I am pretty new to RoR development and newer to LocomotiveCMS...that said, I am trying to build a relatively simple site with LocomotiveCMS. Ideally, I would like to restrict the entire site from anonymous users, and then extend the roles as read-only, contribute, admin, etc. I see that Locomotive uses devise for authentication for /admin. Is there a way to restrict access to only authenticated users?
The easiest way to do this would be to make every page unpublished. Users would then have to be logged into the CMS to be able to see any of the pages.
This PR adds a switch in page settings for restriction of anonymous users.
Related
I am creating a single user CMS application and I want to keep authentication lightweight so I don't need a full blown authentication system.
My admin section will have custom admin pages that I will create to update the db, write content, and I will also maybe even use the admin gem for some things.
I just want to lock down these protected pages.
Any simple yet secure options out there?
You might like this clearance. It is a full-power authentication, yet still very lightweight.
I am trying to get Sitefinity to work with MVC and JQuery Mobile and am having many issues....
The current issue is that I need to have users authenticate to access parts of the application. This authentication needs to be with an external service, the users logging into the front end will not be in the Sitefinity user base. I also need to have users who can log into the back-end to update the content, these users will be managed by Sitefinity.
To secure pages in MVC I add an authorize attribute on the controller. This needs to confirm the users on the front end have been authenticated by the external service, but still allow users logged into the back end to be able to update content.
This is not working; when I hit the page with the authorize attribute on the front end, it tries to take me to the Sitefinity login. Has anyone found a way to make this work?
Well, I have a way to do it now, but I'm not all that excited with it...
I heard back from Sitefinity support and was given a few different ways to do this.
1) Create my own custom AuthorizeUser attribute, save the values when I authenticate to the session of a cookie, check for that value on the attribute...basically rewrite all the Authenticate functionality myself. - I'd really like to keep the Authenticate functionality as much as possible so I don't think I will do this.
2) Create a Custom Membership Provider, add this to the Sitefinity backend as a valid membership provider. This would be a good solution if I was wanting to store my users in a database and validate/update them. But, I am only validating against a service.
3) Create a dummy user in the Sitefinity backend with no access and definitely no backend access or admin access. After authenticating to my service, if all is good, then log into this user from the code. After this the [Authenticate] attribute finds that this user is logged in, so all is good. As I do not need to check roles or claims in my app, just that a user is logged in, this may work. It seems pretty ugly to me, but I am assured that as long as the user does not have backend access or admin access it will not count towards concurrent users, and many, many users can be logged in as the same user.
I will go forward with option 3 and see how it goes and if I can get it past the architecture team.
Here is the link where I found option 3, with some more info:
http://www.sitefinity.com/developer-network/forums/sitefinity-sdk/custom-authentication
James!
Not sure, but I think your 3rd party service should use the Sitefinity Single Sign On.
Maybe the following help topic on how to set up Sitefinity single sign on will be helpful:
http://www.sitefinity.com/documentation/documentationarticles/authentication-models-overview
I'm working on an MVC4 site using SimpleMembership to handle user accounts and role based authentication. We have another site and we'd like to implement a single sign on system allowing users from the existing site to log in to the one I am building. What would be the best way to achieve this and hopefully leverage the existing roles based authorization I'm using on the MVC4 site? Is it possible to have multiple membership providers (i.e. use the built in one and if the user is not found, attempt to authenticate via a custom provider that I'll write (once I work out how!))? Or would it be better to abandon the built in membership/roles and roll my own?
I also thought of letting WebSecurity check the local database and if the user is not found, query the 2nd database and if the users credentials are valid, create a local account for them. One issue with this approach is if a user called Fred registers on the MVC site, and then a user from the other site called Fred logs in, we couldn't create them a local account with the same username. We could prefix/suffix the username with some text to indicate that they are from the other site but then we lose the single sign on feature.
We will also want to integrate AD authentication for staff in the future.
So essentially I'm looking for the best way to authenticate users from multiple databases and keep using roles based authentication?
I've also done a little digging and was wondering if ADFS might be useful for this.
Any help or advice would be greatly appreciated!
I recommend the use of an Identity server to handle all your login requests and switching to claim based authentication instead of role based authentication if you can.
I personally went with Thinktecture IdentityServer.
pluralsight.com have a good course on it.
Thinktecture IdentityServer is built on top of SimpleMembership and it supports multiple protocols such as:
WS-Federation
WS-Trust
OpenID Connect
OAuth2
ADFS Integration
Simple HTTP
I recommend checking it out.
Good Luck
We're building a Rails 3 web application that will need to authorize and authenticate regular users who visit the site. Those same users may also use third-party applications to access the site via our API.
What approaches can we use to effectively and cleanly provide access to clients as well as users? What strategies have you used in your own Rails applications that also have RESTful APIs?
Ideally, we're after a solution which:
plays well with Devise and CanCan (which we already use for authn/authz)
plays well with Mongoid
doesn't pollute our controllers
is relatively simple to install and configure, if it's a gem or plugin
is easily testable, if it's a general strategy; or is already tested, if it's a gem or plugin
Since you're already using Devise, take a look at the token_authenticatable strategy (Add it to your user model and make sure the devise init reflects whatever you call the token param).
You'll want to add: "before_save :ensure_authentication_token" to your user model as well (assuming you don't want it to be single use).
Just provide your users with their tokens on, say, their profile page or wherever. Call it an API token if you like.
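The persistent-token scheme described in this answer, as an added example in plain Ruby (not code from the post and not Devise's own implementation). `ApiUser`, `secure_token_equal?` and `authenticate_by_token` are hypothetical names; the point is that the token is generated only when missing, compared without an early exit, and that a blank parameter never matches a user who has no token yet.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical plain-Ruby stand-in for the Devise user model.
class ApiUser
  attr_reader :email, :authentication_token

  def initialize(email)
    @email = email
    @authentication_token = nil
  end

  # Mirrors the before_save hook: generate a token only when none exists,
  # so the token stays valid across saves (not single use).
  def ensure_authentication_token
    @authentication_token ||= SecureRandom.urlsafe_base64(32)
  end

  # Rotation, e.g. after a suspected leak; the old token stops working.
  def reset_authentication_token!
    @authentication_token = SecureRandom.urlsafe_base64(32)
  end
end

# Compare fixed-length digests without an early exit, so timing does not
# reveal how many leading characters of a guess were right.
def secure_token_equal?(a, b)
  diff = 0
  Digest::SHA256.digest(a).bytes.zip(Digest::SHA256.digest(b).bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns the matching user or nil. A missing or blank parameter never
# matches, even when some users have no token yet.
def authenticate_by_token(users, presented)
  return nil if presented.nil? || presented.empty?
  users.find do |u|
    u.authentication_token && secure_token_equal?(u.authentication_token, presented)
  end
end

# Constructed sample data: alice has a token, bob has never been saved.
alice = ApiUser.new('alice@example.test')
bob = ApiUser.new('bob@example.test')
token = alice.ensure_authentication_token
puts authenticate_by_token([alice, bob], token).email
puts authenticate_by_token([alice, bob], nil).inspect
```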
I have a simple record system in Rails; it has customers, appointments and visits as models,
with visits and appointments belonging to customer.
I want a simple authentication plug-in for the owner of the application, to be able to log in and edit and create new data in the system (administrator user) and be able to add new admin users to be able to log in to the system.
A plus would be if the plug-in allowed the admin user to also create customer accounts for customers to be able to go online and check their own customer profile, appointments and visits details.
So basically an authentication plug-in for a super user and a limited user (to view their own profiles).
I don't want anything too fancy to be honest, like sending a verification email etc.
Thanks
Check out Devise:
http://github.com/plataformatec/devise
There are a couple of Railscasts on it:
http://railscasts.com/episodes/209-introducing-devise
For role-based auth you can combine Devise with CanCan:
http://railscasts.com/episodes/192-authorization-with-cancan
http://gist.github.com/389299
http://railscasts.com/episodes/210-customizing-devise
I have a plugin for doing simple Role-based Access Control:
http://github.com/heavysixer/rolesystem
If you need simple
Check out: http://code.google.com/p/rolerequirement/
Use that with the restful-authentication plugin
I use it in 2-3 projects and it works great; I even did some hacking to enable LDAP authentication too.