Thin, Sinatra, and intercepting static file request to do CAS authentication

I'm using the casrack-the-authenticator gem for CAS authentication. My server is running Thin on top of Sinatra. I've gotten the CAS authentication bit working, but I'm not sure how to tell Rack to intercept "/index.html" requests to confirm the CAS login, and if the user is not allowed to view the page, return an HTTP 403 response instead of serving the actual page. Does anyone have experience with this? Thanks.

My app:

class Foo < Sinatra::Base
    enable :sessions
    set :public, "public"
    use CasrackTheAuthenticator::Simple, :cas_server => "https://my.cas_server.com"
    use CasrackTheAuthenticator::RequireCAS

    get '/' do
        puts "Hello World"
    end
end

My rackup file:

require 'foo'

use Rack::CommonLogger
use Rack::Lint

run Foo

Initial attempt at getting Rack to understand authentication in its file service (comments and thoughts welcome):

builder = Rack::Builder.new do
    map '/foo/index.html' do
        run Proc.new { |env|
            user = Rack::Request.new(env).session[CasrackTheAuthenticator::USERNAME_PARAM]
            [401, { "Content-Type" => "text/html" }, "CAS Authentication Required"] unless user
            # Serve index.html because we detected user
         }
    end

    map '/foo' do
        run Foo
    end
end

run builder


Casrack-the-Authenticator will put the CAS information into the Rack session. You can pull that out in another piece of Rack middleware or in your Sinatra app.

The following is for a Rails application, but the concept is similar for Sinatra or a Rack middleware:

# in app/controllers/application_controller.rb:
protected

def require_sign_in!
  render :nothing => true, :status => 403 unless signed_in?
end

def signed_in?
  current_user.present?
end

def current_user
  @current_user ||= Person.find_by_username(session[CasrackTheAuthenticator::USERNAME_PARAM])
end
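
The answer above says the CAS username can be read from the Rack session in another piece of middleware. An added example of that idea (not part of the original answer or of the gem): a guard in front of the static file handler that returns 403 unless the session holds a username. The class name `RequireCasForStatic` and its `session_key:` and `protect:` parameters are assumptions; pass the gem's `CasrackTheAuthenticator::USERNAME_PARAM` as the key.

```ruby
# Added example (not from the original thread): Rack middleware that returns
# 403 for protected static paths unless the CAS session carries a username.
class RequireCasForStatic
  # session_key: key the CAS middleware stores the username under
  #   (per the thread, CasrackTheAuthenticator::USERNAME_PARAM).
  # protect: exact paths or directory prefixes to guard (assumed default).
  def initialize(app, session_key:, protect: ["/index.html"])
    @app = app
    @session_key = session_key
    @protect = protect.map { |p| canonical(p) }
  end

  def call(env)
    path = canonical(env["PATH_INFO"].to_s)
    return @app.call(env) unless protected_path?(path)

    session = env["rack.session"] || {} # no session middleware => deny
    user = session[@session_key].to_s
    return forbidden if user.empty?

    @app.call(env) # authenticated: let the static file server answer
  end

  private

  # Compare paths in canonical form so "/./index.html", "//index.html" or
  # "/%69ndex.html" are treated the same as "/index.html".
  def canonical(path)
    decoded = path.b.gsub(/%([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
    parts = []
    decoded.split("/").each do |seg|
      next if seg.empty? || seg == "."
      seg == ".." ? parts.pop : parts << seg
    end
    "/" + parts.join("/")
  end

  def protected_path?(path)
    @protect.any? { |p| path == p || path.start_with?(p + "/") }
  end

  def forbidden
    [403, { "Content-Type" => "text/plain" }, ["Forbidden\n"]]
  end
end
```

Mount it with `use` after the session and CAS middleware so that `env["rack.session"]` is already populated when the guard runs.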