User login and authentication

Being a rails newbie, I started to design our first rails-based
webapp. This app should not only be used via browsers, but we also
want to provide a (RESTful) api. I love the ‘convention over
configuration’ paradigm, but am totally clueless on what to do when it
comes to user authentication. Is there THE rails-way of doing this?

I found many excellent gems and plugins, such as AAA or thoughtbot’s
clearance. However, I keep asking myself, why not just use HTTP
(digest) authentication? I may be missing something, but why do big
players such as Facebook implement their own (token- and secret-based)
scheme?

What are you guys using? What is your favorite gem/plugin for user
auth?

Here are my favorite two summary discussions along with a pointer to a
general security site. For my work the distinction between
authentication and authorization (user name and user role) is
important. I use a combination of plugins and gems to fill my needs
since I feel site security is one area of coding that clearly benefits
from a large user base.

http://wiki.rubyonrails.org/howtos/authentication-authorization
http://www.vaporbase.com/postings/Authorization_in_Rails

hi rick,

thanks for the help, read the sites with great interest! for my
project, we won’t need authorization, basic (but strong, i.e., bcrypt
strong) authentication will do. do you use either of these tools?

  • Clearance
  • restful-authentication
  • Authlogic

I can’t figure out which to use/try first by reading the resp. docs.

cheers,
phibo
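The HTTP digest question in the opening post and the "bcrypt strong" requirement above pull in opposite directions, which this added Ruby example (not from the thread, and not code from any of the gems named) makes concrete: a server can only verify a Digest response if it holds HA1, an unsalted MD5 of user:realm:password, whereas a slow salted hash can verify a submitted password but can never yield HA1. The realm, user name and nonce are constructed values, and PBKDF2-HMAC-SHA256 stands in for bcrypt because bcrypt is not in Ruby's standard library.

```ruby
require 'digest/md5'
require 'openssl'
require 'securerandom'

REALM = 'example-app' # constructed realm name for the demonstration

# Constant-time comparison so a verifier does not leak how many leading
# bytes of a guess were right.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# --- HTTP Digest (RFC 2617, qop omitted for brevity) ---------------------
# Whatever the database stores must be HA1 itself or something from which
# HA1 can be recomputed (i.e. the plaintext password).
def digest_ha1(user, password, realm = REALM)
  Digest::MD5.hexdigest("#{user}:#{realm}:#{password}")
end

# Response the client sends back for a challenge nonce.
def digest_response(ha1, http_method, uri, nonce)
  ha2 = Digest::MD5.hexdigest("#{http_method}:#{uri}")
  Digest::MD5.hexdigest("#{ha1}:#{nonce}:#{ha2}")
end

# Server-side check: needs the stored HA1, nothing less will do.
def digest_valid?(stored_ha1, http_method, uri, nonce, client_response)
  secure_equal?(digest_response(stored_ha1, http_method, uri, nonce), client_response)
end

# --- Slow, salted password storage ---------------------------------------
# PBKDF2 stands in for bcrypt (assumption: same property of interest, a
# one-way, per-user-salted, deliberately slow hash).
def hash_password(password, salt = SecureRandom.hex(16), iterations = 100_000)
  dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, 32, OpenSSL::Digest.new('sha256'))
  "pbkdf2$#{iterations}$#{salt}$#{dk.unpack1('H*')}"
end

# Verifies a submitted password; the stored value gives no way back to HA1,
# so an app storing only this cannot answer a Digest challenge.
def password_valid?(stored, password)
  _, iterations, salt, hex = stored.split('$')
  dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations.to_i, 32, OpenSSL::Digest.new('sha256'))
  secure_equal?(dk.unpack1('H*'), hex)
end
```

Choosing Digest auth therefore fixes the password store at fast, unsalted MD5 HA1 values (or plaintext), which is what a token-and-secret scheme over TLS avoids.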

+1 for Authlogic (and if you want roles too try acl9)

phibo wrote:

hi rick,

thanks for the help, read the sites with great interest! for my
project, we won’t need authorization, basic (but strong, i.e., bcrypt
strong) authentication will do. do you use either of these tools?

  • Clearance
  • restful-authentication
  • Authlogic

I can’t figure out which to use/try first by reading the resp. docs.

I haven’t used Clearance, but based on my experience with the other two,
I’d recommend Authlogic.

cheers,
phibo

Best,

Marnen Laibow-Koser
http://www.marnen.org

Hongli L. wrote a nice article about bcrypt, which might be helpful to
you.

heimdull wrote:

+1 for Authlogic (and if you want roles too try acl9)

I’ve been using rails_authorization for roles. I seem to recall that
acl9 didn’t seem like much last time I looked at it, but I’ve been
hearing enough about it that I may have to take another look.

Best,

Marnen Laibow-Koser
http://www.marnen.org