One authentication for multiple rails apps


#1

i am in the process of taking all of our php applications for the
company i work for and rewriting them in ruby on rails. just to help
with username and password management, i had a program where we could
create a user and then assign what other programs they had access to, so
that they would only have to log in at one place and have access to all
of the software.

i’m not sure of the right approach for moving this over. i don’t know if
it would be better to have everything inside one giant ruby on rails
app, or if i can keep it so that everything has its own individual
program, including an application to manage users and what they have
been given access to.

i would prefer the latter just because it seems like it would be easier
to manage because it is more modular, but i’m open to any other
suggestions.

thanks


#2

Josh K. wrote:

i am in the process of taking all of our php applications for the
company i work for and rewriting them in ruby on rails. just to help
with username and password management, i had a program where we could
create a user and then assign what other programs they had access to, so
that they would only have to log in at one place and have access to all
of the software.

i’m not sure of the right approach for moving this over. i don’t know if
it would be better to have everything inside one giant ruby on rails
app, or if i can keep it so that everything has its own individual
program, including an application to manage users and what they have
been given access to.

i would prefer the latter just because it seems like it would be easier
to manage because it is more modular, but i’m open to any other
suggestions.

thanks

I’d put it all together. Just because they’re in one “giant” app does
not mean that they’re unmanageable. It would really simplify
authentication stuff, too. Instead of keeping auth data in a separate db
or something, it’s natively already right where you need it.

The only argument for real separation would be if the different apps are
really and truly not related. Then you could just use LDAP as your
authentication store, and it wouldn’t be really hard at all.


#3

The only argument for real separation would be if the different apps are
really and truly not related. Then you could just use LDAP as your
authentication store, and it wouldn’t be really hard at all.

yeah, i did some searching on google and found information about LDAP.
where can i get more information on that? most of our users are on mac
too - does it matter what OS they are using when they access the app?

another idea i had was keeping several different rails apps, but having
them all use the same database, just different tables. that way they
would all have access to the users and session information.


#4

Josh,
I’m a ruby newbie, but I do know something about authentication and
authorization. The biggest thing people need to realize is that they are
two separate problems with two separate solutions. Use one mechanism to
authenticate your user and a second mechanism to authorize the user for
the specific application.
Once you know who a user is, you don’t have to do that again. You
just need to figure out what to give her access to.
With AD and LDAP the user can be in multiple groups. You can
retrieve the group membership for a user and make access available based
on group membership. Your management of people/groups can be put off
onto AD or LDAP.
If you’re using apache, you can let apache handle authentication. Then
your application can get the username from apache and make decisions on
authorization. Apache can do ldap, kerberos, ad and more.

Blake C. Lewis
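
The split described in this post, as an added example that is not part of the original thread: the web server authenticates, and a Rack-style middleware in each app only authorizes by group. It assumes Apache's `REMOTE_USER` reaches the Rack environment; the `GROUPS` table, the `GroupAuthorizer` class and the `app.current_user` key are hypothetical stand-ins, with the table taking the place of an LDAP/AD group lookup.

```ruby
# Added example: authorization only; authentication is left to the web server.
class GroupAuthorizer
  # Constructed sample data standing in for an LDAP/AD group lookup.
  GROUPS = {
    'alice' => %w[payroll inventory],
    'bob'   => %w[inventory]
  }.freeze

  def initialize(app, required_group:, lookup: GROUPS)
    @app = app
    @required_group = required_group
    @lookup = lookup
  end

  def call(env)
    # REMOTE_USER is set by the web server after it authenticated the user.
    # HTTP_REMOTE_USER would be a client-supplied "Remote-User" request
    # header, so it is deliberately never read here.
    user = env['REMOTE_USER'].to_s.strip
    return deny(401, 'authentication required') if user.empty?

    groups = @lookup.fetch(user, [])
    unless groups.include?(@required_group)
      return deny(403, "#{user} is not in #{@required_group}")
    end

    env['app.current_user'] = user # hypothetical key for the downstream app
    @app.call(env)
  end

  private

  def deny(status, message)
    [status, { 'content-type' => 'text/plain' }, [message]]
  end
end

# A trivial downstream app standing in for one of the Rails applications.
PAYROLL_APP = lambda do |env|
  [200, { 'content-type' => 'text/plain' }, ["hello #{env['app.current_user']}"]]
end

# Status code the payroll app returns for a given Rack environment.
def payroll_status(env)
  GroupAuthorizer.new(PAYROLL_APP, required_group: 'payroll').call(env).first
end
```
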


#5

i’m still trying to figure out the best way to do this. all of the apps
i want to use are completely unrelated. i still want to keep everything
separate, so here’s what i’ve thought - please tell me if this idea is
completely ridiculous.

everything would have its own rails app, and its own database. each
app would have a standard table for the user information. and in the
user management application, i would have a table for all of the other
apps. in the table, i thought about having a field for the name of the
database that the application is using, so that when you create a user,
it will create it in both applications. the same for user deletions. not
everyone has access to every app, so it would only create a user in the
app’s user table when the user is assigned to that application.

then, when that user logs in, he or she will get a list of applications
that they have access to. clicking on each one should then pass the
login information to that app automatically so they can use it.

i hope that makes sense to someone out there. it’s kind of confusing
myself, but i really need to come up with a solution for this really
soon.

thanks for your help,
josh


#6

On 4/28/06, Josh K. wrote:

it will create it in both applications. the same for user deletions. not

thanks for your help,
josh

You might want to consider using CAS, which has a Ruby / Rails client
interface:
http://www.ja-sig.org/products/cas/

It’s pretty lightweight, as such things go, and is designed for this
type of task.
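
A simplified in-memory model of the service-ticket idea CAS is built around, added here as an example and not taken from the thread or from any CAS client library: the login server hands the browser a short-lived, single-use ticket bound to one application, and that application redeems it server-to-server, so the password never reaches the individual apps. The `TicketServer` class, the `ACCESS` table, the 10-second lifetime and the URLs are all hypothetical.

```ruby
require 'securerandom'

# Added example: models ticket issue/validation only, not the CAS wire protocol.
class TicketServer
  TICKET_TTL = 10 # seconds; a ticket is meant to be redeemed immediately

  def initialize(access, clock: -> { Time.now.to_f })
    @access = access # user => list of service URLs the user may open
    @clock = clock
    @tickets = {}    # ticket => { user:, service:, expires: }
  end

  # Called by the login portal after the user has authenticated.
  # Returns nil when the user has not been assigned to that service.
  def issue(user, service)
    return nil unless @access.fetch(user, []).include?(service)

    ticket = "ST-#{SecureRandom.hex(16)}"
    @tickets[ticket] = { user: user, service: service,
                         expires: @clock.call + TICKET_TTL }
    ticket
  end

  # Called server-to-server by the application that received the ticket.
  # Returns the username, or nil if the ticket is unknown, already used,
  # expired, or was issued for a different service.
  def validate(ticket, service)
    record = @tickets.delete(ticket) # single use: gone after the first attempt
    return nil if record.nil?
    return nil if record[:service] != service
    return nil if @clock.call > record[:expires]

    record[:user]
  end
end

# Constructed sample data: which user may open which application.
ACCESS = {
  'josh' => ['https://inventory.example/', 'https://payroll.example/'],
  'pat'  => ['https://inventory.example/']
}.freeze
```

Deleting the ticket on the first validation attempt, whatever the outcome, is what keeps a ticket captured from a URL or a log from being replayed.
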