authenticating in Apache *before* Rails

I have a requirement where I need to authenticate a user connection BEFORE it is handed off to Rails. Normally this is handled via an .htacess file or use mod_auth_ldap or something similar. Here's the rub... I want Rails to be the sole writer of login & password information. This means I need to get Apache to read the Rails database and compare the HTTP credentials to the contents therein.

Anyone do this before? What mod_* did you use for Apache? Is there another methodology or mechanism I should be investigating? Am I stuck with moving all user data into LDAP and requiring both Apache and Rails to use it?

I looked at adding a simple DB lookup to a Mongrel handler, but for my purposes the handler would run too late (i.e. after the entire HTTP body is read). I need this authentication to run as soon as the header is complete. Plus, the Mongrel docs are pretty clear in saying that authentication should be handled outside Mongrel by a static HTTP server, Mongrel isn't all things to all people, it's just a pure HTTP server, etc.

Thanks for your input.


If your user DB is just a plain old relational database, there should be an apache mod_auth_* module for it. mod_auth_mysql, mod_auth_oracle, mod_auth_odbc, etc. Whether you'll have to modify the module or modify your Rails app's database a bit so they're speaking the same kind of password encryption is a question, but the ready-made Rails user auth schemes out there are just querying one or two perfectly ordinary tables, nothing exotic about them, and apache servers authenticate against that sort of table all the time.