Authentication Questions

aerospike · September 22, 2006, 2:25pm

Hi All… Apologies in advance if this isn’t the right group (but I
couldn’t find a rails specific one) anyway -

I think I am having a problem passing data around in my MVC.

I have a view that looks has this in the middle:


<%= form_tag :controller => "login", :action =>
"login" %>

DOMAIN\Username:
<%= text_field(:login, :username)
%>


Password:
<%= password_field(:login, :password)
%>





<%= end_form_tag %>

and here is my login_controller.rb


class LoginController < ApplicationController
before_filter :authorize, :except => [:login, :logout]
def login

if request.get?

session[:username] = nil

else

#get the username and password from the array

username = params[:login][:username]

password = params[:login][:password]

# Split username on domain and alias

split_username = params[:user][:name].split(’\’,2)

if split_username.length != 2

flash[:notice] = “You did not enter a properly formatted domain

and username”

redirect_to :action => ‘login’

else

# Authenticate username and password

domain = split_username[0]

username = split_username[1]

password = params[:user][:password]

if authenticate domain, username, password

# User has been authenticated

session[:username] = username

else

flash[:notice] = “Incorrect username or password”

redirect_to :action => ‘login’

end

end

end

end
def logout

session[:username] = nil

end
require ‘dl/win32’

LOGON32_LOGON_NETWORK = 3

LOGON32_PROVIDER_DEFAULT = 0

BOOL_SUCCESS = 1

AdvApi32 = DL.dlopen(“advapi32”)

Kernel32 = DL.dlopen(“kernel32”)
def authorize

redirect_to( :controller => ‘login’, :action => ‘login’ ) unless

logged_in?

end
def logged_in?

session[:username] != nil

end
def authenticate(domain, username, password)

# Load the DLL functions

logon_user = AdvApi32[‘LogonUser’, ‘ISSSIIp’]

close_handle = Kernel32[‘CloseHandle’, ‘IL’]
# Normalize username and domain
username = username.strip.downcase
domain = domain.strip.downcase

# Authenticate user
ptoken = "\0" * 4
r,rs = logon_user.call(username, domain, password,

LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, ptoken)

success = (r == BOOL_SUCCESS)
# Close impersonation token
token = ptoken.unpack('L')[0]
close_handle.call(token)

session[:username] = username
return success

end

end

At the top of my application.rb I have:


class ApplicationController < ActionController::Base
protected
def authorize
#changed from cookie to session
unless session[:username]
@session[:return_to] = @request.request_uri
redirect_to :controller => "login"
return false
end
end
end

So the filtering works fine, when I try to access a protected page, it
goes to my login.rhtml.

but when I login, It craps out on me with this:


NoMethodError in LoginController#login
You have a nil object when you didn’t expect it!

You might have expected an instance of Array.

The error occured while evaluating nil.[]
RAILS_ROOT: ./script/…/config/…

Application Trace | Framework Trace | Full Trace
#{RAILS_ROOT}/app/controllers/login_controller.rb:12:in `login’
c:/ruby/lib/ruby/gems/1.8/gems/actionpack-1.12.5/lib/action_controller/base.rb:941:in

perform_action_without_filters' c:/ruby/lib/ruby/gems/1.8/gems/actionpack-1.12.5/lib/action_controller/filters.rb:368:inperform_action_without_benchmark’

c:/ruby/lib/ruby/gems/1.8/gems/actionpack-1.12.5/lib/action_controller/benchmarking.rb:69:in

perform_action_without_rescue' c:/ruby/lib/ruby/1.8/benchmark.rb:293:inmeasure’

c:/ruby/lib/ruby/gems/1.8/gems/actionpack-1.12.5/lib/action_controller/benchmarking.rb:69:in

perform_action_without_rescue' c:/ruby/lib/ruby/gems/1.8/gems/actionpack-1.12.5/lib/action_controller/rescue.rb:82:inperform_action’

c:/ruby/lib/ruby/gems/1.8/gems/actionpack-1.12.5/lib/action_controller/base.rb:408:in

process_without_filters' c:/ruby/lib/ruby/gems/1.8/gems/actionpack-1.12.5/lib/action_controller/filters.rb:377:inprocess_without_session_management_support’

c:/ruby/lib/ruby/gems/1.8/gems/actionpack-1.12.5/lib/action_controller/session_management.rb:117:in

process' c:/ruby/lib/ruby/gems/1.8/gems/rails-1.1.6/lib/dispatcher.rb:38:indispatch’

c:/ruby/lib/ruby/gems/1.8/gems/rails-1.1.6/lib/webrick_server.rb:115:in

handle_dispatch' c:/ruby/lib/ruby/gems/1.8/gems/rails-1.1.6/lib/webrick_server.rb:81:inservice’

c:/ruby/lib/ruby/1.8/webrick/httpserver.rb:104:in service' c:/ruby/lib/ruby/1.8/webrick/httpserver.rb:65:inrun’

c:/ruby/lib/ruby/1.8/webrick/server.rb:173:in start_thread' c:/ruby/lib/ruby/1.8/webrick/server.rb:162:instart_thread’

c:/ruby/lib/ruby/1.8/webrick/server.rb:95:in start' c:/ruby/lib/ruby/1.8/webrick/server.rb:92:instart’

c:/ruby/lib/ruby/1.8/webrick/server.rb:23:in start' c:/ruby/lib/ruby/1.8/webrick/server.rb:82:instart’

c:/ruby/lib/ruby/gems/1.8/gems/rails-1.1.6/lib/webrick_server.rb:67:in

dispatch' c:/ruby/lib/ruby/gems/1.8/gems/rails-1.1.6/lib/commands/servers/webrick.rb:59 c:/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:21:inrequire’

c:/ruby/lib/ruby/gems/1.8/gems/activesupport-1.3.1/lib/active_support/dependencies.rb:147:in

require' c:/ruby/lib/ruby/gems/1.8/gems/rails-1.1.6/lib/commands/server.rb:30 c:/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:21:inrequire’

c:/ruby/lib/ruby/gems/1.8/gems/activesupport-1.3.1/lib/active_support/dependencies.rb:147:in

`require’

script/server:3
#{RAILS_ROOT}/app/controllers/login_controller.rb:12:in login' c:/ruby/lib/ruby/gems/1.8/gems/actionpack-1.12.5/lib/action_controller/base.rb:941:inperform_action_without_filters’

c:/ruby/lib/ruby/gems/1.8/gems/actionpack-1.12.5/lib/action_controller/filters.rb:368:in

perform_action_without_benchmark' c:/ruby/lib/ruby/gems/1.8/gems/actionpack-1.12.5/lib/action_controller/benchmarking.rb:69:inperform_action_without_rescue’

c:/ruby/lib/ruby/1.8/benchmark.rb:293:in measure' c:/ruby/lib/ruby/gems/1.8/gems/actionpack-1.12.5/lib/action_controller/benchmarking.rb:69:inperform_action_without_rescue’

c:/ruby/lib/ruby/gems/1.8/gems/actionpack-1.12.5/lib/action_controller/rescue.rb:82:in

perform_action' c:/ruby/lib/ruby/gems/1.8/gems/actionpack-1.12.5/lib/action_controller/base.rb:408:inprocess_without_filters’

c:/ruby/lib/ruby/gems/1.8/gems/actionpack-1.12.5/lib/action_controller/filters.rb:377:in

process_without_session_management_support' c:/ruby/lib/ruby/gems/1.8/gems/actionpack-1.12.5/lib/action_controller/session_management.rb:117:inprocess’

c:/ruby/lib/ruby/gems/1.8/gems/rails-1.1.6/lib/dispatcher.rb:38:in

dispatch' c:/ruby/lib/ruby/gems/1.8/gems/rails-1.1.6/lib/webrick_server.rb:115:inhandle_dispatch’

c:/ruby/lib/ruby/gems/1.8/gems/rails-1.1.6/lib/webrick_server.rb:81:in

service' c:/ruby/lib/ruby/1.8/webrick/httpserver.rb:104:inservice’

c:/ruby/lib/ruby/1.8/webrick/httpserver.rb:65:in run' c:/ruby/lib/ruby/1.8/webrick/server.rb:173:instart_thread’

c:/ruby/lib/ruby/1.8/webrick/server.rb:162:in start_thread' c:/ruby/lib/ruby/1.8/webrick/server.rb:95:instart’

c:/ruby/lib/ruby/1.8/webrick/server.rb:92:in start' c:/ruby/lib/ruby/1.8/webrick/server.rb:23:instart’

c:/ruby/lib/ruby/1.8/webrick/server.rb:82:in start' c:/ruby/lib/ruby/gems/1.8/gems/rails-1.1.6/lib/webrick_server.rb:67:indispatch’

c:/ruby/lib/ruby/gems/1.8/gems/rails-1.1.6/lib/commands/servers/webrick.rb:59

c:/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:21:in

require' c:/ruby/lib/ruby/gems/1.8/gems/activesupport-1.3.1/lib/active_support/dependencies.rb:147:inrequire’

c:/ruby/lib/ruby/gems/1.8/gems/rails-1.1.6/lib/commands/server.rb:30

c:/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:21:in

require' c:/ruby/lib/ruby/gems/1.8/gems/activesupport-1.3.1/lib/active_support/dependencies.rb:147:inrequire’

script/server:3
Request
Parameters: {“login”=>{“username”=>“test”, “password”=>“test”}}
Show session dump

:username:

secret_page:

:page: “2”

:sort: created_on

:sort_direction: asc

flash: !map:ActionController::Flash::FlashHash {}
:return_to: /secret_page
Response

Headers: {“cookie”=>[], “Cache-Control”=>“no-cache”}

I swear I think everything is correct, but it isn’t working. I don’t
have any rails guru’s around, so I thought that I’d risk getting
roasted and post it here.

aerospike · September 22, 2006, 3:54pm

aerospike wrote:

Hi All… Apologies in advance if this isn’t the right group (but I
couldn’t find a rails specific one) anyway -
This is a rails specific list/group

[snip]

      #get the username and password from the array
      username = params[:login][:username]
      password = params[:login][:password]
       # Split username on domain and alias
        split_username = params[:user][:name].split('\\',2)

[snip]

Parameters: {“login”=>{“username”=>“test”, “password”=>“test”}}

params[:user] is nil, so trying to access paramsp[:user]{:name] is
causing your error (I’m guessing you meant to type split_username =
username.split(’\’,2)

Fred

aerospike · September 22, 2006, 4:09pm

I don’t even know where to begin with this one… Make sure your form
fields match what you’re trying to read in. I see you using this in your
params list:

Read your error message and it basically tells you what you did wrong:

NoMethodError in LoginController#login

You have a nil object when you didn’t expect it!
You might have expected an instance of Array.
The error occured while evaluating nil.[]

RAILS_ROOT: ./script/…/config/…
Application Trace | Framework Trace | Full Trace

#{RAILS_ROOT}/app/controllers/login_controller.rb:12:in `login’

Line 12 is

split_username = params[:user][:name].split(’\’,2)

Look at your parameters coming in:

Parameters: {“login”=>{“username”=>“test”, “password”=>“test”}}

So you have params[:login] and params[:password]

But you’re splitting the domain like this:

     split_username = params[:user][:name].split('\\',2)

I think you want

split_username = params[:login].split("\")

params[:user][:name] doesn’t exist… so it’s nil

Hope that helps.

aerospike · September 22, 2006, 4:49pm

I’m writing my first production rails app. It needs to use
authentication, and I’m wondering if my code is good/secure?
If anyone would like to tell me what they think, it’d be great.

Thanks,
jason

[code]

class ApplicationController < ActionController::Base
before_filter :authorize

def authorize
if @session[:user_id].nil?
flash[:notice] = “Please log in to continue”
redirect_to :controller => “account”, :action => “login”
else
@logged_in_user = User.find(@session[:user_id])
end
end

end

class AccountController < ApplicationController
skip_before_filter :authorize

def login
if @request.post?
if possible_user = User.authenticate(@params[:login][:username],
@params[:login][:password])
@session[:user_id] = possible_user.id
@session[:location] = possible_user.role.location_id
@session[:role_id] = possible_user.role.id
redirect_to(:controller => “application”, :action => “index”)
else
flash[:notice] = “Invalid username and/or password”
logger.info("INVALID LOGIN ATTEMPT – Username: " +
@params[:login][:username])
end
end
end

def logout
reset_session
redirect_to(:controller => “account”, :action => “login”)
end

end

class User < ActiveRecord::Base

has_one :role

def self.authenticate(username, password)
this_user = find_by_username_and_password(username,
encrypt(password), :include => ‘role’)
if this_user.nil? || this_user.role.nil?
#Put log entry here, IF you can even do it in the
model. Or do it in the controller
nil #Return Nil if no role is found for the user, or
no user found for credentials
else
this_user #Return the user object for users with roles
end
end

def self.encrypt(password)
[ password encryption code here… ]
end
end

aerospike · September 24, 2006, 1:04am

instead of these 2 lines in your login_controller.rb
username = params[:login][:username]
password = params[:login][:password]

use this instead:

      username = session[:login][:username]
      password = session[:login][:password]

try it and let me know how it works.

B