forked from technoweenie/restful-authentication
-
Notifications
You must be signed in to change notification settings - Fork 0
Attempt to add SSL client certificate support to the restful_authenctication plugin
labria/restful-authentication
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
by labria: This is a fork of the restful_authentication plugin including client certificate logon. It's still totally raw, has too much hardcoded stuff and lacks some things, but you know, "release early, release often" =) It add a new option, --use-certificates First of all, create a dir named "cert" in your rails root. I frankly don't know how to do it from the generator, I'll fix this later. Second, after installing the plugin, edit the config/initializers/cert_config.rb with some of your data. Please, don't change the paths just yet. Actually, you can leave the defaults, except for domainname and hostname, you better hadrcode those to the server where you'll be using this. Now, run "rake cert:create_ca", this will create theCA needed to sign your user certficates. If you don't have a server certificate for your domain, you can create a self- signed one using "rake cert:server_cert", using the options from the bottom of cert_config.rb Now, you have to configure your server. This is the tricky part. I'm using nginx, and here's what i did: If the user comes with https without a cert, redirect him back to http. If he does have a cert, pass its subject string as the HTTP_X_SSL_CLIENT_S_DN header. You can see the config in one of my posts on the subject at http://blog.startika.com So what you have to do, is to make your server pass the certificate string as X_SSL_CLIENT_S_DN to the app. I'm not sure how it's done with other servers, please send me instructions =) So, now you have a UsersController#get_cert action, which gives the user his certificate in a p12 file, and the https://youserver.com/session/new page which auto-logons the user if he presents his certificate. Not much, but it's still nice to provide such things. If you have any questions, comments, suggestions or correction please contact me any way you please, by email at [email protected], for example. Original readme follows. Restful Authentication Generator ==== This is a basic restful authentication generator for rails, taken from acts as authenticated. Currently it requires Rails 1.2.6 or above. To use: ./script/generate authenticated user sessions \ --include-activation \ --stateful The first parameter specifies the model that gets created in signup (typically a user or account model). A model with migration is created, as well as a basic controller with the create method. The second parameter specifies the sessions controller name. This is the controller that handles the actual login/logout function on the site. The third parameter (--include-activation) generates the code for a ActionMailer and its respective Activation Code through email. The fourth (--stateful) builds in support for acts_as_state_machine and generates activation code. This was taken from: http://www.vaporbase.com/postings/stateful_authentication You can pass --skip-migration to skip the user migration. If you're using acts_as_state_machine, define your users resource like this: map.resources :users, :member => { :suspend => :put, :unsuspend => :put, :purge => :delete } Also, add an observer to config/environment.rb if you chose the --include-activation option config.active_record.observers = :user_observer # or whatever you # named your model Security Alert ==== I introduced a change to the model controller that's been tripping folks up on Rails 2.0. The change was added as a suggestion to help combat session fixation attacks. However, this resets the Form Authentication token used by Request Forgery Protection. I've left it out now, since Rails 1.2.6 and Rails 2.0 will both stop session fixation attacks anyway.
About
Attempt to add SSL client certificate support to the restful_authenctication plugin
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published
Languages
- Ruby 100.0%