Forum: Ruby on Rails one authentication for multiple rails apps

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Josh K. (Guest)
on 2006-04-27 00:34
i am in the process of taking all of our php applications for the
company i work for and rewriting them in ruby on rails. just to help
with username and password management, i had a program where we could
create a user and then assign what other programs they had access to, so
that they would only have to log in at one place and have access to all
of the software.

i'm not sure of the right approach for moving this over. i don't know if
it would be better to have everything inside one giant ruby on rails
app, or if i can keep it so that everything has it's own individual
program, including an application to manage users and what they have
been given access to.

i would prefer the later just because it seems like it would be easier
to manage because it is more modular, but i'm open to any other
suggestions.

thanks
Bryan D. (Guest)
on 2006-04-27 00:38
Josh K. wrote:
> i am in the process of taking all of our php applications for the
> company i work for and rewriting them in ruby on rails. just to help
> with username and password management, i had a program where we could
> create a user and then assign what other programs they had access to, so
> that they would only have to log in at one place and have access to all
> of the software.
>
> i'm not sure of the right approach for moving this over. i don't know if
> it would be better to have everything inside one giant ruby on rails
> app, or if i can keep it so that everything has it's own individual
> program, including an application to manage users and what they have
> been given access to.
>
> i would prefer the later just because it seems like it would be easier
> to manage because it is more modular, but i'm open to any other
> suggestions.
>
> thanks

I'd put it all together. Just because they're in one "giant" app does
not mean that they're unmanageable. It would really simplify
authentication stuff, too. Instead of keeping auth data in a separate db
or something, it's natively already right where you need it.

The only argument for real separation would be if the different apps are
really and truly not related. Then you could just use LDAP as your
authentication store, and it wouldn't be really hard at all.
Josh K. (Guest)
on 2006-04-27 00:48
> The only argument for real separation would be if the different apps are
> really and truly not related. Then you could just use LDAP as your
> authentication store, and it wouldn't be really hard at all.

yeah, i did some searching on google and found information about LDAP.
where can i get more information on that? most of our users are on mac
too - does it matter what OS they are using when they access the app?

another idea i had was keeping several different rails apps, but having
them all use the same database, just different tables. that way they
would all have access to the users and session information.
Blake L. (Guest)
on 2006-04-27 01:15
Josh,
    I'm a ruby newbie, but I do know something about authentication and
authorization. The biggest thing people need to realize is that they are
two separate problems with two seperate solutions. Use one mechanism to
authenticate your user and a second mechanism to authorize the user for
the specific application.
    Once you know who a user is, you don't have to do that again. You
just need to figure out what to give her access to.
    With AD and LDAP the user can be in multiple groups. You can
retrieve the group membership for a user and make access available based
on group membership. Your management of people/groups can be put off
onto AD or LDAP.
    If your using apache, you can let apache handle authentication. Then
your application can get the username from apache and make decision on
authorization. Apache can do ldap, kerberos, ad and more.
--
Blake C. Lewis
Josh K. (Guest)
on 2006-04-28 19:29
i'm still trying to figure out the best way to do this. all of the apps
i want to use are completely unrelated. i still want to keep everything
separate, so here's what i've thought - please tell me if this idea is
completely ridiculous.

everything would have it's own rails app, and it's own database. each
app would have a standard table for the user information. and in the
user management application, i would have a table for all of the other
apps. in the table, i thought about having a field for the name of the
database that the application is using, so that when you create a user,
it will create it in both applications. the same for user deletions. not
everyone has access to every app, so it would only create a user in the
apps user table when the user is assigned to that application.

then, when that user logs in, he or she will get a list of applications
that they have access to. clicking on each one should then pass the
login information to that app automatically so they can use it.

i hope that makes sense to someone out there. it's kind of confusing
myself, but i really need to come up with a solution for this really
soon.

thanks for your help,
josh
Wilson B. (Guest)
on 2006-04-28 22:36
(Received via mailing list)
On 4/28/06, Josh K. <removed_email_address@domain.invalid> wrote:
> it will create it in both applications. the same for user deletions. not
>
> thanks for your help,
> josh
>

You might want to consider using CAS, which has a Ruby / Rails client
interface:
http://www.ja-sig.org/products/cas/

It's pretty lightweight, as such things go, and is designed for this
type of task.
This topic is locked and can not be replied to.