Forum: Ruby on Rails web service authentication

Josh K. (Guest)
on 2006-05-05 00:52
after almost a week of trial and error, i've finally got a hold of
creating a web service in rails. after all this time though, i'm still
not quite sure if i can make it work the way i want it to.

i was basically trying to create a login portal so that the users at our
company can have one place to login for all of our internal
applications. well, right now - i can have each of the apps pull the
user information from the user portal, but i don't know how to go the
other way around. basically i need to pass the user information to each
one of the apps, and forward the user to the location at the same time.
any ideas or help will be greatly appreciated.
Al E. (Guest)
on 2006-05-05 03:21
Josh K. wrote:
> after almost a week of trial and error, i've finally got a hold of
> creating a web service in rails. after all this time though, i'm still
> not quite sure if i can make it work the way i want it to.
>
> i was basically trying to create a login portal so that the users at our
> company can have one place to login for all of our internal
> applications. well, right now - i can have each of the apps pull the
> user information from the user portal, but i don't know how to go the
> other way around. basically i need to pass the user information to each
> one of the apps, and forward the user to the location at the same time.
> any ideas or help will be greatly appreciated.

You might want to have a look at http://openid.net . The OpenID system
sounds real close to what you want. In particular, you might be able to
modify the OpenID client and server code to get what you need.

Oh, and check out http://openprofile.net for my own extensions to the
OpenID protocol.

--Al Evans
Rodrigo D. (Guest)
on 2006-05-05 03:59
(Received via mailing list)
Yeah, I'm doing the same for my company.

This is my situation, there are three sectors in the company with web
applications:

WA = Web Application

Systems sector
  WA1
  WA2
  WA3
Development sector
  WA4
  WA5
  WA6
Portal sector (my sector)
  WA7

Basically, if you wanted to log in into WA1, you have to put a
user/password, and then, if you wanted to log into WA2, or WA4, or
whatever, you need to put another user/password.
My solution is to create a unified login service.
I'm creating a login application in rails, I have information about
every web application (the web name, the IP address, and encryption
keys).
Why encryption keys? Because in my company, everyone is crazy about
security (although you can hack anything at anytime), if you want to do
something, you have to promise that your solution is the most secure in
the world.
So I use RSA encryption, for every WA I have two pairs of public/private
keys, so in WA1 I encrypt the message with public key 1 and send it to
the login service, and in the login service I decipher with the private
key 1, and then, in the login service I encrypt again with the public
key 2 and then I decipher the message with private key 2.
I also have an IP filter, at first by iptables, and then in the web
services, in my login service I only accept connections for the IPs
where the WA are.
And now, the real thing, how do I ensure that if you log into WA1 with a
user/password, this one works with WA2?
Well, I just add a kind of backdoor into every web application... this
is an example:

* I go to WA1 in my explorer.
* I go to the login page.
* I put my user/password, WA1 encrypts the data and sends it to the login
  service, asks if the user is valid, the login service says to WA1
  "everything ok, it's the client number 7" so I let the user pass.
  In WA1, I show the user links to go into WA2, WA3, and WA5.
* The user clicks in the WA3 link.
* When the user clicked in WA3, he invoked the action redirect_to_WA(3),
  so I redirect the user to WA3, with his user and password encrypted, WA3
  automatically checks the user/password in the login service, everything's
  ok so the user is logged in with just one click.

My problem is in the last step, by now, I have to redirect the user with
a GET action, but actually, I'll have to redirect him with a POST
action, because the GET can be hold into the navigation memory, and I
don't want that the user store the user/password in his navigation's
memory, so, I'm working in the last step right now, trying to get the
user logged in into WA3 by an automatic post and not by an GET action.


Rodrigo D.
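The exchange Rodrigo describes (WA1 encrypts the credential check for the login service, the service decrypts it, checks the user, and encrypts its answer back for the WA, behind an IP filter), as an added example in plain Ruby with OpenSSL. This is not code from the thread or from any of the posters' applications. The key pairs, the 10.0.0.0/24 allow-list and the one-user database are constructed for the example, and the signature on each message is an addition of mine: RSA encryption with a public key lets anyone who has that key produce a valid-looking message, so the login service should also verify that the message really came from the WA it thinks it did.

```ruby
require 'openssl'
require 'json'
require 'ipaddr'

# Hypothetical key material, generated fresh on each run (constructed for this example).
WA_KEY    = OpenSSL::PKey::RSA.new(2048)   # key pair held by the web application (WA1)
LOGIN_KEY = OpenSSL::PKey::RSA.new(2048)   # key pair held by the login service

# The login service's IP filter: only these networks may call it (constructed sample).
ALLOWED_WA_NETS = [IPAddr.new("10.0.0.0/24")]

# Constructed user database of the login service: username => [password, client number]
USERS = { "josh" => ["s3cret", 7] }

OAEP   = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
DIGEST = OpenSSL::Digest.new("SHA256")

# Seal a message: encrypt it for the recipient, then sign the ciphertext with the
# sender's private key so the recipient can tell who sent it.
def seal(payload, sender_key, recipient_key)
  ciphertext = recipient_key.public_encrypt(JSON.generate(payload), OAEP)
  { ciphertext: ciphertext, signature: sender_key.sign(DIGEST, ciphertext) }
end

# Open a sealed message: check the signature first, only then decrypt.
# Returns nil when the signature does not match the expected sender.
def open_sealed(envelope, recipient_key, sender_pub)
  return nil unless sender_pub.verify(DIGEST, envelope[:signature], envelope[:ciphertext])
  JSON.parse(recipient_key.private_decrypt(envelope[:ciphertext], OAEP))
end

# Constant-time string comparison so a wrong password takes as long as a right one.
def same?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.reduce(0, :|).zero?
end

def allowed_ip?(source_ip)
  ALLOWED_WA_NETS.any? { |net| net.include?(IPAddr.new(source_ip)) }
end

# Login service side: IP filter, signature check, credential check. Always answers
# with a sealed reply for the WA; the reply carries the client number on success.
def login_service(envelope, source_ip)
  reply = { ok: false }
  if allowed_ip?(source_ip)
    msg = open_sealed(envelope, LOGIN_KEY, WA_KEY)
    stored = msg && USERS[msg["user"]]
    reply = { ok: true, client: stored[1] } if stored && same?(stored[0], msg["password"])
  end
  seal(reply, LOGIN_KEY, WA_KEY)
end

# WA1 side: one round trip to the login service. Returns the client number, or nil
# when the user is rejected, the IP is not allowed, or the reply is not from the service.
def wa_check_login(user, password, source_ip)
  envelope = seal({ user: user, password: password }, WA_KEY, LOGIN_KEY)
  reply = open_sealed(login_service(envelope, source_ip), WA_KEY, LOGIN_KEY)
  reply && reply["ok"] ? reply["client"] : nil
end

if __FILE__ == $0
  p wa_check_login("josh", "s3cret", "10.0.0.5")     # client number 7
  p wa_check_login("josh", "wrong", "10.0.0.5")      # nil
  p wa_check_login("josh", "s3cret", "192.168.1.9")  # nil, IP filter
end
```

With more than one WA the login service keeps one public key per application (Rodrigo's "information about every web application") and picks the verifying key by the WA's address; the signature check is what stops a message that merely knows the service's public key from being accepted as WA1's.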
Nick F. (Guest)
on 2006-05-05 04:11
(Received via mailing list)
If you're going to so much trouble you might as well meet the needs of
an SSO spec!

You could check out Shibboleth - http://shibboleth.internet2.edu/ .

Nick
Josh K. (Guest)
on 2006-05-05 15:27
Rodrigo D. wrote:

> My problem is in the last step, by now, I have to redirect the user with
> a GET action, but actually, I'll have to redirect him with a POST
> action, because the GET can be hold into the navigation memory, and I
> don't want that the user store the user/password in his navigation's
> memory, so, I'm working in the last step right now, trying to get the
> user logged in into WA3 by an automatic post and not by an GET action.

Rodrigo, I had actually thought this through and was leaning towards an
almost identical solution. that last little bit is the part that i
wasn't sure how to do. i have been reading about setting up drb so the
sessions can be shared, and then just storing the user_id in a shared
session over the network. then all the apps can use that to pull the
users specific information for that app through web services. i'm not
sure if that's the way things work though.

i may just pass it through a get request for now until i find something
better. if i think of something, i can let you know. i'd appreciate it
if you could do the same. thanks for your help.
Brian H. (Guest)
on 2006-05-05 22:10
(Received via mailing list)
Central Authentication Service is what we're using here.... It is a Java
application but there are ways to use the service from just about anything
and it is just so easy to use it in Rails.  It's kinda tricky to set up but
only because we're using a Microsoft Active Directory for our users.

http://www.ja-sig.org/products/cas/