Blog

17

FEB

Rails authentication plugins and single sign-on

Posted by: Shay  /  Tags: ,  /  Comments: 2

securityThe topic of tonight’s meeting of the Raleigh Ruby Brigade was Rails Authentication Options, and featured a presentation by Aaron Bedra of Relevance.

Some of the plugins and gems Aaron mentioned were quite familiar to me, such as Restful Authentication and Clearance.  Others, like Authlogic, I hadn’t seen before.

I scribbled some notes during Aaron’s talk and figured someone might find them useful:

###

Rails Authentication Plugins

Restful Authentication

  • simple authentication
  • a small, single application for user authorization
  • the authors of the plugin have done their homework, and seem to have a better overall understanding of how authentication should work
  • lots of great documentation surrounding this plugin
  • the current release doesn’t really have developer-friendly tests, however

Authlogic

  • cleaner code base
  • easy to install
  • script/plugin install …. run a generator, run the migrations….up and running
  • tests tied to Shoulda test framework

Clearance

  • new
  • clean code, lots of tests

All of the above:

  1. are easy to install
  2. have decent tests built in
  3. are non-transferable
  4. are great for single apps that aren’t that big

Single Sign On Authentication Servers

Central Authentication Service

  • CAS…originally a java project

Rubycas Server

  • bundling apps together on a server
  • tests aren’t amazing

Castronaut

  • CAS implementation that’s a little more sound and with good tests
  • A CAS server should say, “hey, authentication source…is this user cool with us?”
  • has adapters for the different authentication systems
  • easier to maintain adapters than the code base
  • can run multiple authentication sources…against LDAP directory & a database
  • can have fallback authentication sources…”try here, if fail, try here”
  • to use proprietary auth systems…all you have to do is write the adapter, and you’re done
  • to have multiple domain authentication…where there might be an app on one domain and an app on another domain, you have to write another layer of cas, and there’s the issue of domain trust

OAuth

  • used by Flickr
  • used by the major Google apps
  • Facebook supposed to be supporting it
  • rails plugin – code.google.com/p/oauth-plugin/
  • need ruby oath gem
  • twitter’s using the OAth plugin
  • using oath returns control, and can revoke keys at any time…unlike cached passwords
  • downside => fairly new

Other

Bcrypt

  • a crypto-algorithm for generating secure password hashes and the like
  • crypto algorithms many times judged on the increase and decrease in CPU resource costs when generating hashes for security
  • bcrypt-ruby gem

Lessons

  • don’t roll your own authentication framework, leave it to the professionals
  • don’t do your own crypto
  • if the app is big, really security conscious….split admin concerns
  • create a separate admin application…don’t expose www.domain.com/admin to public
  • TEST
  • if you can…hire somebody to audit your authentication system and try to break into your app, a team of security experts preferably
  • don’t just take the plugin, install it, and assume it’s secure
  • when in doubt, ask for help from plugin creators, mailing lists, and the like

###

Are there any other systems that you use for rails authentication or single sign-on?  Add your favs in the comments!

2 Comments

Settor71

October 22, 2009

arrow

NPR itself has long been accused of having a liberal bias, though the network states that it reflects a diversity of views. ,

Settor44

October 23, 2009

arrow

What is contained in an ATA carnet document? ,

Leave a Reply

Your Name: (required)

Your Email: (will not be published) (required)

Your Website:

Your Message:

submit comment