I want to set up a private staging server on heroku using simple http authentication. Is that possible?

Absolutely. The simplest solution is to just put something in your application controller that uses Rails's built in basic auth support (see here: http://railscasts.com/episodes/82-http-basic-authentication) and just wrap it in a conditional for your Rails.env. Note that on Heroku, by default the RAILS_ENV is set to production, but you can change this for your non-production apps using heroku config (http://docs.heroku.com/config-vars).

You could also consider installing some roadblock-style Rack middleware, but I'd just go with the above.

A cleaner way is to just drop in a couple lines of Rack middleware into your staging environment config, leaving controller logic alone:

# config/environments/staging.rb
MyApp::Application.configure do
  config.middleware.insert_after(::Rack::Lock, "::Rack::Auth::Basic", "Staging") do |u, p|
    [u, p] == ['username', 'password']
  end

  #... other config
end

This tip courtesy of Ole Morten Amundsen. More info plus Heroku password specification:

http://olemortenamundsen.wordpress.com/2011/04/05/ruby-secure-staging-environment-of-your-public-app-from-users-and-bots/

On Rails4, I got "No such middleware to insert after: Rack::Lock" error. Replace Adam's code to the below:

# config/environments/staging.rb
MyApp::Application.configure do
  config.middleware.use '::Rack::Auth::Basic' do |u, p|
    [u, p] == ['username', 'password']
  end
  # ...
end

See: http://www.intridea.com/blog/2013/6/4/tips-and-tricks-for-deploying-rails-4-apps-on-heroku

There is a nice heroku add-on that uses Mozilla Persona for authentication. It's free for low-volume sites (under 10,000 authentications per month):

https://addons.heroku.com/wwwhisper

Very easy to install and configure.

Another way to do it using the application_controller.rb:

  # app/controllers/application_controller.rb
  before_filter :http_basic_auth

  def http_basic_auth
    if ENV['HTTP_AUTH'] =~ %r{(.+)\:(.+)}
      unless authenticate_with_http_basic { |user, password|  user == $1 && password == $2 }
        request_http_basic_authentication
      end
    end
  end

and then you need to export your values: for development:

 export HTTP_AUTH=test:test

For heroku:

 heroku config:set HTTP_AUTH=test:test

Now when the window prompt you should enter for user/password => test/test.

That's it hope you find it useful.

Updated answer for Rails 5. In your config/application.rb or selected environment config:

config.middleware.use(Rack::Auth::Basic) do |u, p|
  [u, p] == ["user", "password"]
end

Additionally it's been pointed out in Ole's blog post to use ENV vars. I'd add that defaulting to a random password is a good idea in case the env var is not set:

config.middleware.use(Rack::Auth::Basic) do |u, p|
  [u, p] == [ENV['USER'], ENV['PASSWORD'] || SecureRandom.hex]
end