Home
Welcome to the authenticates_rpi wiki!
This plugin serves as an authentication and authorization extension to Rails in environments with CAS authentication. It provides a session controller for login/logout, as well as extensions to ActionController that allow for convenient interaction with session information.
This page will give an overview of installation and use of the plugin in the most basic case.
Outline:
- 1. Installation
- 1.1. Download
- 1.2. Configuration
- 2. Use
- 2.1. Login and Logout
- 2.2. Session Interaction
- 2.3. Model-based Authorization
- 3. Feedback
1. Installation
To install authentication, install the three plugins and then configure them.
All commands are run from the rails application’s base directory unless noted.
1.1. Download
Three plugins are required: rubyCAS-client, authenticates_access, and of course authenticates_rpi. There are multiple methods for installing each, but script/plugin install should suffice for most.
To begin, rubyCAS client is required to communicate with the CAS server.
script/plugin install http://rubycas-client.googlecode.com/svn/trunk/rubycas-client
The rubyCAS client may also be installed as a gem, an SVN external, or a git submodule. See rubyCAS-client on RubyForge.
Authorization for resources is available through authenticates_access (though the authentication functionality of authenticates_rpi will work fine without it). For details on the plugin see http://www.asquaredlabs.com/article/authenticates_access.
ruby script/plugin install git://github.com/asquared/authenticates_access.git
It is also possible to install authenticates_access as a git submodule, in order to more easily track updates.
Use one of these methods to install authenticates_rpi:
For the run-of-the-mill install:
script/plugin install git://github.com/mikldt/authenticates_rpi.git
If you’d like to easily track updates and your project is a git project, add the plugin as a git submodule of your git project. Read more at Rubaidh Ltd.’s blog: Using git submodules to track plugins.
git submodule add git://github.com/mikldt/authenticates_rpi.git vendor/plugins/authenticates_rpi
When you run a status on your git project, you should see changes to .gitmodules and vendor/plugins/authenticates_rpi (which looks like one file: git records the submodule as a pointer to a specific commit). Commit both to your project to reference the current version of the plugin. When it comes time to update (or make changes to the plugin), go to vendor/plugins/authenticates_rpi, pull or commit there, and then commit the new submodule pointer in your project. When doing new deployments of your app, you’ll need to run git submodule init followed by git submodule update (init only registers the submodule; update performs the clone) to pull the right version of the repo down from github into the working copy.
Of course, if your project is not under version control, you can simply checkout the code.
git clone git://github.com/mikldt/authenticates_rpi.git vendor/plugins/authenticates_rpi
1.2. Configuration
rubyCAS-client is configured via a block added to the bottom of config/environment.rb. Full details are in the rubyCAS-client documentation.
The plugin is configured with one line in the Application Controller. Add the following to app/controllers/application_controller.rb within the class definition:
authenticate_rpi Person, :username_field => 'username', :admin_field => 'is_admin'
The model that you use for the user (“accessor” in some circles) is entirely definable by you. Replace Person above with User, Profile, or whatever class your application uses to store users.
Similarly, the field that you use for the username is user-definable. This is a required argument. Pass into :username_field the name of the column where you store the username. The plugin looks the current user up by this column, so its values must match the username returned from CAS exactly, and the column must be unique for each row (a duplicate would make the lookup ambiguous).
Finally, you may specify an admin field if you want to include the concept of an administrator in your application. This is not required – it simply offers a way to use the built-in helper methods to identify when there’s an admin logged in from the controller or view. The optional :admin_field argument will take the name of a database field or a method defined in the model. It is expected to return true if the user is an admin, and false otherwise.
If there is no admin field specified, all of the admin checks will return false.
2. Use
With the plugin installed, you will be able to log users in and out, and determine their status. authenticates_access will also provide model-level security for writes, and provide access checks for restricting presentation to edit and create views to authorized users.
2.1. Login and Logout
Login and Logout functionality is provided by the Sessions Controller within the authenticates_rpi plugin.
Login link example:
link_to "login", new_session_path
Logout link example:
link_to 'logout', session_path, :method => :delete
Note that :method => :delete relies on Rails’ JavaScript helpers to submit the request as a DELETE; with JavaScript disabled the link degrades to a plain GET of session_path, which does not reach the destroy action.
2.2. Session Interaction
Several methods are available for interacting with the current login. These are available to all controllers, and to views and layouts (as helper methods).
- logged_in? – Returns true if the current user has been authenticated with CAS and exists in the database. A user who authenticates with CAS but has no matching row is therefore not considered logged in.
- admin_logged_in? – Returns true if the current user is an admin. Determined by the return value of the :admin_field provided at configuration. If no admin field is configured, this method will return false.
- current_user – Fetches the current user. Returns an object of the accessor class specified at configuration time which corresponds to the username returned by CAS.
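The configuration line from the previous section and the three helpers above, as an added example that is not code from authenticates_rpi: a dependency-free re-implementation of logged_in?, admin_logged_in? and current_user driven by the same inputs (user class, :username_field, :admin_field). The macro name authenticate_example, the find_by_field lookup, the in-memory Person rows and the assumption that the CAS-validated username lives in session[:cas_user] are all constructed for illustration; a real Rails plugin would call the model’s find_by_<username_field> instead.

```ruby
# Added example, not code from authenticates_rpi: a dependency-free re-implementation
# of the three helpers the page describes (logged_in?, admin_logged_in?, current_user),
# driven by the same configuration inputs (user class, :username_field, :admin_field).
# The user "table" and the CAS-populated session are in-memory hashes constructed here,
# and the session key :cas_user is assumed to hold the CAS-validated username.
module AuthenticatesExample
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Hypothetical stand-in for the plugin's
    #   authenticate_rpi Person, :username_field => 'username', :admin_field => 'is_admin'
    def authenticate_example(user_class, options = {})
      raise ArgumentError, ":username_field is required" unless options[:username_field]
      @auth_user_class     = user_class
      @auth_username_field = options[:username_field].to_s
      @auth_admin_field    = options[:admin_field] && options[:admin_field].to_s
    end
    attr_reader :auth_user_class, :auth_username_field, :auth_admin_field
  end

  # The username comes only from the session that CAS validation populated,
  # never from request parameters, so a client cannot pick its own identity.
  def current_user
    username = session[:cas_user]
    return nil if username.nil?
    self.class.auth_user_class.find_by_field(self.class.auth_username_field, username)
  end

  # Logged in means CAS-authenticated AND present in the local user table.
  def logged_in?
    !current_user.nil?
  end

  # :admin_field may name a column or a method; no field configured means never admin.
  def admin_logged_in?
    field = self.class.auth_admin_field
    user  = current_user
    return false if field.nil? || user.nil?
    user.send(field) ? true : false
  end
end

# Constructed stand-in for an ActiveRecord model with a unique `username`
# column and an `is_admin` boolean column.
class Person
  ROWS = [
    { :username => 'alice', :is_admin => true },
    { :username => 'bob',   :is_admin => false },
  ]
  attr_reader :username, :is_admin

  def initialize(row)
    @username = row[:username]
    @is_admin = row[:is_admin]
  end

  # A method-based admin check, to show :admin_field => 'administrator?'.
  def administrator?
    @username == 'alice'
  end

  # Plays the role of ActiveRecord's find_by_<field>. Because lookup is by the
  # configured username field, that field must be unique, as the page requires.
  def self.find_by_field(field, value)
    matches = ROWS.select { |r| r[field.to_sym] == value }
    raise "#{field} must be unique, found #{matches.size} rows" if matches.size > 1
    matches.empty? ? nil : new(matches.first)
  end
end

# Controllers only need a `session`; these stand in for ApplicationController
# configured three different ways.
class ColumnAdminController
  include AuthenticatesExample
  authenticate_example Person, :username_field => 'username', :admin_field => 'is_admin'
  attr_reader :session
  def initialize(session); @session = session; end
end

class MethodAdminController
  include AuthenticatesExample
  authenticate_example Person, :username_field => 'username', :admin_field => 'administrator?'
  attr_reader :session
  def initialize(session); @session = session; end
end

class NoAdminController
  include AuthenticatesExample
  authenticate_example Person, :username_field => 'username'
  attr_reader :session
  def initialize(session); @session = session; end
end
```

With these classes, ColumnAdminController.new(:cas_user => 'mallory').logged_in? is false even though the session carries a CAS username, because no Person row matches; NoAdminController never reports an admin; and omitting :username_field raises at class-definition time rather than failing silently at request time.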
2.3. Model-based Authorization
Authorization for individual models and attributes is provided if authenticates_access is installed. Authorization rules for creating and modifying records may be defined in each model. The plugin will prevent unauthorized modifications, and provide methods for controllers and views to additionally test for authorization before linking to edit or create views, etc.
Learn more about authenticates_access at asquared labs.
3. Feedback
The plugin is currently a Developer Preview. For questions, feel free to message mikldt on github, and for issues please use the github Issues system. Right now my focus is getting this running on a few of my own webapps, but long-term, I’d like to make this useful for a wide audience, and get the code fully tested and up to snuff. Comments welcome!