Experiences with ModelSecurity

Hi all,

I would be very interested in your opinions on the ModelSecurity
plugin by Bruce P…

http://perens.com/FreeSoftware/ModelSecurity/Tutorial.html

Some time ago, I read on a few pages that it is the way to go; on this
list, however, I didn’t read much about it. Apart from its security
level, quoted from comments in source code:

FIX: At the moment we only support Basic authentication. It’s prone to sniffing. Change to Digest authentication.

I am at the moment struggling with the fact that it stores the
complete User object in the session data. While this is generally not a
good idea, it’s a real problem for me, as I have to deactivate and
reactivate user accounts in my app. I don’t think session expiry
handling will be enough here … I tried changing the code so that it
only stores the user_id and user_name in the session, however I didn’t
get this to work so far …

Any tips? Better authentication libs?

cheers
Martin
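
The session problem described in the message above, as an added example that is not part of the original thread and does not use ModelSecurity's API: a serialized User object in the session is a snapshot from login time, while a session that holds only the id picks up a deactivation on the next request. `User`, `UserStore` and the helper method names are hypothetical stand-ins.

```ruby
# Added illustration; names are hypothetical and not ModelSecurity's API.
# User and UserStore are constructed stand-ins for a model and its table.
User = Struct.new(:id, :name, :active)

class UserStore
  def initialize(users)
    @rows = users.map { |u| [u.id, u] }.to_h
  end

  # Returns a fresh copy on every call, as a database query would.
  def find(id)
    row = @rows[id]
    row && row.dup
  end

  def set_active(id, flag)
    @rows[id].active = flag
  end
end

# Pattern from the post: the whole object is serialized into the session,
# so the session carries a snapshot taken at login time.
def login_storing_object(session, store, id)
  session[:user] = Marshal.dump(store.find(id))
end

def current_user_from_object(session)
  user = session[:user] && Marshal.load(session[:user])
  user if user && user.active
end

# Alternative: the session holds only the id; every request re-reads the
# record, so deactivation takes effect on the next request.
def login_storing_id(session, store, id)
  user = store.find(id)
  session[:user_id] = user.id if user && user.active
end

def current_user_from_id(session, store)
  user = session[:user_id] && store.find(session[:user_id])
  return user if user && user.active
  session.delete(:user_id) # drop the login of a deactivated or deleted user
  nil
end
```

With the id-only variant, reactivating the account does not revive the old session; the user has to log in again.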

ModelSecurity hasn’t been updated since November and doesn’t seem to be
actively maintained. Bruce P. is a busy guy.

It has a nice API, but I ended up switching to something under active
development that used migrations for its database table creation.
