
How to perform a security authentication check in a Rails server

I would like to use a web server based on Rails. But I have no idea about how to check a user's identification.

For example, a user named Guest could only perform actions like GET and UPDATE on certain tables, while another user named Admin could perform all possible actions such as POST.

I am new to this area, but I heard there are some techniques like SQL injection that could threaten the security of the web server.

So, could you tell me how to check the authentication and how to encrypt the password entered by the user?


What you seem to want is authentication and authorization.

For authentication:
https://github.com/plataformatec/devise
https://github.com/vpereira/authlogic
https://github.com/thoughtbot/clearance

For authorization:
https://github.com/be9/acl9
https://github.com/ryanb/cancan


This is strictly speaking out of my personal experience. I have tried all of the suggested authentication and authorization gems mentioned above, but I always came to the conclusion that it's not more or less work to just write it yourself, especially when your requirements are very simple. Consider this:

class ApplicationController < ActionController::Base
  # Run the check before every action except the two needed to log in;
  # without the :except an anonymous user would be redirected in a loop.
  before_filter :authentication, :except => [:authentication_form, :login]

  def authentication
    redirect_to '/authentication_form' unless session[:logged_in]
  end

  def authentication_form
    render :action => 'authentication_form'
  end

  def login
    # Hard-coded credentials, for demonstration only
    if params[:username] == 'adam' && params[:password] == 'eva'
      session[:logged_in] = true
      redirect_to '/restricted_area'
    else
      render :action => 'authentication_form'
    end
  end
end

class RestrictedController < ApplicationController
  def index
    # This action is now reachable only when session[:logged_in] is set
    render :text => 'restricted area'
  end
end

This is not complete, of course, but it demonstrates how easy authentication can be with Rails. Instead of checking users and passwords through controller code, you could query the database like this:

if User.find_by_name_and_password(params[:username], params[:password])
  session[:logged_in] = true
...

For authorization you would have to save the user's identity within the session hash, which allows you to restrict access from within every action (provided the controller is derived from ApplicationController).

I hope this helps.

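The question also asks how to protect the password itself, which the answer above leaves as a plain-text lookup. As an added example (not from the original answer, and not using Rails or a gem), here is the same session-based scheme in plain Ruby: passwords are stored only as a random salt plus a PBKDF2-HMAC-SHA256 digest from Ruby's OpenSSL, the session holds the user's identity rather than a boolean, and a role table gives the Guest/Admin split from the question. The in-memory USERS hash and the role names are constructed stand-ins for a User table.

```ruby
require 'openssl'
require 'securerandom'

# Constructed stand-in for a User table: name => { salt, digest, role }.
# The plaintext password is never stored.
USERS = {}
ITERATIONS = 100_000

# Which controller actions each role may run (constructed mapping).
ROLE_PERMISSIONS = {
  'guest' => %w[index show update],
  'admin' => %w[index show update create destroy]
}.freeze

# Derive a fixed-length digest from the password and a per-user salt.
def hash_password(password, salt = SecureRandom.random_bytes(16))
  digest = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                                    length: 32, hash: 'sha256')
  [salt, digest]
end

def register(name, password, role)
  salt, digest = hash_password(password)
  USERS[name] = { salt: salt, digest: digest, role: role }
end

# Compare two byte strings without an early exit on the first mismatch.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Equivalent of the login action: fills the session and returns it on
# success, returns nil on an unknown user or a wrong password.
def login(session, name, password)
  user = USERS[name]
  return nil unless user
  _, digest = hash_password(password, user[:salt])
  return nil unless secure_equal?(digest, user[:digest])
  session[:user_name] = name # store the identity, not just a flag
  session
end

# Equivalent of a before_filter: may the session's user run this action?
def authorized?(session, action)
  user = USERS[session[:user_name]]
  return false unless user
  ROLE_PERMISSIONS.fetch(user[:role], []).include?(action.to_s)
end
```

In a real application the salt and digest would live in two columns of the users table and the lookup would be by name only, with the digest compared in Ruby as above rather than in the SQL WHERE clause.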
