Rails: Authorization with Authlogic - ruby-on-rails

I need a very granular authorization system that works seamlessly with Authlogic.
I've tried these gems/plugins so far:
Lockdown
rails_authorization_plugin
ACL9
I've also looked at, but not tried implementing:
Padlock
I've searched around for a good tutorial detailing how to set up any of these with Authlogic in a way that makes sense (only the Lockdown doc seems to outline how to set this up with Authlogic), but have come up with next to nothing. The only one of these that made the remotest sense to me was the documentation for Lockdown, but I don't think that package will work for me (from what I understand of it).
What I'd really love is a good tutorial specifically about setting one of these authorization solutions up with Authlogic, or else a simple example application where I can see how the code comes together and works. Can anyone point me to any good step-by-step (and why) resources, or else provide a simple application with one of these authorization solutions set up on top of Authlogic?

Yay! As of Nov. 16, 2009, Ryan Bates has finally answered my call with a Railscast devoted to this subject!
#188 - Declarative Authorization (with Authlogic)
Thanks, Mr. Bates!

I think you have a typo in your first sentence. You must mean "authorization that works seamlessly with Authlogic." AuthLogic already is an authentication solution.
I think you might be struggling to find a tutorial that's specific to AuthLogic because there's no reason authorization and authentication need to be tightly coupled to one another.
Authentication answers the question: "Who is the person accessing this page?"
Authorization answers the question: "What permissions does the person accessing this page have?"
So the only thing your authorization needs from Authlogic is the current_user() method from your controller. For example, take the tutorial for Acl9 (http://github.com/be9/acl9/tree/master). I believe all you'll need to customize is the :subject_method part (Acl9 calls your active user the 'subject', so :subject_method needs to be set to the name of the method that returns the current user, which is :current_user if you followed the basic AuthLogic docs).
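As an added example of the decoupling described above (not code from the original answers, nor from Acl9 or Authlogic): a plain-Ruby role-based authorization mixin whose only dependency on the authentication layer is a configurable subject method that returns the current user, in the spirit of Acl9's :subject_method. The User struct, rule table and ArticlesController stand-in are constructed for illustration; a session lookup is replaced by a stubbed current_user.

```ruby
# Constructed stand-in for an Authlogic-backed user record.
User = Struct.new(:login, :roles)

# Hypothetical authorization mixin: rules map an action/resource pair to
# the roles allowed to perform it; anything not listed is denied by default.
module RoleAuthorization
  RULES = {
    [:read,   :article] => %i[guest user admin],
    [:create, :article] => %i[user admin],
    [:delete, :article] => %i[admin],
  }.freeze

  class AccessDenied < StandardError; end

  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Name of the controller method that returns the authenticated user
    # (:current_user if you followed the Authlogic docs).
    def subject_method(name = nil)
      @subject_method = name if name
      @subject_method || :current_user
    end
  end

  # True only when one of the subject's roles is listed for this action.
  def permitted?(action, resource)
    subject = send(self.class.subject_method)
    roles = subject ? subject.roles : [:guest] # anonymous visitor => guest
    (roles & RULES.fetch([action, resource], [])).any?
  end

  # Controller-style guard: raise instead of silently continuing.
  def authorize!(action, resource)
    raise AccessDenied, "#{action} #{resource}" unless permitted?(action, resource)
    true
  end
end

# Constructed stand-in for a Rails controller; current_user is stubbed.
class ArticlesController
  include RoleAuthorization
  subject_method :current_user

  def initialize(user) = @user = user
  def current_user = @user
end

def can?(user, action, resource)
  ArticlesController.new(user).permitted?(action, resource)
end
```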

Related

When to use Devise vs. Creating my own Authentication

As stated in the title, when should devise be used and when should I, instead, implement my own authentication. In essence, I'm wondering whether the created authentications in some tutorials (such as this one) are secure and safe.
If I don't need email confirmation, recoverability, etc. (a lot of the "jazz" associated with Devise), would the account information be just as secure as if I created my own?
If you still may be confused by what answer I'm looking for – is Devise something you should use whenever possible/whenever you have accounts? Or should it really be a decision?
Note: I'm not specifically referring to Devise, any authentication gems may be replaced.
implement my own authentication
Anytime you start thinking whether you should create your own authentication, you need to stop. Take that idea, shred it, douse it with gasoline, and burn it!
Authentication is hard. There are subtleties that exist in authentication and developers that are used to CRUD style programming are going to miss them. This isn't meant to be an insult. I am one of those programmers, and I work in security. Recognize your strengths and weaknesses.
Devise (and most popular authentication frameworks) have had thousands of hours of code review, design, testing, and time in production versus the framework that you're going to roll yourself.
I wrote a blog post about a "smart" security feature that actually made a company's security worse. This is a good example of how subtle authentication and security can be!
I used to use gems like Devise until Rails added the has_secure_password to ActiveRecord. Now I always roll my own since in the end I always need some custom stuff that makes it hard to implement in an existing library.
Ryan Bates has an excellent video on just this topic here.
In my opinion you should decide it according to your project. If you are working on a small web service with minimalistic functionality you can add your own auth using instruments provided by Rails. But if you are working on a so-called "enterprise", big project with fast-growing functionality you should definitely use devise, since with this gem you will not spend time on building existing auth features; it is very easy to maintain and secure.

Rails OpenId (more or less) from scratch

I'm looking for a nice, customisable way to authenticate users via OpenID. I'm using sorcery and so far it works like a charm: it has support for email-based login and OAuth-based login. However, it has no support for OpenID, and I wouldn't like to use existing authentication gems like Omniauth and the likes. I also find Ryan Bates' tutorial a bit outdated. Note that I also did some search on this topic on SO. All rants date to 2009, and I fear that implementation may not work (I also want to avoid another trial-and-error spike testing).
Any suggestions?
I've been working on GlitterGallery. I remember struggling with old docs and had blogged about the route I took to make OpenID login work. You might be interested to look it up here. I'm not sure if there's anything better available now, but I'll be coming back and I'll update the post accordingly; cheers!

Authentication in Rails, where to start?

I'm learning Rails by building apps.
I want to make my first authenticated app: users signup, login, do some changes in models they have access to and logout.
I did the Google search but it is quite confusing: many plugins, many tutorials. Don't know where to start.
Is there a state-of-the-art authentication method for Rails? What do you use in Production to authenticate your users?
Any help in this will be helpful. Thanks
I've used authlogic in the past and have been quite happy with it. Ryan has a railscast (video tutorial) for authlogic here.
+1 to Jason, -1 to NSD and sparky. Authentication system is not the thing you want to build yourself, at least if you're aiming for production use. It's like inventing your own encryption algorithm - it's a lot more safe to use something extensively tested and well-developed.
I've also been using authlogic, but there are some alternatives over there - like the good old restful authentication, and devise, which I guess is more modern so to speak. BTW the two latest railscasts are devoted to devise.
If your application is simple and you just want a simple and secure user login page you might want to look into the Restful Authentication plugin. It's very easy to use and if you don't have many authentication requirements this should do fine.
script/plugin install git://github.com/technoweenie/restful-authentication.git
script/generate authenticated user sessions
rake db:migrate
You can find out more by checking out this excellent railscast.
As a beginner I would recommend Restful Authentication as it's simple to set up and will get you up and running in no time.
Following is a step by step guide:
http://avnetlabs.com/rails/restful-authentication-with-rails-2
and authlogic (http://github.com/binarylogic/authlogic) is another great plug-in which is more flexible but requires some work to implement user registration and stuff.
cheers,
sameera
One man's state-of-the-art authentication system is another man's worthless pile of garbage. You're almost always better off rolling your own in the long run. O'Reilly's Ruby Cookbook has some extremely basic examples that will set you off in the right general direction, then you can decide whether or not other people's solutions are right for you.
I would agree with NSD. Figuring out the plugins and how they should mesh with your application took me longer than creating an auth system in my latest application.
My tips - create a user_sessions controller and use normal CRUD methods to handle creating/destroying (ie logging in & out). Create another model for the user - it can handle create accounts & updating (ie changing passwords). Stick a :before_filter on each controller which needs protection.

Rails Authentication

Hey, I need some help with Rails, again! Last time it was about Authlogic.. Well, I've gone a bit backward since.. I mean, Authlogic isn't an authentication system I like.. So now I want you guys to tell me what you think is the best!
I'm going to use it in a project of mine, where there have to be a few roles like Admin, User and Guest.. So maybe you guys can tell me what is good and what is bad..?
You need to split authentication from authorization.
Authentication covers the login/logout process. Authorization is directly linked to permission to see/use resources.
Authlogic is a very good authentication gem.
For authorization you can check CanCan from Ryan Bates, which is very simple to integrate with authlogic (just a single file in the models folder called ability.rb in which you configure all the app authorizations).
EDIT: You can also go with a simpler solution but you will lose flexibility
I used Devise and it worked quite well, however it did not meet my needs...
What you might need however looks like something super simple, something like this: http://railscasts.com/episodes/21-super-simple-authentication
I use Authlogic for authentication and DocSavage's Rails Authorisation plug-in for authorisation needs. It's a simple yet powerful plug-in.
Rails authorisation plug-in: http://github.com/DocSavage/rails-authorization-plugin

(Ruby,Rails) Role-based authentication and user management...?

I'm looking for a quality Administrative plugin for Rails. It seems that most of the existing plugins/gems (e.g. "restful_authentication", "acts_as_authenticated") revolve around self-signup, etc. However, I'm looking for a full-featured Administrative/Management role-based type of solution -- but not one that's simply tacked on to another non-role-based solution.
If I can't find one, I suppose I'll roll my own...just wasn't looking to re-invent the wheel.
Ryan Bates has recently made two railscasts on authorization (note the difference between authentication and authorization; authentication checks if a user is who she says she is, authorization checks if the user has access to a resource). Episode #188 is on declarative_authorization, which is a really powerful authorization plugin. Episode #192 (sorry, I don't have enough reputation to link to it) is about Ryan Bates' own CanCan plugin, which is a much simpler plugin, but it would still work for most apps.
There are a few out there. I have used:
http://github.com/DocSavage/rails-authorization-plugin/ for applications before in conjunction with restful_authentication, but I believe it will work with any authentication that gives you a current_user method. On github there is also http://github.com/mdarby/restful_acl/ and http://github.com/danryan/role_model/; they are just role based stuff though, I'd say, not authentication as well.
The authentication and the access control role based stuff are all available as separate plugins/gems to the best of my knowledge, and that's a good thing as they are different beasts. Not all apps that have authentication need to have ACL type stuff, and even some that do only need a really simple "am I an admin" kind of thing rather than a full blown user roles thing. So I'd say if you want one that does it all you'll have to write it; if you don't want to do that then I'd say a combination of either Authlogic or restful_authentication with one of the authorization plugins will do the trick quite nicely.
You might check out the links in "Which Rails plug in is best for role based permission?".
None of the solutions listed there seem very appealing to me. The top contender, role_requirement apparently requires restful_authentication, but I find AuthLogic much better designed and less intrusive. The others listed seem to not be very actively maintained.