In my Rails 2.3 app we have an admin section that is protected by basic HTTP authentication. This has worked on our production and staging environments for years. Recently I setup a new environment to demo a long-running feature branch, and to differentiate between that and the other staging server I set it to run using a custom "redesign" environment. So now my Admin::BaseController
looks like this:
class Admin::BaseController < ApplicationController
before_filter :verify_access
def verify_access
logger.info "\n\n-- running verify_access filter on #{RAILS_ENV}\n"
if %w(production staging redesign).include?(RAILS_ENV)
logger.info "\n-- should send authentication\n"
authenticate_or_request_with_http_basic("Restricted Access") do |username, password|
logger.info "\nauthentication received: {username}::#{password}\n"
username == 'myusername'
password == 'mypassword'
end
end
end
end
For some reason, the new server ALWAYS responds Unauthorized and doesn't offer any login dialog, not even if I quit and reopen my browser, not even if I use a private browser session, not even if I specify a username in the URL (i.e. http://username@www.mysite.com/admin
). It just automatically redirects me to the root and adds ?unauthorized=true
to the query string, though no where in my application code is there anything that would do that.
I know it's hitting the verify_access filter, because I can see it in the log file:
Processing Admin::OrdersController#index (for xx.xx.xx.xx at 2014-05-09 05:56:59) [GET]
Parameters: {"action"=>"index", "controller"=>"admin/orders"}
-- running verify_access filter on redesign
-- should send authentication
Filter chain halted as [:verify_access] rendered_or_redirected.
Completed in 25ms (View: 21, DB: 1) | 401 Unauthorized [http://www.mydomain.com/admin/orders]
Processing IndexController#show (for xx.xx.xx.xx at 2014-05-09 05:56:59) [GET]
Parameters: {"action"=>"show", "controller"=>"index", "unauthenticated"=>"true"}
Rendering index/show
Completed in 30ms (View: 27, DB: 3) | 200 OK [http://www.mydomain.com/?unauthenticated=true]
In the networking panel in Chrome, the request for the admin page actually shows that it's receiving a 302 Found response from the server, even though Rails is sending a 401 Unauthorized.
GET /admin/orders HTTP/1.1
Host: www.mydomain.com
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: _myapp_session=xxx
HTTP/1.1 302 Found
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
Status: 302
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.10
Location: /?unauthenticated=true
Server: nginx/0.7.65 + Phusion Passenger 2.2.10 (mod_rails/mod_rack)
The new server is a clone of the original staging server, so the architecture is exactly the same, and all the same chef recipes were used. Any ideas on what's going on here?