Web service authentication


#1

after almost a week of trial and error, i’ve finally got a hold of
creating a web service in rails. after all this time though, i’m still
not quite sure if i can make it work the way i want it to.

i was basically trying to create a login portal so that the users at our
company can have one place to login for all of our internal
applications. well, right now - i can have each of the apps pull the
user information from the user portal, but i don’t know how to go the
other way around. basically i need to pass the user information to each
one of the apps, and forward the user to the location at the same time.
any ideas or help will be greatly appreciated.


#2

Josh K. wrote:

after almost a week of trial and error, i’ve finally got a hold of
creating a web service in rails. after all this time though, i’m still
not quite sure if i can make it work the way i want it to.

i was basically trying to create a login portal so that the users at our
company can have one place to login for all of our internal
applications. well, right now - i can have each of the apps pull the
user information from the user portal, but i don’t know how to go the
other way around. basically i need to pass the user information to each
one of the apps, and forward the user to the location at the same time.
any ideas or help will be greatly appreciated.

You might want to have a look at http://openid.net . The OpenID system
sounds real close to what your want. In particular, you might be able to
modify the OpenID client and server code to get what you need.

Oh, and check out http://openprofile.net for my own extensions to the
OpenID protocol.

–Al Evans


#3

Yeah, I’m doing the same for my company.

This is my situation, there are three sectors in the company with web
applications:

WA = Web Application

Systems sector
WA1
WA2
WA3
Development sector
WA4
WA5
WA6
Portal sector (my sector)
WA7

Basically, if you wanted to log in into WA1, you have to put a
user/password, and then, if you wanted to log into WA2, or WA4, or
whatever, you need to put another user/password.
My solution is to create a unified login service.
I’m creating a login application in rails, I have information about
every web application (the web name, the IP address, and encryption
keys).
¿Why encryption keys? Because in my company, everyone is crazy about
security (although you can hack anything at anytime), if you want to do
something, you have to promise that your solution is the most secure in
the world.
So I use RSA encryption, for every WA I have two pairs of public/private
keys, so in WA1 I encrypt the message with public key 1 and send it to
the login service, and in the login service I decipher with the private
key 1, and then, in the login service I encrypt again with the public
key 2 and then I decipher the message with private key 2.
I also have an IP filter, at first by iptables, and then in the web
services, in my login service I only accept connections for the IPs
where the WA are.
And now, the real thing, how do I ensure that if you log into WA1 with a
user/password, this one works with WA2?
Well, I just add a kind of backdoor into every web application… this
is an example:

  • I go to WA1 in my explorer.

  • I go to the login page

  • I put my user/password, WA1 encrypt the data and send it to the login

    service, ask if the user is valid, the login services says to the WA1
    “every ok, it’s the client number 7” so I let the user pass.
    In the WA1, I show the user links to go into WA2, WA3, and WA5.

  • The user clicks in WA3 link.

  • Whe the user licked in WA3, he invoked the action redirect_to_WA(3),
    so I redirect the user to WA3, with his user and password encrypted, WA3
    automatically checks the user/password in the login service, every it’s
    ok so the user is logged in with just one click.

My problem is in the last step, by now, I have to redirect the user with
a GET action, but actually, I’ll have to redirect him with a POST
action, because the GET can be hold into the navigation memory, and I
don’t want that the user store the user/password in his navigation’s
memory, so, I’m working in the last step right now, trying to get the
user logged in into WA3 by an automatic post and not by an GET action.

Rodrigo D.

Iplan Networks Datos Personales
removed_email_address@domain.invalid removed_email_address@domain.invalid
www.iplan.com.ar www.rorra.com.ar
5031-6303 15-5695-6027

-----Mensaje original-----
De: removed_email_address@domain.invalid
[mailto:removed_email_address@domain.invalid] En nombre de Al Evans
Enviado el: Jueves, 04 de Mayo de 2006 08:22 p.m.
Para: removed_email_address@domain.invalid
Asunto: [Rails] Re: web service authentication

Josh K. wrote:

after almost a week of trial and error, i’ve finally got a hold of
creating a web service in rails. after all this time though, i’m still

not quite sure if i can make it work the way i want it to.

i was basically trying to create a login portal so that the users at
our
company can have one place to login for all of our internal
applications. well, right now - i can have each of the apps pull the
user information from the user portal, but i don’t know how to go the
other way around. basically i need to pass the user information to
each
one of the apps, and forward the user to the location at the same
time.
any ideas or help will be greatly appreciated.

You might want to have a look at http://openid.net . The OpenID system
sounds real close to what your want. In particular, you might be able to

modify the OpenID client and server code to get what you need.

Oh, and check out http://openprofile.net for my own extensions to the
OpenID protocol.

–Al Evans


Posted via http://www.ruby-forum.com/.


Rails mailing list
removed_email_address@domain.invalid
http://lists.rubyonrails.org/mailman/listinfo/rails


#4

Rodrigo D. wrote:

My problem is in the last step, by now, I have to redirect the user with
a GET action, but actually, I’ll have to redirect him with a POST
action, because the GET can be hold into the navigation memory, and I
don’t want that the user store the user/password in his navigation’s
memory, so, I’m working in the last step right now, trying to get the
user logged in into WA3 by an automatic post and not by an GET action.

Rodrigo, I had actually thought this through and was leaning towards an
almost identical solution. that last little bit is the part that i
wasn’t sure how to do. i have been reading about setting up drb so the
sessions can be shared, and then just storing the user_id in a shared
session over the netword. then all the apps can use that to pull the
users specific information for that app through web services. i’m not
sure if that’s the way things work though.

i may just pass it through a get request for now until i find something
better. if i think of something, i can let you know. i’d appreciate it
if you could do the same. thanks for your help.


#5

If you’re going to so much trouble you might as well meet the needs of
an SSO
spec.!

You could check out Shibboleth - http://shibboleth.internet2.edu/ .

Nick


#6

Central Authentication Service is what we’re using here… It is a Java
application but there are ways to use the service from just about
anything
and it is just so easy to use it in Rails. It’s kinda tricky to set up
but
only because we’re using a Microsoft Active Directory for our users.

http://www.ja-sig.org/products/cas/