This plugin provides a simple interface to the various Apache authentication systems so your Rails application can find out who the currently logged-in user is. The plugin interface is similar to the Acts As Authenticated plugin, but it does no authentication itself: Apache authenticates the request, and the plugin only reads the result.

Apache authentication modules set the REMOTE_USER variable to the user name the user authenticated with. This variable is passed to CGI and FastCGI applications as is, so Rails sees it as request.env["REMOTE_USER"].

For proxied applications, e.g. mongrel behind mod_proxy, the CGI environment is not passed through, so you need to write some nifty Rewrite rules (mod_rewrite plus mod_headers) to carry the value of REMOTE_USER to the backend in a request header:

  RewriteEngine On
  RewriteCond %{LA-U:REMOTE_USER} (.+)
  RewriteRule .* - [E=RU:%1]
  RequestHeader add REMOTE_USER %{RU}e

Here’s what this Rewrite-fu does:

  1. RewriteCond %{LA-U:REMOTE_USER} (.+): in per-server context mod_rewrite runs before the authentication module, so the LA-U look-ahead performs an internal subrequest to get the value REMOTE_USER will have, and the (.+) captures it.
  2. RewriteRule .* - [E=RU:%1]: transfer the captured value into an environment variable called RU, without rewriting the URL.
  3. RequestHeader add REMOTE_USER %{RU}e: set a REMOTE_USER request header from that environment variable, so the proxied backend receives it.

In the proxy case the value arrives as an HTTP request header, and CGI/Rack prefix header names with HTTP_, so the variable your app sees is HTTP_REMOTE_USER. Override the default remote_property_name method in your code to allow for this case.

Two caveats for the proxy setup. First, prefer RequestHeader set over add: add appends a second REMOTE_USER header even when the client already sent one, whereas set replaces any client-supplied header, so the backend only ever sees the value Apache produced. Second, the proxied application must be reachable only through Apache (bind mongrel to localhost or firewall its port); a client that can connect to the backend directly can send its own REMOTE_USER header and pick which user it is logged in as.

Usage:

  1. Install plugin
  2. include RemoteUser into controllers that need it
  3. Implement the find_user method to load your user model
  4. Implement the access_denied! method
  5. Implement before_filter for login_required for actions you want to protect
  6. Optionally implement remote_property_name to match your Apache configuration

Install plugin

  script/plugin install http://craz8.com/svn/trunk/plugins/authenticate_as_remote_user/
  rake test:plugins PLUGIN=authenticate_as_remote_user

(View the plugin source code)

Include RemoteUser into controllers

  class ApplicationController < ActionController::Base
    include RemoteUser
    ...
  end

Implement the find_user method to load your user model

  class ApplicationController < ActionController::Base
    include RemoteUser

    # remote_name is the value Apache put in REMOTE_USER; return nil if no
    # matching user exists so login_required denies access.
    def find_user(remote_name)
      User.find_by_name(remote_name)
    end
  end

Implement the access_denied! method

  def access_denied!
    redirect_to access_denied_path and return false
  end

Implement before_filter for login_required for actions you want to protect

  class SomeController < ApplicationController
    before_filter :login_required, :only => [ :update, :create, :destroy ]
  end

Optionally implement remote_property_name to match your Apache configuration

  def remote_property_name
    "HTTP_REMOTE_USER"
  end
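
The whole procedure above, wired together as a stand-alone example that is not the plugin's own code: RemoteUserDemo is a minimal stand-in for the plugin's RemoteUser mixin written for this example (the real mixin's internals are not shown on this page), FakeRequest replaces the Rails request object, and the USERS hash replaces the User model. It runs with plain Ruby and exercises find_user, access_denied!, login_required and the remote_property_name override for the proxy case, including the two ways a request ends up unauthenticated: no variable at all, and a name Apache accepted that has no User row.

```ruby
# Added example, not the plugin's code. RemoteUserDemo, FakeRequest,
# DemoController, ProxiedController, USERS and run_filter are names
# chosen for this example only.
module RemoteUserDemo
  # Name of the CGI variable Apache sets. Under CGI/FastCGI this is
  # REMOTE_USER; behind a proxy using the RequestHeader rule it arrives as
  # HTTP_REMOTE_USER, so controllers override this method.
  def remote_property_name
    "REMOTE_USER"
  end

  # Resolve the authenticated user once per request. Apache already did the
  # authentication; this only maps the name to a model via find_user.
  # A missing or blank variable means nobody is logged in.
  def current_user
    return @current_user if defined?(@current_user)
    name = request.env[remote_property_name]
    @current_user = (name.nil? || name.strip.empty?) ? nil : find_user(name)
  end

  def logged_in?
    !current_user.nil?
  end

  # before_filter target: true lets the action run; otherwise access_denied!
  # is called and its false return value halts the filter chain.
  def login_required
    logged_in? || access_denied!
  end
end

# Stand-in for ActionController's request object; only env is needed here.
class FakeRequest
  attr_reader :env

  def initialize(env)
    @env = env
  end
end

# Constructed user store standing in for the User model.
USERS = {
  "alice" => { :name => "alice", :admin => true },
  "bob"   => { :name => "bob",   :admin => false }
}

class DemoController
  include RemoteUserDemo
  attr_reader :request, :redirected_to

  def initialize(env)
    @request = FakeRequest.new(env)
  end

  # Step 3: load the user model for the name Apache authenticated.
  def find_user(remote_name)
    USERS[remote_name]
  end

  # Step 4: stands in for `redirect_to access_denied_path and return false`.
  def access_denied!
    @redirected_to = "/access_denied"
    false
  end
end

# Step 6: proxy deployment, where the value arrives as an HTTP header and
# the CGI/Rack environment therefore names it HTTP_REMOTE_USER.
class ProxiedController < DemoController
  def remote_property_name
    "HTTP_REMOTE_USER"
  end
end

# Run the login_required filter against a given env and report the outcome.
def run_filter(klass, env)
  c = klass.new(env)
  allowed = c.login_required
  {
    :allowed       => allowed,
    :user          => c.current_user && c.current_user[:name],
    :redirected_to => c.redirected_to
  }
end

if __FILE__ == $0
  p run_filter(DemoController, "REMOTE_USER" => "alice")
  p run_filter(DemoController, {})
  p run_filter(ProxiedController, "HTTP_REMOTE_USER" => "bob")
  p run_filter(ProxiedController, "REMOTE_USER" => "bob")   # wrong variable for a proxy
  p run_filter(DemoController, "REMOTE_USER" => "mallory") # authenticated, but no User row
end
```

The last two cases are the ones that bite in practice: a controller behind a proxy that forgets to override remote_property_name denies everyone, and a name Apache accepted but your application does not know is treated as not logged in rather than as some default user.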