I am a rails noob. I am having a problem conceptualizing how assets work in an authenticated system.

All of the tutorials I've seen so far talk about putting your swfs in the public folder and embedding them in your view. However, the swf I'm using is a flex gui that should only be used by users logged-in through restful-authentication. I imagine that putting the gui into the public folder would be defeating the whole purpose of having an authentication system.

So what is everybody doing to restrict access to this kind of static content?

+4  A: 

You want to be a bit careful here. If your system is properly secured, an unauthenticated user who has the Flex GUI can't use it, right? He would also have to be logged in. So, is there any reason not to let any user download the SWF file?

If having the SWF file alone is enough "authentication" to use the site, you have a security hole. Consider

a) A user could give a copy of the downloaded SWF file to someone else, who could then use it, even if he were unable to download it from your site.

b) The Flex GUI uses HTTP to communicate with your site, to retrieve data and send commands. Anybody can write a program or use other means to send the same HTTP requests, without using the Flex GUI.

Curt Sampson
That makes a hell of a lot of sense. I'm going to require login for all of the controllers, and put the swf in public. Thanks!
krispyfi
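As an added example (not code from the original post, nor from restful-authentication), here is the plan described above written as a small Rack-convention Ruby app: the SWF under public/ is served to anyone, while every action the GUI talks to is gated on the server-side session, so merely holding the SWF grants nothing. The session store, the /gui.swf asset and the /api/data path are constructed placeholders.

```ruby
require 'json'

# Constructed session store standing in for restful-authentication's
# session lookup: session id -> login. Nothing here is tied to the SWF.
SESSIONS = { 'sid-alice' => 'alice' }.freeze

# Files under public/: served to anyone, authenticated or not.
PUBLIC_ASSETS = { '/gui.swf' => 'FWS(constructed swf bytes)' }.freeze

class FlexApp
  # Rack-style entry point: env is a Hash, returns [status, headers, body].
  def call(env)
    path = env['PATH_INFO']
    if PUBLIC_ASSETS.key?(path)
      return [200, { 'Content-Type' => 'application/x-shockwave-flash' },
              [PUBLIC_ASSETS[path]]]
    end

    # Equivalent of a global `before_filter :login_required`: every
    # controller action the GUI calls checks the session cookie first.
    # Deliberately no User-Agent/Referer check: those are client-supplied
    # and prove nothing about who is holding the SWF.
    login = current_login(env)
    return json(401, 'error' => 'login required') unless login

    case path
    when '/api/data' then json(200, 'login' => login, 'items' => [1, 2, 3])
    else json(404, 'error' => 'not found')
    end
  end

  private

  def current_login(env)
    sid = env['HTTP_COOKIE'].to_s[/session_id=([^;]+)/, 1]
    SESSIONS[sid]
  end

  def json(status, payload)
    [status, { 'Content-Type' => 'application/json' }, [payload.to_json]]
  end
end

# Helper: build a minimal Rack env and dispatch it through the app.
def request(path, session_id: nil)
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => path }
  env['HTTP_COOKIE'] = "session_id=#{session_id}" if session_id
  FlexApp.new.call(env)
end
```

Any client that replays the GUI's HTTP requests gets exactly the same treatment as the GUI itself: without a valid session it sees a 401, which is why the SWF can safely live in public/.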