forked from technoweenie/restful-authentication
-
Notifications
You must be signed in to change notification settings - Fork 0
/
README
85 lines (62 loc) · 3.68 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
by labria:
This is a fork of the restful_authentication plugin including client certificate logon.
It's still totally raw, has too much hardcoded stuff and lacks some things, but you know,
"release early, release often" =)
It add a new option, --use-certificates
First of all, create a dir named "cert" in your rails root. I frankly don't know how to do
it from the generator, I'll fix this later.
Second, after installing the plugin, edit the config/initializers/cert_config.rb with some
of your data. Please, don't change the paths just yet. Actually, you can leave the defaults,
except for domainname and hostname, you better hadrcode those to the server where you'll be
using this. Now, run "rake cert:create_ca", this will create theCA needed to sign your user
certficates. If you don't have a server certificate for your domain, you can create a self-
signed one using "rake cert:server_cert", using the options from the bottom of cert_config.rb
Now, you have to configure your server. This is the tricky part. I'm using nginx, and here's
what i did:
If the user comes with https without a cert, redirect him back to http. If he does have a
cert, pass its subject string as the HTTP_X_SSL_CLIENT_S_DN header. You can see the config
in one of my posts on the subject at http://blog.startika.com
So what you have to do, is to make your server pass the certificate string as X_SSL_CLIENT_S_DN
to the app. I'm not sure how it's done with other servers, please send me instructions =)
So, now you have a UsersController#get_cert action, which gives the user his certificate in
a p12 file, and the https://youserver.com/session/new page which auto-logons the user if he
presents his certificate. Not much, but it's still nice to provide such things.
If you have any questions, comments, suggestions or correction please contact me any way
you please, by email at [email protected], for example.
Original readme follows.
Restful Authentication Generator
====
This is a basic restful authentication generator for rails, taken
from acts as authenticated. Currently it requires Rails 1.2.6 or above.
To use:
./script/generate authenticated user sessions \
--include-activation \
--stateful
The first parameter specifies the model that gets created in signup
(typically a user or account model). A model with migration is
created, as well as a basic controller with the create method.
The second parameter specifies the sessions controller name. This is
the controller that handles the actual login/logout function on the
site.
The third parameter (--include-activation) generates the code for a
ActionMailer and its respective Activation Code through email.
The fourth (--stateful) builds in support for acts_as_state_machine
and generates activation code. This was taken from:
http://www.vaporbase.com/postings/stateful_authentication
You can pass --skip-migration to skip the user migration.
If you're using acts_as_state_machine, define your users resource like this:
map.resources :users, :member => { :suspend => :put,
:unsuspend => :put,
:purge => :delete }
Also, add an observer to config/environment.rb if you chose the
--include-activation option
config.active_record.observers = :user_observer # or whatever you
# named your model
Security Alert
====
I introduced a change to the model controller that's been tripping
folks up on Rails 2.0. The change was added as a suggestion to help
combat session fixation attacks. However, this resets the Form
Authentication token used by Request Forgery Protection. I've left
it out now, since Rails 1.2.6 and Rails 2.0 will both stop session
fixation attacks anyway.