WebAuth + Apache/Mongrel + RoR
Russ Allbery
eagle at windlord.stanford.edu
Mon Jun 22 15:47:56 PDT 2009
Phil Lacroute <lacroute at stanford.edu> writes:
> I'm developing a Ruby-on-Rails application for a group within the
> Stanford domain and I'd like to use webauth to authenticate users.
> Currently we are using Apache proxying to mongrel which runs the RoR
> code. We put the authentication directives in the apache config, but
> because of the proxying the application does not have access to the
> username (which it needs). I'm aware of the RequestHeader directive
> for forwarding environment variables but I'm concerned about the
> security of this approach.
What do you find concerning about the security of that approach? It's
the approach we're using all over the place for Tomcat, if I understand
it properly. Just make sure that mongrel will only talk to Apache (by
listening only to localhost, for instance).
--
Russ Allbery <eagle at windlord.stanford.edu>
Technical Lead, ITS UNIX Systems and Applications, Stanford University
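
An added example, not part of the original message or of WebAuth itself: a Rack-style check on the application side of the setup discussed above, which accepts the forwarded username only when the connection comes from the local Apache and otherwise fails closed. The header name `X-WebAuth-User`, the env key `app.authenticated_user` and the username pattern are assumptions made for this sketch; it complements binding mongrel to localhost rather than replacing it.

```ruby
require 'ipaddr'

# Rack-style middleware (plain Ruby, no gems): trusts the proxy-supplied
# identity header only when the TCP peer is the local Apache front end.
class TrustedProxyUser
  # Assumption: Apache forwards the WebAuth identity in this header, e.g.
  #   RequestHeader set X-WebAuth-User "%{WEBAUTH_USER}e"
  HEADER = 'HTTP_X_WEBAUTH_USER'
  # Constructed username policy for this example; adjust to local rules.
  USER_RE = /\A[a-z][a-z0-9_-]{0,31}\z/

  def initialize(app)
    @app = app
  end

  def call(env)
    # Anything that did not arrive over loopback bypassed Apache: refuse it.
    return deny(403, 'direct access not allowed') unless loopback?(env['REMOTE_ADDR'])

    # A missing or malformed header means Apache did not authenticate anyone.
    user = env[HEADER].to_s
    return deny(401, 'no authenticated user') unless user.match?(USER_RE)

    env['app.authenticated_user'] = user
    @app.call(env)
  end

  private

  def loopback?(addr)
    return false if addr.to_s.empty?
    IPAddr.new(addr.to_s).loopback?
  rescue IPAddr::Error
    false
  end

  def deny(status, msg)
    [status, { 'Content-Type' => 'text/plain' }, [msg]]
  end
end

# Constructed demo application and request helper, for illustration only.
DEMO_APP = TrustedProxyUser.new(
  ->(env) { [200, { 'Content-Type' => 'text/plain' }, ["hello #{env['app.authenticated_user']}"]] }
)

def demo_status(remote_addr, user = nil)
  env = { 'REMOTE_ADDR' => remote_addr }
  env['HTTP_X_WEBAUTH_USER'] = user if user
  DEMO_APP.call(env).first
end
```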