Web service authentication

After almost a week of trial and error, I’ve finally got a hold of
creating a web service in Rails. After all this time, though, I’m still
not quite sure if I can make it work the way I want it to.

I was basically trying to create a login portal so that the users at our
company can have one place to log in for all of our internal
applications. Well, right now I can have each of the apps pull the
user information from the user portal, but I don’t know how to go the
other way around. Basically I need to pass the user information to each
one of the apps, and forward the user to the location at the same time.
Any ideas or help will be greatly appreciated.

Josh K. wrote:

After almost a week of trial and error, I’ve finally got a hold of
creating a web service in Rails. After all this time, though, I’m still
not quite sure if I can make it work the way I want it to.

I was basically trying to create a login portal so that the users at our
company can have one place to log in for all of our internal
applications. Well, right now I can have each of the apps pull the
user information from the user portal, but I don’t know how to go the
other way around. Basically I need to pass the user information to each
one of the apps, and forward the user to the location at the same time.
Any ideas or help will be greatly appreciated.

You might want to have a look at http://openid.net . The OpenID system
sounds real close to what you want. In particular, you might be able to
modify the OpenID client and server code to get what you need.

Oh, and check out http://openprofile.net for my own extensions to the
OpenID protocol.

–Al Evans

Yeah, I’m doing the same for my company.

This is my situation: there are three sectors in the company with web
applications:

WA = Web Application

Systems sector
WA1
WA2
WA3
Development sector
WA4
WA5
WA6
Portal sector (my sector)
WA7

Basically, if you wanted to log in to WA1, you had to enter a
user/password, and then, if you wanted to log in to WA2, or WA4, or
whatever, you needed to enter another user/password.
My solution is to create a unified login service.
I’m creating a login application in Rails; I have information about
every web application (the web name, the IP address, and encryption
keys).
Why encryption keys? Because in my company, everyone is crazy about
security (although you can hack anything at any time); if you want to do
something, you have to promise that your solution is the most secure in
the world.
So I use RSA encryption. For every WA I have two pairs of public/private
keys, so in WA1 I encrypt the message with public key 1 and send it to
the login service, and in the login service I decrypt with private
key 1; then, in the login service I encrypt again with public
key 2 and then I decrypt the message with private key 2.
I also have an IP filter, at first by iptables, and then in the web
services: in my login service I only accept connections from the IPs
where the WAs are.
And now, the real thing: how do I ensure that if you log in to WA1 with a
user/password, this one works with WA2?
Well, I just add a kind of backdoor into every web application… this
is an example:

  • I go to WA1 in my browser.

  • I go to the login page.

  • I enter my user/password; WA1 encrypts the data and sends it to the login
    service and asks if the user is valid; the login service says to WA1
    “everything OK, it’s client number 7”, so I let the user pass.
    In WA1, I show the user links to go to WA2, WA3, and WA5.

  • The user clicks the WA3 link.

  • When the user clicked the WA3 link, he invoked the action redirect_to_WA(3),
    so I redirect the user to WA3 with his user and password encrypted; WA3
    automatically checks the user/password with the login service, everything is
    OK, so the user is logged in with just one click.

My problem is in the last step. For now, I have to redirect the user with
a GET action, but actually I’ll have to redirect him with a POST
action, because the GET can be kept in the browser history, and I
don’t want the user to store the user/password in his browser
history, so I’m working on the last step right now, trying to get the
user logged in to WA3 by an automatic POST and not by a GET action.

Rodrigo D.

Iplan Networks Personal Data
[email protected] [email protected]
www.iplan.com.ar www.rorra.com.ar
5031-6303 15-5695-6027

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On behalf of Al Evans
Sent: Thursday, 04 May 2006 08:22 p.m.
To: [email protected]
Subject: [Rails] Re: web service authentication


Posted via http://www.ruby-forum.com/.


Rails mailing list
[email protected]
http://lists.rubyonrails.org/mailman/listinfo/rails
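The last step Rodrigo describes, the hand-off from WA1 to WA3 with an automatic POST, as an added Ruby example. This is not code from the thread, and it differs from the scheme above in one respect a practitioner would want: the browser carries a short-lived, single-use ticket minted by the login service, never the user/password, and the target app confirms the ticket with the login service over a back channel that also enforces the IP allowlist. Per-app shared secrets with HMAC stand in for the per-WA RSA key pairs; the app registry, ticket lifetime, URLs and the injected clock are assumptions for the demo.

```ruby
require 'openssl'
require 'securerandom'
require 'cgi'

# Added example (not the poster's code): the login service issues a short-lived,
# single-use ticket; the browser carries only the ticket to the target app,
# which verifies it over a back channel. Per-app shared secrets, the ticket
# lifetime and the app registry are assumptions for the demo.
class LoginService
  TICKET_TTL = 60 # seconds a ticket stays valid (assumption)

  # apps: { "WA3" => { secret: "...", ip: "10.0.0.3", url: "https://wa3/sso" } }
  # clock: injectable so the expiry path can be exercised without sleeping
  def initialize(apps, clock = -> { Time.now })
    @apps = apps
    @clock = clock
    @tickets = {} # ticket => { user:, app:, expires: }
  end

  def self.hmac(secret, msg)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), secret, msg)
  end

  # Constant-time comparison so a wrong MAC is not rejected faster per byte.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Called by the app the user is already logged in to (WA1 in the thread),
  # after it has verified user/password with us. Returns an opaque ticket
  # bound to the target app; the password never leaves WA1.
  def issue_ticket(user_id, target_app)
    raise ArgumentError, "unknown app #{target_app}" unless @apps[target_app]
    ticket = "ST-#{SecureRandom.hex(16)}"
    @tickets[ticket] = { user: user_id, app: target_app, expires: @clock.call + TICKET_TTL }
    ticket
  end

  # HTML that auto-POSTs the ticket to the target app, so it does not show
  # up in the URL bar, browser history or Referer header as a GET would.
  def redirect_form(ticket, target_app)
    url = CGI.escapeHTML(@apps[target_app][:url])
    value = CGI.escapeHTML(ticket)
    <<~HTML
      <form id="sso" method="post" action="#{url}">
        <input type="hidden" name="ticket" value="#{value}">
        <noscript><input type="submit" value="Continue"></noscript>
      </form>
      <script>document.getElementById("sso").submit();</script>
    HTML
  end

  # Back-channel validation, called by the target app (not the browser).
  # Checks the caller's IP allowlist, an HMAC over app|ticket with that app's
  # secret, that the ticket was issued for this app, single use and expiry.
  # Returns the user id, or nil for any failure.
  def validate(ticket, app_name, caller_ip, mac)
    app = @apps[app_name]
    return nil unless app && app[:ip] == caller_ip
    expected = self.class.hmac(app[:secret], "#{app_name}|#{ticket}")
    return nil unless self.class.secure_compare(expected, mac)
    record = @tickets.delete(ticket) # single use: removed on first lookup
    return nil unless record && record[:app] == app_name
    return nil unless record[:expires] > @clock.call
    record[:user]
  end
end

# The receiving side (WA3 in the thread): handles the auto-POST by asking the
# login service who the ticket belongs to. @ip stands in for the source
# address the login service would see on the back-channel connection.
class TargetApp
  def initialize(name, secret, ip, login_service)
    @name, @secret, @ip, @login = name, secret, ip, login_service
  end

  def handle_sso_post(ticket)
    mac = LoginService.hmac(@secret, "#{@name}|#{ticket}")
    user = @login.validate(ticket, @name, @ip, mac)
    user ? { logged_in: true, user: user } : { logged_in: false }
  end
end

if __FILE__ == $PROGRAM_NAME
  svc = LoginService.new({ 'WA3' => { secret: 'wa3-secret', ip: '10.0.0.3', url: 'https://wa3.example/sso' } })
  ticket = svc.issue_ticket(7, 'WA3')
  puts svc.redirect_form(ticket, 'WA3')
  wa3 = TargetApp.new('WA3', 'wa3-secret', '10.0.0.3', svc)
  p wa3.handle_sso_post(ticket) # first use succeeds
  p wa3.handle_sso_post(ticket) # replay fails
end
```

Because the ticket is deleted on first lookup and expires within a minute, a ticket captured from a proxy log or a bookmarked page is useless; the HMAC ties the validation call to the one app the ticket was issued for, so WA3 cannot redeem a ticket meant for WA2 even if both sit on the allowlist.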

Rodrigo D. wrote:

My problem is in the last step. For now, I have to redirect the user with
a GET action, but actually I’ll have to redirect him with a POST
action, because the GET can be kept in the browser history, and I
don’t want the user to store the user/password in his browser
history, so I’m working on the last step right now, trying to get the
user logged in to WA3 by an automatic POST and not by a GET action.

Rodrigo, I had actually thought this through and was leaning towards an
almost identical solution. That last little bit is the part that I
wasn’t sure how to do. I have been reading about setting up DRb so the
sessions can be shared, and then just storing the user_id in a shared
session over the network. Then all the apps can use that to pull the
user’s specific information for that app through web services. I’m not
sure if that’s the way things work though.

I may just pass it through a GET request for now until I find something
better. If I think of something, I can let you know. I’d appreciate it
if you could do the same. Thanks for your help.

If you’re going to so much trouble you might as well meet the needs of
an SSO spec!

You could check out Shibboleth - http://shibboleth.internet2.edu/ .

Nick

Central Authentication Service is what we’re using here… It is a Java
application, but there are ways to use the service from just about
anything, and it is just so easy to use it in Rails. It’s kinda tricky to
set up, but only because we’re using Microsoft Active Directory for our
users.

http://www.ja-sig.org/products/cas/
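The CAS 2.0 client flow the post above relies on, as an added Ruby example (not code from the CAS project or from any Rails CAS client): send an unauthenticated browser to /login?service=…, receive it back with ?ticket=ST-…, and confirm the ticket server-to-server over /serviceValidate. This is the same ticket-not-password shape discussed earlier in the thread, seen from the consuming application. The CAS server address, service URL and the two sample responses are constructed placeholders; the HTTP fetch is injected so the flow runs offline.

```ruby
require 'cgi'
require 'rexml/document'

# Added example (not CAS project code): the pieces a Rails app needs to act as
# a CAS 2.0 client. CAS_BASE and the service URL are assumptions; `fetch` is
# injected so the exchange can be exercised without a CAS server.
module CasClient
  CAS_BASE = 'https://cas.example.com/cas' # assumption
  CAS_NS = { 'cas' => 'http://www.yale.edu/tp/cas' } # namespace in CAS 2.0 responses

  # 1. Unauthenticated browser: send it to the CAS login page, naming the URL
  #    it should come back to. CAS appends ?ticket=ST-... on the way back.
  def self.login_url(service_url)
    "#{CAS_BASE}/login?service=#{CGI.escape(service_url)}"
  end

  # 2. Server-to-server check of that ticket. The service URL must be exactly
  #    the one used at login (without the ticket parameter) or CAS rejects it.
  def self.validate_url(service_url, ticket)
    "#{CAS_BASE}/serviceValidate?service=#{CGI.escape(service_url)}&ticket=#{CGI.escape(ticket)}"
  end

  # 3. Parse the /serviceValidate XML. Success carries <cas:user>; failure
  #    carries <cas:authenticationFailure code="...">. Returns username or nil.
  def self.parse_validation(xml)
    doc = REXML::Document.new(xml)
    user = REXML::XPath.first(doc, '//cas:authenticationSuccess/cas:user', CAS_NS)
    user && user.text.strip
  end

  # 4. One request through a protected action. `fetch` takes a URL and returns
  #    the response body (Net::HTTP over TLS in a real app). Returns
  #    [:redirect, url], [:login, user] or [:reject, reason].
  def self.handle_request(service_url, params, fetch)
    ticket = params['ticket']
    return [:redirect, login_url(service_url)] if ticket.nil? || ticket.empty?
    return [:reject, 'malformed ticket'] unless ticket.start_with?('ST-')
    user = parse_validation(fetch.call(validate_url(service_url, ticket)))
    user ? [:login, user] : [:reject, 'ticket not accepted by CAS']
  end
end

# Constructed sample responses in the CAS 2.0 format (not captured from a live server).
CAS_OK = <<~XML
  <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
      <cas:user>jdoe</cas:user>
    </cas:authenticationSuccess>
  </cas:serviceResponse>
XML

CAS_FAIL = <<~XML
  <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationFailure code='INVALID_TICKET'>
      Ticket ST-0000 not recognized
    </cas:authenticationFailure>
  </cas:serviceResponse>
XML

if __FILE__ == $PROGRAM_NAME
  service = 'https://wa3.example/'
  p CasClient.handle_request(service, {}, ->(_url) { CAS_OK })                       # redirect to CAS
  p CasClient.handle_request(service, { 'ticket' => 'ST-abc' }, ->(_url) { CAS_OK })   # [:login, "jdoe"]
  p CasClient.handle_request(service, { 'ticket' => 'ST-abc' }, ->(_url) { CAS_FAIL }) # rejected
end
```

The user name is taken only from the validation response, never from anything the browser sent, and the validation request goes from the app to the CAS server directly; the app's session is created only after the `[:login, user]` branch, which is the property that lets one CAS login cover every application.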