I have a Rails application running on a server. The application has user authentication implemented using Devise. I have files hosted on another server, and I want to be able to allow only authenticated (logged in) users within my application to download these files. Is this possible? Is there a nice Rails solution?
Thanks.
You are looking for an SSO mechanism.
This requires a single user manager app that can act as a Provider (OAuth2?) and different applications (or Clients) that can authenticate themselves using this same user manager.
See : http://codetheory.in/rails-devise-omniauth-sso/
Github : https://github.com/rishabhp/sso-rails-provider
Jeff
I have read through a ton of articles from MS on authentication through Azure AD. There are so many options and nothing I've read seems to solve my issue.
Here's the situation:
I have 3 different web applications (all ASP.NET MVC 5). They are all hosted internally in our network on the same server/IIS and use windows integrated authentication against our internal AD.
Let's call these applications App_A, App_B, and App_C.
App_A is located at appA.mydomain.com within our DNS
App_B is located at appB.mydomain.com within our DNS
App_C is located at appC.mydomain.com within our DNS
The use case is as such:
A user navigates to App_A, does some work, and is eventually redirected to App_B
The user does some work in App_B and is eventually redirected to App_C
The user does some work in App_C
When the user is on a domain-joined PC, they are never prompted to log in. Windows takes care of that for them through the integrated authentication.
Now, this is what happens when a user wants to do the same work on a non-domain device (such as an iPad) whether on VPN or connected to the internal WiFi:
When the user loads App_A they are prompted to log in and do so with their windows credentials
When they get to App_B, they are prompted again (different sub-domain)
And when they get to App_C, they are prompted again (different sub-domain)
Having to log in multiple times with the same Windows credentials is not the experience we want for our mobile users.
What we would like to have happen is have the mobile user log in one time when they hit App_A and not have to log in again when they hit App_B or App_C. As well, we would still like the users on domain-joined PCs not to have to log in at all as they are already authenticated to their machines.
Just for your information, we are also syncing our AD to Azure AD, so we have that to authenticate against if the solution requires it. I am looking for what I need to do to set up my MVC apps to allow this sort of authentication.
Any help you can provide with this would be GREATLY appreciated.
The scenario you describe should work by getting all apps to use Azure AD as shown in https://github.com/AzureADSamples/WebApp-OpenIDConnect-DotNet and by ensuring that they all skip the home realm discovery and go straight to your domain, as shown in http://www.cloudidentity.com/blog/2014/11/17/skipping-the-home-realm-discovery-page-in-azure-ad/
I have Rails app 1, and I want Rails app 2 to authenticate through Rails app 1. I wonder if that is possible?
I'm using Devise on both.
The reason behind this is that I have the main network app, which is app 1, and then the nodes of the network which are the other apps, I want all the nodes to be able to authenticate through the main app.
I'm already establishing authentication on each app using 1 main User-table from the main app, but now I just need to figure out how to share the session.
I have looked at the following questions, but they are doing it inside the same database, not across apps:
Rails sessions current practices
Sharing session across rails apps on different subdomains
I want to do exactly what this fellow wants to do:
Rails authentication strategy for noob
Navigate to rails app -->
redirect unauthenticated users to SSO server -->
login and authenticate via remote SSO server -->
callback/redirect to rails app -->
capture user info passed back from SSO server and load protected resources in rails app
UPDATE:
I think I can use this Rest-Client to authenticate through Rails app 1 on Rails app 2. No? Yea?
Maybe one of these articles will help you:
http://stderr.timfischbach.de/2013/09/14/rails-4-and-sinatra-session-sharing.html
http://robots.thoughtbot.com/how-to-share-a-session-between-sinatra-and-rails
They describe session sharing between Rack-based apps (Sinatra and Rails), but it will also work with two Rails apps.
The basic Authentication middleware is the Warden::Manager and you should only have one config.ru for both applications.
Additional hint:
Maybe you could use some other session store than a Database, like memcached, redis, couchbase or anything.
I have a Rails application running on nginx + unicorn and I want users to be able to log in with their Active Directory credentials. I've already implemented connecting to the AD server and authenticating users, but they need to enter passwords.
Is it possible to somehow get this information on this setup? I've found some topics about this problem, but they don't quite explain how to solve it, and most of the answers are for IIS servers.
I know that it probably can work only in Internet Explorer.
Signing in automatically is handled by the web server, not your application. Since you are using nginx, there are a couple of third party modules you can use, such as spnego-http-auth-nginx-module or nginx-mod-auth-kerb. IIS has support built-in, of course.
Once you've set up the web server, your application can retrieve the user's username from the REMOTE_USER environment variable. Internet Explorer will automatically log in; Firefox and Chrome will do so if they have been configured for the domain by the system administrator, but this is off by default.
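As an added illustration (not code from the answer above), here is a minimal Rack middleware showing how an app can consume the identity the web server negotiated: it reads the principal from the Rack env key the server populates (assumed here to be REMOTE_USER), accepts it only for the expected Kerberos realm (a constructed placeholder), and rejects the request otherwise. The user lookup callable and the realm name are assumptions, not part of the original answer.

```ruby
# Added example: trust the web-server-negotiated identity, never a client-supplied header.
module KerberosAuth
  # Constructed placeholder realm; replace with the realm your KDC actually issues.
  ALLOWED_REALM = 'CORP.EXAMPLE.COM'

  # Normalizes "jdoe@CORP.EXAMPLE.COM" (or an already-mapped "jdoe") to "jdoe".
  # Returns nil for an empty value, a foreign realm, or an unexpected character set.
  def self.parse_principal(remote_user)
    return nil if remote_user.nil? || remote_user.empty?
    name, realm = remote_user.split('@', 2)
    return nil unless realm.nil? || realm == ALLOWED_REALM
    return nil unless name =~ /\A[a-z0-9._-]+\z/i
    name.downcase
  end

  class Middleware
    # lookup: callable mapping a normalized account name to a user record (or nil).
    # env_key: the Rack env entry the front-end server sets (assumed REMOTE_USER).
    def initialize(app, lookup, env_key = 'REMOTE_USER')
      @app = app
      @lookup = lookup
      @env_key = env_key
    end

    def call(env)
      # Only the server-set variable is consulted; HTTP_* entries come from the
      # client and are ignored here, so a forged "Remote-User" header has no effect.
      name = KerberosAuth.parse_principal(env[@env_key])
      user = name && @lookup.call(name)
      return [401, { 'Content-Type' => 'text/plain' }, ['Unauthorized']] unless user

      env['kerberos.user'] = user   # downstream (e.g. a Devise strategy) reads this
      @app.call(env)
    end
  end
end
```

The same normalization is what you would wrap in a custom Warden strategy so Devise signs the user in without a password form.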
I have a windows desktop app (written in Delphi) that allows users to store and retrieve files.
The application stores these files in a single network shared folder (Active Directory).
The various users of the app do not all have permission to see all of the files; these permissions are controlled by the app.
Currently we have to allow every user of the app access to the shared folder, so a malicious user could find the directory and gain access to all of the files.
Is there a way that the app can act as a specific user such that only the "app as a user" and not each individual needs permission to the shared folder?
You need to either:
1) run the app as the desired user.
2) have your code programmatically impersonate the desired user, via LogonUser() and ImpersonateLoggedOnUser(), or other similar functions, before then accessing the shared folder. Don't forget to stop impersonating when you are finished using the folder.
Not directly, no. The app has exactly the same rights as its user has. That's part of the OS's security model. If I had to deal with something like this, I'd do it this way:
Create a second program that runs as a Service, and set it to run under a user account that has access to the shared folder. It should implement some sort of validation logic, and listen for incoming messages. (What exact method it uses for this is up to you, but you're essentially creating a server.)
Your desktop app runs under the limited user accounts. To request a file, it sends a message to the server, in which it identifies the user and the request it's making.
The server checks the request, and if it's valid, retrieves the file and passes it back to the user app. If not, it should return some sort of error message.
Not with standard file sharing -- the application is always going to be running in the security context of the logged-in user.
There are 2 obvious solutions I can see:
Work with the AD security and user accounts you already have in place to modify the rights to the files in the shared folder. This only works if the security in your application can be mapped to AD security objects already. If you need to allow for impersonation (e.g. An administrator "logging into" the app as himself or herself from another user session), then you're going to need to get very comfortable with the various Windows Security APIs.
Write a server-side component that will handle your application's authentication mechanism and provide file listings and content to the client.
It's possible that #2 could be implemented with something like WebDAV, FTP/SFTP/FTPS, or some other "already done" file transfer protocol that you can piggyback off of to save you some work.
I'm using a Ruby gem called Savon to interact with SharePoint 2010's UserProfileService Web Service. I'm getting an error: Attempted to perform an unauthorized operation. I used
client.wsse.credentials "username", "password"
to pass my credentials. Anyone know what permissions are needed to use the UserProfileService web service?
In SP 2007, the username/password you use will need to have the "Manage User Profiles" permission set in the Shared Service Provider (SSP). In SP 2010, I am not sure what the equivalent is since there is no longer an SSP, but a User Profile Service. I am sure there is something similar.
In Manage service applications in Central Admin, click on the User Profile Service, then click Permissions in the ribbon and add the user with Full Control permissions.