I was moving a application for network management in Rails into a production environment.
It had originally started out as something for my own use.
Of course I did not do security for a single user app.
In previous apps I'd used authenticated system with ldap to give a sign-on.
I wanted easier and tighter integration. NTLM comes to mind, as you can just clink a link,
and your windows login is re-used for your web application.
The problem has always been that mongrel does not support NTLM.
Well that solved now. Thanks to the work of Seggy Umboh, there is a new
NTLM filter for mongrel.
This actually passes you the windows domain user name
directly into your controller.
To get mongrel to use the filter, you must pass a config file, as
documented in the readme.
Then you need a few things in your app:
First in your routes:
map.connect 'ntlm/login', :controller => 'account', :action => 'login'
I added this so the ntlm mongrel filter will chain to my account controller. That way
your "user" controller can remain unchanged. I just prefer to keep them separate.
Easier to add into existing systems that way.
The in the account controller you need the following:
class AccountController < ApplicationController
my_user_name = request.env['REMOTE_USER']
session[:logged_in] = :false
myuser = User.find(:first, :conditions => ["name = ?", my_user_name])
myuser = User.new
myuser.name = my_user_name
session[:current_user] = my_user_name
session[:user_id] = myuser.id
session[:logged_in] = :true
Then you need a little helper lib. This one is cut down from authenticated system.
This should be in you lib directory.
# Returns true or false if the user is logged in.
# Preloads @current_user with the user model if they're logged in.
if session[:logged_in] == :false
pp "Access Denied"
# Redirect as appropriate when an access request fails.
# Our application only uses ntlm based login - you must be part of the domain
# Store the URI of the current request in the session.
# We can return to this location by calling #redirect_back_or_default.
session[:return_to] = request.request_uri
# Redirect to the URI stored by the most recent store_location call or
# to the passed default.
session[:return_to] ? redirect_to(session[:return_to]) : redirect_to(default)
session[:return_to] = nil
Finally in your application.rb
# Filters added to this controller apply to all controllers in the application.
# Likewise, all the methods added will be available for all controllers.
class ApplicationController < ActionController::Base
helper :all # include all helpers, all the time
include NtlmSystem # Add this for NTLM to work
# See ActionController::RequestForgeryProtection for details
# Uncomment the :secret if you're not using the cookie session store
protect_from_forgery :secret => '6e2f000403020a0d9041a7bfb069239d'
# See ActionController::Base for details
# Uncomment this to filter the contents of submitted sensitive data parameters
# from your application log (in this case, all fields with names like "password").
When you start your application, make sure you do it like this:
mongrel_rails start -S config\mongrel_ntlm.conf
After reading, on NTLM, and playing with it, I found the URL are a bit picky, if you
want to use the app, without needing to key your username and password
http://servername:3000/ work perfectly fine.
If you put the whole name, it tends to ask you the user name and password