WebAuth + Apache/Mongrel + RoR

Russ Allbery eagle at windlord.stanford.edu
Mon Jun 22 15:47:56 PDT 2009


Phil Lacroute <lacroute at stanford.edu> writes:

> I'm developing a Ruby-on-Rails application for a group within the
> Stanford domain and I'd like to use webauth to authenticate users.
> Currently we are using Apache proxying to mongrel which runs the RoR
> code.  We put the authentication directives in the apache config, but
> because of the proxying the application does not have access to the
> username (which it needs).  I'm aware of the RequestHeader directive
> for forwarding environment variables but I'm concerned about the
> security of this approach.

What do you find concerning about the security of that approach?  It's
the approach we're using all over the place for Tomcat, if I understand
it properly.  Just make sure that mongrel will only talk to Apache (by
listening only to localhost, for instance).

-- 
Russ Allbery <eagle at windlord.stanford.edu>
Technical Lead, ITS UNIX Systems and Applications, Stanford University
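The check discussed in this thread, seen from the application side, as an added example that is not part of the original messages or of WebAuth: a Rack-style guard that accepts the forwarded username only when the connection comes from the local Apache proxy. The class name, the `X-Forwarded-User` header, the `app.authenticated_user` key and the username pattern are assumptions; Apache is assumed to overwrite that header with the authenticated user (for example with `RequestHeader set`), so a value sent by the client never reaches the backend.

```ruby
# Added example (hypothetical names): trust the proxy-supplied username only
# when the TCP peer is the local Apache front end.
class ForwardedUserGuard
  # Assumed header name; the backend sees "X-Forwarded-User" under this
  # CGI-style key.
  USER_HEADER = "HTTP_X_FORWARDED_USER"
  # Peers allowed to assert an identity: loopback only, matching a backend
  # bound to localhost.
  TRUSTED_PEERS = %w[127.0.0.1 ::1].freeze
  # Assumed username shape; rejects control characters and header splitting.
  USERNAME = /\A[a-z0-9._-]{1,64}\z/i

  def initialize(app, trusted_peers: TRUSTED_PEERS)
    @app = app
    @trusted_peers = trusted_peers
  end

  def call(env)
    peer = env["REMOTE_ADDR"].to_s
    unless @trusted_peers.include?(peer)
      # A request that bypassed Apache carries an identity nobody verified.
      env.delete(USER_HEADER)
      return deny(403, "direct access to the backend is not permitted")
    end

    user = env[USER_HEADER].to_s
    return deny(401, "no authenticated user supplied by the proxy") unless user.match?(USERNAME)

    # Hand the verified name to the application under a key it controls.
    env["app.authenticated_user"] = user
    @app.call(env)
  end

  private

  def deny(status, message)
    [status, { "Content-Type" => "text/plain" }, ["#{message}\n"]]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed requests: one via the local proxy, one from another host.
  inner = ->(env) { [200, {}, ["hello #{env['app.authenticated_user']}\n"]] }
  guard = ForwardedUserGuard.new(inner)
  puts guard.call("REMOTE_ADDR" => "127.0.0.1", USER_HEADER_KEY = "HTTP_X_FORWARDED_USER" => "jdoe").first
  puts guard.call("REMOTE_ADDR" => "10.0.0.5", "HTTP_X_FORWARDED_USER" => "admin").first
end
```

This is a second layer behind the localhost-only listener, not a replacement for it: any process on the same host can still connect to the backend port.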



More information about the webauth-info mailing list