Security

Hi all,

I’m currently developing a Rails application which relies on a
further application server to get and store data.

Regarding authentication, I’m currently looking at the brilliant
Authlogic as a solution. However, I’m wondering whether it’s worth
moving the password storage and checking up to the application server.

It would work something like this:

  1. A user submits a username and password to the Rails app.
  2. Rails then passes these to the application server, which then
    checks the credentials and returns a user and time based auth key.
  3. Rails then uses this key to access the application server. At the
    moment no key is required, and the Rails app can call anything on the
    application server.

Advantages:
-If the Rails app or the web server it’s running on is compromised,
there is no direct access to the application server (since the
attacker would still not be able to generate auth keys).

Disadvantages:
-Increased complexity.
-Missing out on a lot of clever Authlogic stuff.

So I guess the general question is whether removing the authentication
from the Rails application is overkill or not: should I instead assume
managing passwords on Rails is just as strong as pushing it up to the
application server? How do most Rails applications manage their
passwords? How do they fare?

Shak
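The three-step flow from the post, written out as an added Ruby example (not the poster's code and not Authlogic). The application server owns the password store and the key used to sign auth keys; the Rails side forwards the credentials once and afterwards holds only the returned key. The class names AppServer, RailsClient and demo, the 15-minute TTL, PBKDF2-HMAC-SHA256 with 100,000 iterations, and the base64-payload "." HMAC token format are all assumptions chosen for illustration; the user and password in demo are constructed.

```ruby
require 'openssl'
require 'securerandom'
require 'json'

# Application server side (hypothetical AppServer class): it owns the password
# store and the token-signing key. TTL and PBKDF2 parameters are assumptions.
class AppServer
  TOKEN_TTL = 15 * 60 # seconds a key stays valid

  def initialize
    @signing_key = SecureRandom.random_bytes(32) # never leaves this process
    @users = {} # username => { salt:, hash: }
  end

  # Store a salted PBKDF2-HMAC-SHA256 hash; the plaintext password is not kept.
  def register(username, password)
    salt = SecureRandom.random_bytes(16)
    @users[username] = { salt: salt, hash: pbkdf2(password, salt) }
  end

  # Step 2 of the post: check the credentials and return a user- and time-based
  # key, or nil on failure. `now` is injectable so expiry can be exercised.
  def authenticate(username, password, now = Time.now.to_i)
    rec = @users[username]
    return nil unless rec && secure_equal(pbkdf2(password, rec[:salt]), rec[:hash])
    issue_token(username, now)
  end

  # Step 3 of the post: every call now needs a valid, unexpired key.
  def call_api(token, now = Time.now.to_i)
    username = verify_token(token, now)
    return { error: 'unauthorized' } unless username
    { data: "records for #{username}" }
  end

  private

  def pbkdf2(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 100_000,
                             length: 32, hash: 'sha256')
  end

  # Key = base64(JSON{user, exp}) "." hex(HMAC-SHA256 over that payload).
  def issue_token(username, now)
    payload = [JSON.generate(user: username, exp: now + TOKEN_TTL)].pack('m0')
    "#{payload}.#{hmac(payload)}"
  end

  def verify_token(token, now)
    payload, mac = token.to_s.split('.', 2)
    return nil if payload.nil? || mac.nil?
    return nil unless secure_equal(hmac(payload), mac) # check MAC before parsing
    claims = JSON.parse(payload.unpack1('m0'))
    return nil unless claims.is_a?(Hash) && claims['exp'].is_a?(Integer)
    return nil if claims['exp'] <= now
    claims['user']
  rescue ArgumentError, JSON::ParserError
    nil
  end

  def hmac(data)
    OpenSSL::HMAC.hexdigest('sha256', @signing_key, data)
  end

  # Constant-time comparison so the MAC and hash checks do not leak via timing.
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Rails side (hypothetical RailsClient): sees the password once, at login, and
# afterwards holds only the key. It has no signing key and no hashes to steal.
class RailsClient
  def initialize(app_server)
    @app_server = app_server
    @token = nil
  end

  def login(username, password)
    @token = @app_server.authenticate(username, password)
    !@token.nil?
  end

  def fetch_records
    @app_server.call_api(@token)
  end
end

# Walk through the flow, then what an attacker on a compromised Rails box gets.
def demo
  server = AppServer.new
  server.register('shak', 'correct horse battery staple') # constructed user
  client = RailsClient.new(server)
  results = { bad_login: client.login('shak', 'wrong password'),
              good_login: client.login('shak', 'correct horse battery staple') }
  results[:api] = client.fetch_records
  # Attacker on the Rails host tries to mint a key without the signing key.
  forged_payload = [JSON.generate(user: 'shak', exp: Time.now.to_i + 3600)].pack('m0')
  forged = "#{forged_payload}.#{OpenSSL::HMAC.hexdigest('sha256', 'guessed', forged_payload)}"
  results[:forged] = server.call_api(forged)
  results
end
```

The split buys exactly what the post's "Advantages" line says: password hashes and the ability to mint keys live only on the application server, so a forged key like the one in demo is rejected. What it does not buy is worth stating before deciding it is overkill: a compromised Rails host still sees every password as users type it and holds every live key until it expires, so the damage is bounded by the TTL and by the key being tied to one user rather than granting blanket access. Whether that bound is worth the extra moving parts is the trade-off the post is really asking about.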