redirect!("proxy_url")
else
username = request.headers["my_key"]
user = User.find_by_username(username)
if user.nil?
user = User.create(:username => username)
end
success!(user)
end
end
end
#config/initializers/devise.rb
config.warden do |manager|
manager.default_strategies(:scope => :user).unshift :my_strategy
end
I need to make this as bullet proof as possible. Are there other security measures can I take to make sure someone can't spoof the request header and access my site?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我认为使用 devise 可能有点矫枉过正,但你可以。您只需要定义一个典狱长策略。为此目的只能设计或使用典狱长。
I think using devise can be a little more overkill, but you can. You just need define a warden strategie. in devise or use only warden in this purpose.