Advice on HTTP authentication scheme (using request headers)


Problem description

I have a Rails app hosted on Heroku that I am restricting access to by using a proxy service. The external server acts as an intermediary for all requests and handles user authentication. Once a user has authenticated, the server (I think LDAP) adds the user name to the request header and redirects them to my app.

I would like to use the username from the request header to authenticate users in my app. Basically, if the user doesn't exist I would create a user with that username (no password required), and otherwise I would just log them in. I will be storing the users in my app's database.

How should I do this? Is it possible to use Devise for this purpose?

Edit: I got it working with a Devise/custom Warden strategy like this:

# config/initializers/my_strategy.rb
# Custom Warden strategy: trust the username that the proxy placed in a
# request header. "my_key" and "proxy_url" are the poster's placeholders for
# the real header name and the proxy's URL.
Warden::Strategies.add(:my_strategy) do
  # Run this strategy on every request; authenticate! decides the outcome.
  def valid?
    true
  end

  def authenticate!
    username = request.headers["my_key"]

    if username.blank?
      # No header: the request did not come through the proxy. redirect! halts
      # the strategy and sends the user to the proxy. The original called fail!
      # and then redirect!, which overwrote the failure result, so only one of
      # the two is needed; the message is passed through redirect!'s options.
      redirect!("proxy_url", {}, message: "You are not authorized to view this site.")
    else
      # Auto-provision the user on first sight, otherwise reuse the record.
      user = User.find_by_username(username) || User.create!(:username => username)
      success!(user)
    end
  end
end

# config/initializers/devise.rb
config.warden do |manager|
  # Try the header strategy before Devise's default (database) strategies.
  manager.default_strategies(:scope => :user).unshift :my_strategy
end

I need to make this as bulletproof as possible. Are there other security measures I can take to make sure someone can't spoof the request header and access my site?
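The spoofing concern in the question is real: a Heroku app has a public hostname, so anyone who knows it can send a request straight to the app with the username header already filled in, bypassing the proxy entirely. The strategy above trusts the header as-is. The check below is an added example, not code from the question or from Devise/Warden: it assumes the proxy can be configured to add a timestamp header and an HMAC-SHA256 signature over the username and timestamp using a secret shared only between the proxy and the app, so the app can distinguish a header written by the proxy from one typed in by a client. The header names (X-Proxy-User, X-Proxy-Ts, X-Proxy-Sig), the 300-second freshness window and the "user|timestamp" message format are assumptions for the example.

```ruby
require "openssl"

# Added example: binds the proxy-supplied username to a shared secret so the
# app can tell a header set by the proxy from one set by a client. Header
# names, the 300 s window and the "user|timestamp" format are assumptions for
# this example, not something the proxy in the question is known to support.
module ProxyHeaderAuth
  USER_HEADER = "HTTP_X_PROXY_USER"  # Rack env name for X-Proxy-User
  TS_HEADER   = "HTTP_X_PROXY_TS"    # X-Proxy-Ts, Unix time in seconds
  SIG_HEADER  = "HTTP_X_PROXY_SIG"   # X-Proxy-Sig, hex HMAC-SHA256
  MAX_SKEW    = 300                  # seconds a signed header stays valid

  # Proxy side (for illustration): the headers the proxy would add after it
  # has authenticated the user.
  def self.sign(username, ts, secret)
    {
      USER_HEADER => username,
      TS_HEADER   => ts.to_s,
      SIG_HEADER  => hmac(secret, "#{username}|#{ts}"),
    }
  end

  # App side: return the username if the headers are authentic and fresh,
  # nil otherwise. `env` is the Rack env (request.env inside a Warden strategy).
  def self.verify(env, secret, now: Time.now.to_i)
    user, ts, sig = env[USER_HEADER], env[TS_HEADER], env[SIG_HEADER]
    return nil if user.nil? || user.empty? || ts.nil? || sig.nil?
    return nil unless ts =~ /\A\d+\z/
    return nil if (now - ts.to_i).abs > MAX_SKEW  # stale or replayed
    expected = hmac(secret, "#{user}|#{ts}")
    secure_compare(expected, sig) ? user : nil
  end

  def self.hmac(secret, data)
    OpenSSL::HMAC.hexdigest("SHA256", secret, data)
  end

  # Constant-time comparison so a forger cannot learn the signature byte by byte
  # from response timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Constructed sample: a header set signed by the proxy, then the same request
# as a client would forge it (username header only, no signature).
SECRET = "example-shared-secret"
SIGNED_ENV = ProxyHeaderAuth.sign("alice", 1_700_000_000, SECRET)
FORGED_ENV = { "HTTP_X_PROXY_USER" => "admin" }

if __FILE__ == $PROGRAM_NAME
  puts ProxyHeaderAuth.verify(SIGNED_ENV, SECRET, now: 1_700_000_010).inspect  # "alice"
  puts ProxyHeaderAuth.verify(FORGED_ENV, SECRET, now: 1_700_000_010).inspect  # nil
end
```

In the strategy above this replaces the bare header read: `username = ProxyHeaderAuth.verify(request.env, ENV["PROXY_SECRET"])`, followed by `redirect!`/`fail!` when it returns nil. The secret must never reach the client, rotating it invalidates every outstanding header, and the timestamp window only limits how long a captured header can be replayed; if the proxy cannot add a signature at all, the remaining option is to make the app unreachable except from the proxy, which a public Heroku hostname does not give you by itself.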

Recommended answer

I think using Devise can be a little overkill, but you can. You just need to define a Warden strategy, either in Devise or using only Warden for this purpose.
