Being a Rails newbie, I started to design our first Rails-based webapp. This app should not only be used via browsers, but we also want to provide a (RESTful) API. I love the 'convention over configuration' paradigm, but am totally clueless on what to do when it comes to user authentication. Is there THE Rails way of doing this?

I found many excellent gems and plugins, such as AAA or thoughtbot's Clearance. However, I keep asking myself, why not just use HTTP (digest) authentication? I may be missing something, but why do big players such as Facebook implement their own (token- and secret-based) scheme?

What are you guys using? What is your favorite gem/plugin for user auth?
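The "token- and secret-based" scheme the question contrasts with HTTP Digest, shown as an added example in plain Ruby (standard library only, not Rails-specific and not code from any poster): the client proves possession of a per-client secret with an HMAC over the request, so the secret itself never crosses the wire, and the server only has to store that secret rather than the password-equivalent MD5(user:realm:password) value that Digest authentication requires it to keep. The API key, secret, header names and request values below are all constructed for the example.

```ruby
require "openssl"

# Constructed sample credential store: a public API key identifying the client and a
# secret that is shared out of band and never sent in a request. In a real app the
# secret would be stored per user/client; the value here is made up for the example.
API_CLIENTS = {
  "client-123" => "constructed-secret-only-for-this-example"
}.freeze

# Both sides sign the same canonical description of the request so that the method,
# path, timestamp and body are all covered by the signature.
def canonical_string(method, path, timestamp, body)
  body_digest = OpenSSL::Digest::SHA256.hexdigest(body.to_s)
  [method.to_s.upcase, path, timestamp.to_s, body_digest].join("\n")
end

# Client side: produce the headers that accompany a request. Only the key, the
# timestamp and the HMAC travel over the wire; the secret stays on the client.
def sign_request(api_key, secret, method, path, timestamp, body)
  data = canonical_string(method, path, timestamp, body)
  signature = OpenSSL::HMAC.hexdigest("SHA256", secret, data)
  {
    "X-Api-Key"   => api_key,
    "X-Timestamp" => timestamp.to_s,
    "X-Signature" => signature
  }
end

# Constant-time comparison so that the time taken to reject a bad signature does not
# depend on how many leading characters happened to match.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Server side: look the secret up by key, recompute the HMAC over what was actually
# received, and reject requests whose timestamp is outside the allowed skew (this
# bounds how long a captured request could be replayed).
def verify_request(headers, method, path, body, now: Time.now.to_i, max_skew: 300)
  secret = API_CLIENTS[headers["X-Api-Key"]]
  return false if secret.nil?

  timestamp = headers["X-Timestamp"].to_i
  return false if (now - timestamp).abs > max_skew

  expected = OpenSSL::HMAC.hexdigest("SHA256", secret,
                                     canonical_string(method, path, timestamp, body))
  secure_equal?(expected, headers["X-Signature"].to_s)
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now.to_i
  body = '{"title":"hello"}'
  headers = sign_request("client-123", API_CLIENTS["client-123"], "POST", "/api/posts", now, body)
  puts "valid request:  #{verify_request(headers, 'POST', '/api/posts', body, now: now)}"
  puts "tampered body:  #{verify_request(headers, 'POST', '/api/posts', '{"title":"changed"}', now: now)}"
  puts "replayed later: #{verify_request(headers, 'POST', '/api/posts', body, now: now + 3600)}"
end
```

The timestamp window only narrows replay; a per-request nonce remembered server-side for the length of the window closes it. Whichever scheme is chosen, it still relies on TLS for confidentiality, since the HMAC protects integrity and origin of the request, not the body's secrecy.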
Here are my favorite two summary discussions along with a pointer to a general security site. For my work the distinction between authentication and authorization (user name and user role) is important. I use a combination of plugins and gems to fill my needs since I feel site security is one area of coding that clearly benefits from a large user base.

http://wiki.rubyonrails.org/howtos/authentication-authorization
http://www.vaporbase.com/postings/Authorization_in_Rails
http://www.rorsecurity.info/

On Sep 15, 6:25 am, phibo <pbolli...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> [original question quoted in full]
Hi Rick,

Thanks for the help, I read the sites with great interest! For my project, we won't need authorization; basic (but strong, i.e., bcrypt strong) authentication will do. Do you use any of these tools?

- Clearance
- restful-authentication
- Authlogic

I can't figure out which to use/try first by reading the respective docs.

Cheers,
phibo

On Sep 15, 1:43 pm, Rick <richard.t.ll...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> [Rick's reply, including the three links and the quoted original question, quoted in full]
phibo wrote:
> hi rick,
>
> thanks for the help, read the sites with great interest! for my
> project, we won't need authorization, basic (but strong, i.e., bcrypt
> strong) authentication will do. do you use either of these tools?
>
> - Clearance
> - restful-authentication
> - Authlogic
>
> I can't figure out which to use/try first by reading the resp. docs.

I haven't used Clearance, but based on my experience with the other two, I'd recommend Authlogic.

> cheers,
> phibo

Best,
--
Marnen Laibow-Koser
http://www.marnen.org
marnen-sbuyVjPbboAdnm+yROfE0A@public.gmane.org

--
Posted via http://www.ruby-forum.com/.
+1 for Authlogic (and if you want roles too try acl9)
Hongli Lai wrote a nice article about bcrypt, which might be helpful to you.
heimdull wrote:
> +1 for Authlogic (and if you want roles too try acl9)

I've been using rails_authorization for roles. I seem to recall that acl9 didn't seem like much last time I looked at it, but I've been hearing enough about it that I may have to take another look.

Best,
--
Marnen Laibow-Koser
http://www.marnen.org
marnen-sbuyVjPbboAdnm+yROfE0A@public.gmane.org