dancroak.com

"Security and Identity" ~ Justin Gehtland

RubyConf 2007

90% of all Rails apps just use acts_as_authenticated/restful_authentication and nothing more.

Redundant implementations across apps (usually generated). Commingled storage: you don't want sensitive user credentials stored in the blog application's database. You'd really want a shared, centralized user application.

Two types of centralized authentication.

A private version sits behind a firewall, on a LAN, in a corporate environment. Log in in the morning and you don't have to log in again for each app. RSA ClearTrust is an example of an enterprise single sign-on product. Costs about $2 million. Gets a company someone to sue.

A public version such as OpenID lets you create a unique identity, identified by a URL. Vendor supported, but not vendor controlled.

Inside a private network, there is trust. You know who the person is. In a public network, anyone can create an OpenID identity and you have no idea if they are who they claim to be: the provider only vouches that the user controls that URL.

A company can also allow their employees to use their public OpenIDs on their private networks.

ruby-openid … has dependencies on net transports and Yadis (OpenID plus a directory service) … Yadis is unusual; people don't typically use it.

Central Authentication Service (CAS) … Yale created it for their academic community and released it as open source. The reference implementation is Java-based. There is a Ruby port, rubycas-server, written in Camping, with a matching rubycas-client for Rails apps.

“High Performance Websites” O’Reilly book

Many applications stop at a database. In the enterprise world, you run into LDAP, NTLM, and SSOs. The CAS server has an "authenticator" model, a pluggable back end for checking credentials, that covers these.

The central authentication server creates a piece of data (a session) when it handles an authentication request. When the user goes to a second app, that session data authenticates them automatically; the second app never sees the password.
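As an added example (my code, not the speaker's and not rubycas-server's), here is an in-memory model of that two-application flow using the CAS vocabulary: a ticket-granting cookie handed out at login, a one-time service ticket per application, and a server-to-server validation call. The CasServer and RelyingApp classes, the user "alice" and the two example URLs are all made up for the illustration; real CAS does each step over HTTPS with redirects.

```ruby
require "securerandom"

# Toy CAS server: one login, many apps. Not rubycas-server code.
class CasServer
  def initialize(users)
    @users = users   # username => password; plaintext only to keep the toy small
    @tgts  = {}      # ticket-granting ticket (the SSO cookie) => username
    @sts   = {}      # service ticket => [username, service it was issued for]
  end

  # Authenticate once. On success the browser gets a ticket-granting cookie.
  def login(username, password)
    return nil unless @users[username] == password
    tgc = "TGC-#{SecureRandom.hex(16)}"
    @tgts[tgc] = username
    tgc
  end

  # Browser visits /login?service=<url> already holding a valid TGC:
  # no password prompt, just a fresh one-time service ticket bound to <url>.
  def issue_service_ticket(tgc, service)
    username = @tgts[tgc] or return nil
    st = "ST-#{SecureRandom.hex(16)}"
    @sts[st] = [username, service]
    st
  end

  # /serviceValidate, called by the app's own server, never by the browser.
  # The ticket is deleted as it is read, so a replay fails, and a ticket
  # issued for one service cannot be cashed in at another.
  def validate(st, service)
    username, issued_for = @sts.delete(st)
    return nil unless username && issued_for == service
    username
  end
end

# A relying application: it only ever sees tickets, never the password.
class RelyingApp
  attr_reader :url

  def initialize(url, cas)
    @url, @cas, @sessions = url, cas, {}
  end

  # Request arrives as <url>?ticket=ST-...; validate it, then start a local session.
  def handle_ticket(st)
    username = @cas.validate(st, @url) or return nil
    sid = SecureRandom.hex(8)
    @sessions[sid] = username
    sid
  end

  def current_user(sid)
    @sessions[sid]
  end
end

# Walk the whole flow and report what each step produced.
def sso_demo
  cas  = CasServer.new("alice" => "correct horse")
  blog = RelyingApp.new("https://blog.example/", cas)
  wiki = RelyingApp.new("https://wiki.example/", cas)

  tgc = cas.login("alice", "correct horse")        # typed once, in the morning
  st1 = cas.issue_service_ticket(tgc, blog.url)
  blog_sid = blog.handle_ticket(st1)

  st2 = cas.issue_service_ticket(tgc, wiki.url)    # second app: same TGC, no password
  wiki_sid = wiki.handle_ticket(st2)

  {
    bad_password:  cas.login("alice", "wrong").nil?,
    blog_user:     blog.current_user(blog_sid),
    wiki_user:     wiki.current_user(wiki_sid),
    replay_fails:  blog.handle_ticket(st1).nil?,   # st1 was consumed above
    cross_service: wiki.handle_ticket(cas.issue_service_ticket(tgc, blog.url)).nil?,
  }
end

sso_demo.each { |k, v| puts "#{k}: #{v}" } if __FILE__ == $PROGRAM_NAME
```

The two properties worth keeping when you move from the toy to a real deployment are the ones the last two keys check: a service ticket is single-use, and it is bound to the service URL it was issued for, so an app cannot use a ticket it captured to impersonate the user elsewhere.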

A nonce ("number used once") is arbitrary random data created for one-time use; it plays a similar role to a salt, except that a salt is stored and reused every time the same password is checked.

Use TLS and have the browser check the certificate.

Bank of America's approach to security includes a SiteKey: an image and phrase the user chose at enrollment, shown back before the password prompt, so the user can tell the real site from a phishing page.

Demo: restful_open_id_authentication plugin, create a note scaffold, create User and Account controllers.

If you're mixing public and private identities in your app, you need to offer both login screens. Typically, you don't want admins to use OpenID.

You never want authorization rules on the central server, just authentication; what a user may do stays with each application. OAuth (http://oauth.net/) is an option.

gem install rubycas-server

Get an SSL certificate. First set up a certificate authority … /System/Library/OpenSSL/misc/CA.pl -newca … then the certificate request … /System/Library/OpenSSL/misc/CA.pl -newreq (the request then has to be signed by that CA before the server can use it).

Pass the .pem files into config.yml, then set up the authenticator in config.yml. The password column should not be stored in plain text.

sudo rubycas-server, then type in the passphrase for your SSL key

Install rubycas-client.

require 'cas_auth' in environment.rb, then specify base_url (the CAS server) and server_name (this app).

In production, install the root certificate in the client's trust store so users don't get the message asking them to confirm the certificate; a user who habitually clicks through that prompt has defeated TLS.
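The two steps above (make a CA, then a server certificate signed by it) and the point about the root certificate, as an added example of my own using Ruby's OpenSSL bindings rather than the CA.pl script; it is not rubycas code. The subject names "Example Root CA" and "cas.example.com", the serial numbers and the one-year validity are assumptions for the illustration.

```ruby
require "openssl"

# Build one X.509 v3 certificate. With no issuer it is self-signed (a root CA);
# with an issuer it is signed by that CA's key.
def make_cert(subject, key, serial:, ca: false, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                        # X.509 v3
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = cert.not_before + 365 * 24 * 3600   # one year, an assumption

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage",
    ca ? "keyCertSign,cRLSign" : "digitalSignature,keyEncipherment", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Equivalent of CA.pl -newca followed by -newreq and signing the request.
def build_pki
  ca_key   = OpenSSL::PKey::RSA.new(2048)
  ca_cert  = make_cert("/CN=Example Root CA", ca_key, serial: 1, ca: true)
  srv_key  = OpenSSL::PKey::RSA.new(2048)
  srv_cert = make_cert("/CN=cas.example.com", srv_key, serial: 2,
                       issuer_cert: ca_cert, issuer_key: ca_key)
  [ca_cert, srv_cert]
end

# What a client sees. root_pems is the client's trust store: with the root
# installed the server certificate verifies, without it the client gets the
# "do you want to trust this certificate?" prompt the note warns about.
def trusts?(root_pems, server_cert)
  store = OpenSSL::X509::Store.new
  root_pems.each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  store.verify(server_cert)
end

def pki_demo
  ca_cert, srv_cert = build_pki
  {
    signed_by_ca: srv_cert.verify(ca_cert.public_key),  # signature alone
    trusted:      trusts?([ca_cert.to_pem], srv_cert),   # root installed
    untrusted:    trusts?([], srv_cert),                 # root missing
  }
end

pki_demo.each { |k, v| puts "#{k}: #{v}" } if __FILE__ == $PROGRAM_NAME
```

The `untrusted` case is the one that matters in production: the server certificate is perfectly valid, it is the client that lacks the root, and the only fixes are to install the root on every client or to buy a certificate from a CA the clients already carry. Training users to click through the prompt is not a fix.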

A lot of cryptography is going on; the random string generator could be stronger.
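Three of the notes above come down to how random material is generated and handled: the nonce (one-time use), the password column (salted and hashed, not plain text), and the strength of the generator. As an added example of my own, not code from the talk or from rubycas-server, the block below does all three with Ruby's SecureRandom and OpenSSL and shows why a seeded Kernel#rand-style generator is the weak spot. The NonceStore class, the iteration count, the stored-column layout and the password "hunter2" are assumptions for the illustration.

```ruby
require "securerandom"
require "openssl"

# A nonce is generated once and accepted once. Remembering what was issued
# and deleting it on use is what makes the "one-time" property real.
class NonceStore
  def initialize
    @issued = {}
  end

  def issue
    n = SecureRandom.hex(16)       # 128 bits from the OS CSPRNG
    @issued[n] = true
    n
  end

  # true the first time a nonce we issued is presented, false ever after
  def consume(n)
    !!@issued.delete(n)
  end
end

# A salt is random too, but it is stored beside the hash and reused on every
# check of that one password. PBKDF2 makes each guess expensive.
ITERATIONS = 100_000   # assumed value; tune to your hardware

def hash_password(password, salt = SecureRandom.random_bytes(16))
  dk = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                                length: 32, hash: "sha256")
  # the stored column: scheme, cost, salt and hash in one string
  ["pbkdf2-sha256", ITERATIONS, salt.unpack1("H*"), dk.unpack1("H*")].join("$")
end

# Compare every byte so timing does not reveal how much of the hash matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) } == 0
end

def verify_password(password, stored)
  _scheme, iters, salt_hex, hash_hex = stored.split("$")
  dk = OpenSSL::KDF.pbkdf2_hmac(password, salt: [salt_hex].pack("H*"),
                                iterations: iters.to_i, length: 32, hash: "sha256")
  constant_time_equal?(dk, [hash_hex].pack("H*"))
end

# What "could be stronger" means: Kernel#rand is a Mersenne Twister driven
# by a seed. Anyone who learns or guesses the seed reproduces every token it
# ever produced. SecureRandom draws from the OS and has no seed to leak.
def weak_token(seed)
  r = Random.new(seed)
  Array.new(16) { r.rand(256) }.pack("C*").unpack1("H*")
end

def random_demo
  store  = NonceStore.new
  n      = store.issue
  stored = hash_password("hunter2")
  {
    nonce_first_use: store.consume(n),
    nonce_replay:    store.consume(n),
    good_password:   verify_password("hunter2", stored),
    bad_password:    verify_password("hunter3", stored),
    weak_repeats:    weak_token(42) == weak_token(42),
    strong_differs:  SecureRandom.hex(16) != SecureRandom.hex(16),
  }
end

random_demo.each { |k, v| puts "#{k}: #{v}" } if __FILE__ == $PROGRAM_NAME
```

The stored string carries its own cost and salt, so the iteration count can be raised later without a schema change: rehash on the user's next successful login and write the new string back.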