There is a blog about it:

http://www.realityforge.org/articles/2005/11/12/aaa_in_rails

There are so many Authentication/Authorization/Auditing generators now, just like the situation in Java's world. Too many components doing the same thing just confuse me. Why not add one to the Rails core lib and everybody can extend it for their requirements?
on 2005-12-21 04:50
on 2005-12-21 05:05
Or perhaps the authors of the generators could get together, decide on a "core" and provide extension points that build off of one code base?

--Ryan

----- Original Message -----
From: "cap" <firstname.lastname@example.org>
To: <email@example.com>
Sent: Tuesday, December 20, 2005 9:50 PM
Subject: [Rails] Too many login generators?
on 2005-12-21 06:59
On 12/20/05, cap <firstname.lastname@example.org> wrote:
> There is a blog about it:
>
> http://www.realityforge.org/articles/2005/11/12/aaa_in_rails
>
> There are so many Authentication/Authorization/Auditing generators now,
> just like the situation in Java's world. Too many components doing the
> same thing just confuse me. Why not add one to the Rails core lib and
> everybody can extend it for their requirements?

AAA is a domain-level problem, not an infrastructure one. The reason Rails core doesn't have this kind of framework is the same reason there are so many third party components for it: there's no single solution that suits most applications.

-- sam
on 2005-12-21 09:26
Very true... Is there any way we can generalize it into a standard interface, with multiple backbone implementations?

Having a core authentication mechanism is a really awesome (powerful) idea, but hard to generalize.

If we can make it so that they just snap in right out of the box... that is an improvement.

Thanks
Justin
on 2005-12-22 04:21
> If we can make it so that they just snap in right out of the
> box... that is an improvement.

It certainly takes people much smarter than us in the core team. As I've said many times before, I haven't even been able to abstract authentication and user schemes within 37signals. So I would step within a 100 miles of trying to extract something that could work for "most people, most of the time".

Note: This doesn't preclude that it can be done. Just that the creators of Rails are not skilled enough to do it.

--
David Heinemeier H.
http://www.loudthinking.com -- Broadcasting Brain
http://www.basecamphq.com -- Online project management
http://www.backpackit.com -- Personal information manager
http://www.rubyonrails.com -- Web-application framework
on 2005-12-22 12:41
David Heinemeier H. wrote:
> Note: This doesn't preclude that it can be done. Just that the
> creators of Rails are not skilled enough to do it.

Have you admired the presentations from MS about ASP 2.0 and all this kind of stuff? They have some huge overloaded class model which seems to provide authentication and "preference" features included as standard, but you can still wire it to any database model of your choice.

There *may* be some clues in how they do it in order to abstract something for inclusion in Rails. Of course it will never fit everyone's models exactly, but then again Rails has a function called "form" which generates a basic HTML form from a record and that will rarely suit everyone's taste either...

I think that having some "approved" auth functions in Rails would be a useful start - it would get more feedback and might help crystallise the "correct" model.

Probably the "answer" is something like a role based model with support for adding auth into the model objects as well as the controller. Currently this spans several topics on the wiki and would ideally be integrated into a single debugged framework.

I hope someone runs with this. As a beginner I really need an Auth class that I can just plug in. Of course I expect to drop it and rewrite it as the app grows, but it would be nice to make my mistakes quickly and easily from something fairly well debugged and supported on the Rails mailing list.

Ed W
on 2005-12-22 15:41
> I hope someone runs with this. As a beginner I really need an Auth
> class that I can just plug in. Of course I expect to drop it and
> rewrite it as the app grows, but it would be nice to make my mistakes
> quickly and easily from something fairly well debugged and supported on
> the Rails mailing list

May I humbly suggest the acts_as_authenticated generator? It's written with the assumption that you will generate it once and tweak it as necessary. All the code is generated as 'first class citizens' of your app, not hiding behind some library with a custom configuration scheme you have to learn. I hope that it can even serve as a little tutorial on how authentication should work in Rails. It's really just an updated version of xal's login_generator, which taught me a lot about Rails when I was just starting out.

  ./script/plugin discover # add the techno-weenie.net repository
  ./script/plugin install acts_as_authenticated

--
rick
http://techno-weenie.net
on 2005-12-22 18:17
Rick O. wrote:
> it as necessary. All the code is generated as 'first class citizens'
> of your app, not hiding behind some library with a custom
> configuration scheme you have to learn. I hope that it can even serve
> as a little tutorial on how authentication should work in Rails. It's
> really just an updated version of xal's login_generator, which taught
> me a lot about Rails when I was just starting out.

I agree that it's a very good start. I have just been browsing the code and haven't tried it yet.

For me it doesn't help me solve protecting the model (which is covered in some other ideas and basically boils down to some helper classes). It also would ideally be built around thinking in terms of roles as well as users. This still leaves the issue of row level security unsolved, but I haven't seen a good generic way to handle that anyway.

Why don't you consider merging some of the framework that helps secure the model into this framework? There was an interesting article about it on the Rails wiki?

Also I can't immediately see why you wouldn't want to make most of this an engine? Given that one wants to benefit from improvements in the helper methods, yet also override large chunks of code to fit the application at hand then this seems to be a good fit for an "engine"?

Looks really promising, congrats

Ed W
on 2006-04-06 00:27
I have the same problem as the original author - I'm looking for a simple login/auth system and wondering which of the many I should select. But let's face it, it's an embarrassment of riches, not really a problem.

So far the one I'm liking the best is ActiveRBAC.

https://activerbac.turingstudio.com/trac/wiki

I haven't used it (haven't used any) but I have read its documentation. That alone is enough to make it my first choice: it has documentation! Not just RDOC, but a readable pdf which starts with a tutorial. Good work ActiveRBAC people.

Has anyone tried this? How does it compare with other such plugins, engines, generators?

I also saw this attempt, but it seems a bit younger and more general, though more powerful.

http://www.billkatz.com/authorization

I don't like the fact that the latter invents a DSL that is not written in Ruby (it's parsed by Ruby code - but with everything else in Rails 100% Ruby I think the author could have been a little less fastidious in their syntax).

Anyway, I'd like to hear what David HH has to say about auth schemes he's seen and those he's worked on: What are the big differences between the various 37 signals apps' auth schemes? What do you think of ActiveRBAC? I note that it's implemented as a "Rails Engine" and there seems to be some discussion about that approach.
on 2006-04-06 06:22
I totally agree with DHH on this one. As someone that has used .NET's auth scheme, both new and old (EL), you don't have to get into it very far to find out that there's one thing in there that causes you problems. You spend so much time trying to work around this one issue that in the end you would have had a better implementation and something much more maintainable by just doing it from scratch.

Somehow I never learn and I experienced exactly this situation on a recent project. First the Profiles didn't work the way we needed, and then their auth scheme wasn't quite enough to satisfy the client, and then...

These types of things are great, or perceived as great, when you're just starting out, but in the end it's a "you can't get there from here" type scenario. I think the type of thing that Rick O. is doing (act as authenticated) is a much better starter if you need a kick in the pants.

Michael
on 2006-04-06 17:58
On Wed, Apr 05, 2006 at 10:27:23PM +0200, rhubarb wrote:
> I have the same problem as the original author - I'm looking for a simple
> login/auth system and wondering which of the many I should select.

I'm pondering the same thing myself. I'm new to Rails and I'm working on converting my personal web site and a local canine agility group's web site from PHP to Rails. I've been planning to move from PHP to something better for quite a while now. I've looked at numerous options and fortunately at some point I came across Rails. The more I dig into Rails the more excited I get about leaving PHP behind. There are many, many features that I've put off adding to my sites while searching for an alternative to PHP. Now every time I turn around it seems I'm finding another Rails feature, plugin, generator, or engine to help implement features I want to add.

> So far the one I'm liking the best is ActiveRBAC.
>
> https://activerbac.turingstudio.com/trac/wiki
>
> I haven't used it (haven't used any) but I have read its documentation.
> That alone is enough to make it my first choice: it has documentation!
> Not just RDOC, but a readable pdf which starts with a tutorial. Good work
> ActiveRBAC people.

Your post is the first I heard of ActiveRBAC. I have to agree with you. The documentation gets an A in my book. Being new to Rails the tutorial section in the manual is a definite plus for me. And, the name makes me feel right at home. I work as an IBM mainframe operator. IBM loves acronyms. The shop I work in uses RACF (Resource Access Control Facility).

> Has anyone tried this? How does it compare with other such plugins,
> engines, generators?

I would also like to hear from more experienced Rails folks about how ActiveRBAC compares to other such plugins, engines, and/or generators. I certainly don't want to base my choice for something as important as an authentication system on good documentation alone.

Kevin
http://www.RawFedDogs.net
http://www.WacoAgilityGroup.org
Bruceville, TX
on 2006-04-07 17:53
Rails Enthusiasts,

On Thu, Apr 06, 2006 at 08:55:27AM -0500, Kevin M. wrote:
> I would also like to hear from more experienced Rails folks about how
> ActiveRBAC compares to other such plugins, engines, and/or generators. I
> certainly don't want to base my choice for something as important as an
> authentication system on good documentation alone.

Well, I guess I'll have to answer my own post. As I suspected ActiveRBAC's documentation was too good to be true. I tried following the ActiveRBAC tutorial on both Rails 1.0.0 and 1.1.0 without success.

After trying ActiveRBAC I gave acts_as_authenticated a try. Its documentation is minimal but unlike ActiveRBAC it works. Works + minimal documentation beats great documentation + doesn't work hands down.

Then, I came across a few threads on the advantages of creating one's own custom authentication system over using a plugin/engine. Between the authentication examples in AWDWR and going through a little of acts_as_authenticated's code I think I'm feeling more confident about creating a custom authentication system for my web apps.

Kevin
http://www.RawFedDogs.net
http://www.WacoAgilityGroup.org
Bruceville, TX
on 2006-04-08 01:29
I came to exactly the same conclusion. I'm going to use acts_as_authenticated as a guide to implement login authentication, and I am going to use the chapter on role based authentication from the Rails Recipe Book to do my own RBAC. Liberally borrowing from ideas from the UserEngine, which I like but was too buggy to rely on.
on 2006-04-11 02:05
Well, unlike others, I got the ActiveRBAC tutorial to work just fine in Rails 1.0. I had an issue with it when I upgraded to Rails 1.1. The Login controller was barfing when trying to use the User model. After a few days, I found a blurb in the ARBAC wiki about putting in a model :user line into application.rb for another problem, so I tried that and that magically fixed it all, at least with the ARBAC demo.

I did post a bug about this, and there is a naming conflict within Active_RBAC that seems to expose itself in Rails 1.1 (from e-mails from a couple of ARBAC developers).

Now the next thing to work on is to explore registration (how does one get it to shoot out e-mails?) and groups.

Does anyone have any UML-ish diagrams of program flow in a typical Rails application? How does one model a Mix-in in UML?

-Corey