Blog

Archive for February, 2009


Rails authentication plugins and single sign-on

Posted by: Shay  /  Comments: 2

The topic of tonight’s meeting of the Raleigh Ruby Brigade was Rails Authentication Options, and featured a presentation by Aaron Bedra of Relevance.

Some of the plugins and gems Aaron mentioned were quite familiar to me, such as Restful Authentication and Clearance.  Others, like Authlogic, I hadn’t seen before.

I scribbled some notes during Aaron’s talk and figured someone might find them useful:

###

Rails Authentication Plugins

Restful Authentication

  • simple authentication
  • a small, single application for user authorization
  • the authors of the plugin have done their homework, and seem to have a better overall understanding of how authentication should work
  • lots of great documentation surrounding this plugin
  • the current release doesn’t really have developer-friendly tests, however

Authlogic

  • cleaner code base
  • easy to install
  • script/plugin install …, run a generator, run the migrations… and you’re up and running
  • tests tied to Shoulda test framework

Clearance

  • new
  • clean code, lots of tests

All of the above:

  1. are easy to install
  2. have decent tests built in
  3. are non-transferable: each app keeps its own users and sessions, so a login doesn’t carry over to another app (which is what the single sign-on servers below address)
  4. are great for single apps that aren’t that big

Single Sign On Authentication Servers

Central Authentication Service

  • CAS… originally a Java project

RubyCAS-Server

  • bundling apps together on a server
  • tests aren’t amazing

Castronaut

  • a CAS implementation that’s a little more sound, with good tests
  • a CAS server should say, “hey, authentication source… is this user cool with us?”
  • has adapters for the different authentication systems
  • it’s easier to maintain adapters than the code base
  • can run multiple authentication sources… e.g. against an LDAP directory and a database
  • can have fallback authentication sources… “try here, if that fails, try here”
  • to use a proprietary auth system, all you have to do is write the adapter, and you’re done
  • for multiple-domain authentication, where there might be an app on one domain and an app on another, you have to write another layer of CAS, and there’s the issue of domain trust
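
Here is an added illustration of the adapter-and-fallback design those notes describe. It is example code written for this post, not Castronaut’s or RubyCAS-Server’s own API; the class names, the in-memory user tables and the sample credentials are all made up for the demonstration. The point it adds is the one that bites people building fallback chains: a chain should only fall through when a source has never heard of the user. If the directory knows the user and rejects the password, the chain must stop there rather than retry that password against a weaker or stale source.

```ruby
require 'openssl'

# Result vocabulary for one authentication source. The third state is what
# makes safe fallback possible: "unknown here" is not the same as "wrong
# password here". (Names invented for this example; not Castronaut's API.)
module AuthResult
  OK        = :ok         # credentials accepted by this source
  NOT_FOUND = :not_found  # user does not exist in this source; try the next one
  REJECTED  = :rejected   # user exists here but the password is wrong; stop
end

# Stands in for an LDAP directory bind. The in-memory table is constructed
# sample data; a real adapter would attempt a bind with the credentials.
class LdapSource
  def initialize(entries)
    @entries = entries # { username => password } as the directory would check it
  end

  def authenticate(username, password)
    return AuthResult::NOT_FOUND unless @entries.key?(username)
    @entries[username] == password ? AuthResult::OK : AuthResult::REJECTED
  end
end

# Stands in for the application's own user table, which stores a salted,
# iterated hash instead of the password.
class DatabaseSource
  ITERATIONS = 10_000

  def initialize
    @users = {} # username => [salt, digest]
  end

  def add_user(username, password)
    salt = OpenSSL::Random.random_bytes(16)
    @users[username] = [salt, digest(password, salt)]
  end

  def authenticate(username, password)
    salt, stored = @users[username]
    return AuthResult::NOT_FOUND if salt.nil?
    secure_equal?(stored, digest(password, salt)) ? AuthResult::OK : AuthResult::REJECTED
  end

  private

  def digest(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, 'sha256')
  end

  # Constant-time comparison so timing does not leak how much of the digest matched.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# "Try here, if fail, try here" done safely: only NOT_FOUND falls through.
# A REJECTED answer ends the chain, otherwise a password the directory just
# refused would be retried against every later (possibly stale) source.
class AuthenticationChain
  def initialize(sources)
    @sources = sources
  end

  def authenticate(username, password)
    @sources.each do |source|
      result = source.authenticate(username, password)
      return result unless result == AuthResult::NOT_FOUND
    end
    AuthResult::NOT_FOUND
  end
end

# Constructed sample setup: alice lives in the directory (and has a stale local
# record), bob only exists in the database.
def build_demo_chain
  ldap = LdapSource.new('alice' => 'directory-pw')
  db = DatabaseSource.new
  db.add_user('bob', 'db-pw')
  db.add_user('alice', 'stale-db-pw')
  AuthenticationChain.new([ldap, db])
end

if __FILE__ == $PROGRAM_NAME
  chain = build_demo_chain
  p chain.authenticate('alice', 'directory-pw') # :ok from the directory
  p chain.authenticate('bob', 'db-pw')          # :ok after falling through to the database
  p chain.authenticate('alice', 'stale-db-pw')  # :rejected, the chain does not fall through
  p chain.authenticate('carol', 'anything')     # :not_found everywhere
end
```

The third case is the one to test for in any real adapter chain: alice’s old database password still “works” against the database source, but because the directory already rejected her, the chain never asks.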

OAuth

  • used by Flickr
  • used by the major Google apps
  • Facebook is supposed to be supporting it
  • Rails plugin – code.google.com/p/oauth-plugin/
  • needs the Ruby oauth gem
  • Twitter is using the OAuth plugin
  • using OAuth returns control to the user, who can revoke keys at any time… unlike cached passwords
  • downside => fairly new
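
As an added example of what the OAuth plugin is doing on the wire, here is OAuth 1.0 HMAC-SHA1 request signing in plain Ruby. This is not the oauth gem’s code, and the consumer key, token, secrets, nonce and timestamp are constructed sample values. It shows the mechanism behind the “returns control” point: the application signs each request with the consumer secret and the token secret, never sees the user’s password, and once the provider revokes the token the same request simply stops verifying.

```ruby
require 'openssl'
require 'uri'

# OAuth 1.0 HMAC-SHA1 request signing, written out for this example
# (not the oauth gem's code). Default ports are assumed for the base URL.

# RFC 3986 percent-encoding as OAuth 1.0 requires it: only unreserved
# characters are left alone, and a space becomes %20 (never '+').
def oauth_escape(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

# Signature base string: METHOD & base URL & normalized parameters, where the
# parameters are the query string plus the oauth_* values, each name and value
# percent-encoded, then sorted, then joined with '=' and '&' and encoded again.
def signature_base_string(http_method, url, oauth_params)
  uri = URI.parse(url)
  base_url = "#{uri.scheme}://#{uri.host}#{uri.path}" # no query, no fragment
  query_params = uri.query ? URI.decode_www_form(uri.query) : []
  normalized = (query_params + oauth_params.to_a)
               .map { |k, v| [oauth_escape(k), oauth_escape(v)] }
               .sort
               .map { |k, v| "#{k}=#{v}" }
               .join('&')
  [http_method.upcase, base_url, normalized].map { |s| oauth_escape(s) }.join('&')
end

# HMAC-SHA1 over the base string, keyed with "consumer_secret&token_secret".
# At the request-token step the token secret is empty but the '&' stays.
def hmac_sha1_signature(base_string, consumer_secret, token_secret)
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  [OpenSSL::HMAC.digest('sha1', key, base_string)].pack('m0') # strict base64
end

def sign_request(http_method, url, oauth_params, consumer_secret, token_secret)
  hmac_sha1_signature(signature_base_string(http_method, url, oauth_params),
                      consumer_secret, token_secret)
end

# Constructed sample request. The consumer credentials identify the app; the
# token and its secret are what the user granted and can revoke at any time.
SAMPLE_URL = 'http://photos.example.net/photos?file=vacation.jpg&size=original'
SAMPLE_PARAMS = {
  'oauth_consumer_key'     => 'dpf43f3p2l4k3l03',
  'oauth_token'            => 'nnch734d00sl2jdk',
  'oauth_signature_method' => 'HMAC-SHA1',
  'oauth_timestamp'        => '1191242096',
  'oauth_nonce'            => 'kllo9940pd9333jh',
  'oauth_version'          => '1.0'
}.freeze
CONSUMER_SECRET = 'kd94hf93k423kf44'
TOKEN_SECRET    = 'pfkkdhi9sl3r4s00'

if __FILE__ == $PROGRAM_NAME
  puts signature_base_string('GET', SAMPLE_URL, SAMPLE_PARAMS)
  puts sign_request('GET', SAMPLE_URL, SAMPLE_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
end
```

The provider recomputes the same signature from the secrets it holds for that consumer and token; revoking the token removes the token secret from its side, so every request signed with it fails from then on, which is the property the notes contrast with a cached password.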

Other

Bcrypt

  • a password hashing algorithm for generating secure password hashes and the like
  • password hashing algorithms are often judged on how much CPU each hash costs; bcrypt has a tunable cost factor, so hashing can be made slower as hardware gets faster
  • bcrypt-ruby gem

Lessons

  • don’t roll your own authentication framework, leave it to the professionals
  • don’t do your own crypto
  • if the app is big or really security conscious… split admin concerns
  • create a separate admin application…don’t expose www.domain.com/admin to public
  • TEST
  • if you can…hire somebody to audit your authentication system and try to break into your app, a team of security experts preferably
  • don’t just take the plugin, install it, and assume it’s secure
  • when in doubt, ask for help from plugin creators, mailing lists, and the like

###
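
To make the bcrypt notes and the “don’t do your own crypto” lesson concrete, here is an added example of the difference between a home-grown password hash and a salted, cost-tunable one. It uses PBKDF2-HMAC-SHA256 from Ruby’s standard OpenSSL binding as a stand-in for bcrypt so it runs without the bcrypt-ruby gem; the iteration count plays the role of bcrypt’s cost factor. This is example code written for this post, not bcrypt-ruby’s code, and the passwords are constructed samples.

```ruby
require 'openssl'

# The home-grown scheme the talk warns against: one fast, unsalted digest.
# Two users with the same password get the same hash, and a GPU can test
# billions of guesses per second against it.
def naive_hash(password)
  OpenSSL::Digest::SHA1.hexdigest(password)
end

# Salted, cost-tunable hashing. PBKDF2-HMAC-SHA256 stands in for bcrypt here
# so the example needs only Ruby's OpenSSL binding; `iterations` plays the
# role of bcrypt's cost factor. (Example code, not bcrypt-ruby's.)
module PasswordHash
  DIGEST = 'sha256'
  KEY_LEN = 32
  SALT_LEN = 16
  DEFAULT_ITERATIONS = 100_000

  # Stored form: "pbkdf2-sha256$iterations$salt$digest" with base64 fields.
  # The cost travels with the record, so it can be raised later for new
  # hashes without breaking verification of old ones.
  def self.create(password, iterations: DEFAULT_ITERATIONS)
    salt = OpenSSL::Random.random_bytes(SALT_LEN)
    dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, KEY_LEN, DIGEST)
    ['pbkdf2-sha256', iterations.to_s, [salt].pack('m0'), [dk].pack('m0')].join('$')
  end

  def self.verify(password, stored)
    scheme, iterations, salt_b64, dk_b64 = stored.to_s.split('$', 4)
    return false unless scheme == 'pbkdf2-sha256' && dk_b64
    salt = salt_b64.unpack1('m0') # strict base64 decode
    expected = dk_b64.unpack1('m0')
    candidate = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations.to_i, expected.bytesize, DIGEST)
    secure_compare(expected, candidate)
  rescue ArgumentError # malformed base64 in a tampered or corrupt record
    false
  end

  # True when a stored hash was made with a lower cost than current policy,
  # so the app can re-hash it at the user's next successful login.
  def self.needs_rehash?(stored, iterations: DEFAULT_ITERATIONS)
    stored.to_s.split('$', 4)[1].to_i < iterations
  end

  # Constant-time comparison: don't leak how many leading bytes matched.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  stored = PasswordHash.create('correct horse', iterations: 50_000) # constructed sample password
  puts stored
  p PasswordHash.verify('correct horse', stored) # true
  p PasswordHash.verify('wrong horse', stored)   # false
  p PasswordHash.needs_rehash?(stored)           # true: policy is 100_000, the record used 50_000
  p naive_hash('hunter2') == naive_hash('hunter2') # true: identical for every user, no salt, no cost
end
```

In a Rails app you would keep the bcrypt-ruby gem for this rather than write it yourself; the stored format here just makes the cost visible, so the iteration count can be raised as hardware gets faster and old records re-hashed at the next login.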

Are there any other systems that you use for rails authentication or single sign-on?  Add your favs in the comments!

When you describe what your business does…

Posted by: Shay

…and it needs a nice little visualization, try grabbing yourself a Wordle and populating it with your Delicious bookmarks or your RSS feed.

Here’s a visualization of my Delicious bookmarks:

Shay Frendt's Wordle

Apparently I spend a lot of time researching rails, linux, and wordpress. Yup, sounds about right. What a geek!

Richmond Hill Reflections to develop an online presence for their locally distributed magazine

Posted by: Shay  /  Comments: 2

Forward-thinking Editorial Director Paige Glazer of the local magazine Richmond Hill Reflections recognized the need to develop an online presence for her print publication, and recently chose Shinefire Studios as her web development partner in crime.

Richmond Hill Reflections is currently distributed for free across the town of roughly 10,000 and is supported by local business advertisements.  The bi-monthly magazine showcases the “beauty and many unique characteristics” of the low country in and around Richmond Hill, Georgia.

We’re excited to have Richmond Hill Reflections on the project calendar, and look forward to working with Paige and her team.

Are there any features you’d like to see on their new website?  Let us know in the comments!

[Update]: The Reflections site is now live: http://www.richmondhillreflectionsmag.com/

How to quickly find a domain name

Posted by: Shay

Chances are, the domain name you’ve thought of for your new app or new business has already been taken.  Heck, I think we went through about 200 names (and therefore domain possibilities) before finally coming to Shinefire Studios and its respective URL.

The following process worked for us, and we suggest you try these steps out the next time you choose a domain:

  1. Create a shared Google Spreadsheet for easily logging and collaborating on potential names and URLs
  2. Hit up the thesaurus or wikipedia to maximize your business-naming potential
  3. Pick out your top 20 favorite names from the spreadsheet
  4. Try out each of the top 20 names on the super-quick domain checking site, Ajax Whois
How do you choose your domain names?  Let us know in the comments!

How to stay focused on sales as a small business

Posted by: Shay

This post is part of an ongoing series about how small businesses can use the latest cloud services to get up and running quickly, and how to be more efficient in their operations afterwards.

Having just decided to “go legit” as a small business, we wanted to make sure that, with all of the minutiae of day-to-day operations clouding our minds during these first few months, we still maintained a strong focus on sales and increasing cashflow: in particular, managing all the different contacts and businesses we’ve talked to and the deals we’re pursuing.  Also, we didn’t want to have to remember who to call when, or what the status of a deal was.

So the basic requirements were:

  • Incredibly easy to use
  • Decent feature list
  • Inexpensive but scalable
  • Email reminders
  • Web based

I’d seen Salesforce before, and although the testimonials seemed convincing and I’ve heard nothing but good things, you have to fill out a complete information sheet just to view a demo of their software.  That one’s out.

I’d also heard about SugarCRM…which ended up being quite pricey and a little too robust for the needs of a small business.

Having already been a (kind of obsessive) user of Basecamp, we gave Highrise a look.  We ended up not looking much further.

Here’s where Highrise started out right: “Start a Highrise Account: 30-day free trial, 60-second signup, web-based, nothing to install.”

I’m listening.

Next, they have a one-minute guided video tour to give you an overview.

Not only does it satisfy the aforementioned requirements, but you can actually forward correspondence (emails to/from your clients) to Highrise and it automatically files the conversation under the correct Contact.  Can you say time saver?

We started out with the free account which lets us manage up to 250 contacts, and one “Deal”.  Should be sufficient until things really start moving.

I have to say I’ve been quite pleased with how accountable it’s kept us.  Plus, we have our own custom login page:

shinefire-highrise-login

Here’s the TechCrunch post on the Highrise launch.

Update: Just discovered this page detailing how Google Apps and Salesforce have mashed up their product line.