I am developing a little application within instantrails, suppose to work in an intranet environment.
The application let user book a part number, by filling some information. For better user experience, I plan to capture the username at the other end that make the booking, instead of creating another layer of login feature and require the user to login again. There is no complex authentication needed, just capture the username and store it together with other information.
ENV[‘user’] will give you the username that has the rails application running, which is not what we want.
ENV[‘remote_user’] return nothing at all.
I read through quite a few discussions on the net, it seems like apache didn’t actually pass the remote_user value to mongrel, hence rails application couldn’t call out remote_user. To fix that, we will need to modify on the apache configuration file, httpd.conf, and .htaccess. Admittedly, I really know close to nothing about the setup of these files, and have a hard time following the suggested steps, as to where to add the suggested line of codes, which file to modify, etc, etc.
So I figure, if we forgo apache in the setup, will it be easier to fetch the remote_user value directly from mongrel? or from thin if it is the web server being used.
But still, I just couldn’t get it working.
Is there any gem or plugin need to be installed before this remote_user tingy can be pass to rails application?
Anton
Hi!
May be ENV[‘LOGNAME’] you need?
kahfei
Hi Anton,
Thanks for the advise.
Tried that, but didn’t work though.
Are there any prerequisite for that to work?
Anton
Try this:
script/console(rails console in rails 3)
puts ENV.inspect
kahfei
Hi Anton,
Hmmm…seems it didn’t really show up any information about the user name on the client side, all the info from ENV.inspect are from the server…
Kevin
If you’re going to access it in Rails, you need request.env[‘HTTP_REMOTE_USER’] (note: ‘request.env’, ‘HTTP_’ and uppercase). But that doesn’t work if your mongrels are proxied behind Apache (or nginx or lightty or whatever).
In any case, it sounds like what you’re trying to do is grab the user’s *desktop* username, which isn’t really possible (you might be able to do AD-integrated HTTP BASIC authentication, but then you’re tied to Windows and IE). It’s also _totally_ insecure to trust what someone’s browser says is their username—I could make my browser tell you my username is ‘admin’ and get full access without authentication. Even if it’s for an “intranet” app, if that app is on an Internet-accessible web server, you’re vulnerable.
What I do for our intranet site is HTTP BASIC auth thru Apache, which then proxies the username as I described in my post (which you referenced—http://kbullock.ringworld.org/2010/06/05/apache-rails-and-remote_user/). You might check out the Apache docs on setting up authentication (http://httpd.apache.org/docs/2.2/howto/auth.html). In addition, in order to duplicate my setup, you need to have “AllowOverride all” set on your virtualhost or directory in the Apache config, so that the .htaccess file in your RAILS_ROOT/public/ folder gets used.
Hope that’s helpful.
kahfei
Hi Kevin, thanks for dropping by, and your advice…really appreciate it.
Ya, that is what I understand from various discussions and articles on the net that if mongrels are proxied behind apache, we wouldn’t be able to get ‘HTTP_REMOTE_USER’.
Basically, it is an intranet application, and the capturing of username is not for any user authentication or authorization purpose, solely to fill up the creator field in the record, and the user base don’t really have a lot of administrator rights on their computer (running Windows), so what they could do with it is pretty limited.
But I fully agree that it is not a secure way of handling this. Will look further on your post and the apache docs, or I might just let the user fill in a free text field for that information, just to save the hustle. :-).
Thanks again.