
Securing the Login for a Rails Ecommerce Application

In the first part of this four-part series we started to learn about security for an ecommerce application in Ruby-on-Rails. In this second part we're going to test some of what we did in the first part, and implement some important login features. This article is excerpted from chapter eight of the book Practical Rails Projects, written by Eldon Alameda (Apress; ISBN: 1590597818).

Author Info:
By: Apress Publishing
June 17, 2010


Testing Redirection

The last part of the story was that after a successful login, George is redirected to the page he tried to access in the first place. acts_as_authenticated should do this for us automatically. Let's extend our integration test (authentication_test.rb) as follows to make sure.

require "#{File.dirname(__FILE__)}/../test_helper"

class AuthenticationTest < ActionController::IntegrationTest
  def setup
    # Runs before every test method: George must exist before he can log in.
    # The email value is missing from this excerpt; the address is a placeholder.
    User.create(:login => "george",
                :email => "george@example.com",
                :password => "cheetah",
                :password_confirmation => "cheetah")
  end

  def test_successful_login
    george = enter_site(:george)

    # George first hits a protected page, so the authentication system records
    # where he was heading, and then logs in.
    george.tries_to_go_to_admin
    george.logs_in_successfully("george", "cheetah")
  end

  module BrowsingTestDSL
    include ERB::Util
    attr_writer :name

    def tries_to_go_to_admin
      get "/admin/book/new"
      assert_response :redirect
      assert_redirected_to "/account/login"
    end

    def logs_in_successfully(login, password)
      post_login(login, password)
      assert_response :redirect
      assert_redirected_to "/admin/book/new"
    end

    private

    # Shared by the successful login above and the failed login tested later.
    def post_login(login, password)
      post "/account/login", :login => login, :password => password
    end
  end

  def enter_site(name)
    open_session do |session|
      # Mix the DSL methods into each session object so they can be called on it.
      session.extend(BrowsingTestDSL)
      session.name = name
      yield session if block_given?
    end
  end
end

At the beginning of the test, we use the setup method, which is automatically run before every test method, to create George as a user in the system. Then we create another DSL method for logging in to the system successfully. We extracted the actual posting of the login credentials to a private method, because we will need the same code later when we test a failed login. All our new method tests is that after a successful login, George is redirected to /admin/book/new, the page he tried to access before he was sent to the login page.

Running the test again shows that the authentication system indeed remembers where George was heading:

$ ruby test/integration/authentication_test.rb

Loaded suite test/integration/authentication_test
Started
Finished in 0.192056 seconds.

1 tests, 6 assertions, 0 failures, 0 errors

Trying to access the admin pages in a browser confirms what the test already says. As you can see in Figure 8-1, if you haven't logged in successfully, you're redirected to the login page.

Figure 8-1.  Accessing the admin pages redirects to the login page
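As an added example (not code from the book and not acts_as_authenticated itself), the following framework-free Ruby models the flow the integration test above verifies: a request to a protected path is remembered before the user is bounced to the login page, a successful login returns to that path, and a missing or non-local stored target falls back to a default path. The class, method and user data are assumptions; only /account/login and /admin/book/new come from the article.

```ruby
# Framework-free model of the post-login redirect flow (added example; not the
# book's code and not acts_as_authenticated itself).
class AuthFlow
  LOGIN_PATH   = "/account/login"
  DEFAULT_PATH = "/"

  attr_reader :session, :redirects

  def initialize(users)
    @users = users      # { login => password }; constructed sample data
    @session = {}       # stands in for the Rails session hash
    @redirects = []     # every redirect the modelled controller issued
  end

  # Stands in for the before_filter on admin pages: an unauthenticated request
  # has its path remembered and is bounced to the login page.
  def get(path)
    return :ok if @session[:user]
    @session[:return_to] = path
    redirect(LOGIN_PATH)
  end

  # Stands in for the login action. A real application compares against a
  # salted hash; plaintext comparison is only for this model.
  def login(login, password)
    return :login_failed unless password.is_a?(String) && @users[login] == password
    @session[:user] = login
    target = @session.delete(:return_to)
    redirect(local_path?(target) ? target : DEFAULT_PATH)
  end

  private

  def redirect(path)
    @redirects << path
    :redirect
  end

  # Only a path on this application is accepted as a return target; an
  # absolute URL or a protocol-relative "//host" would hand the user to
  # another site after login.
  def local_path?(target)
    target.is_a?(String) && target.start_with?("/") && !target.start_with?("//")
  end
end
```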
