
Security for a Rails Ecommerce Application

We've been building an ecommerce application for an online bookstore. Now we've reached one of the most important stages in the application's design: building in the security to prevent malicious hackers from wreaking havoc. This four-part series shows you how to protect your application. This article is excerpted from chapter eight of the book Practical Rails Projects, written by Eldon Alameda (Apress; ISBN: 1590597818).

Author Info:
By: Apress Publishing
June 14, 2010
  1. · Security for a Rails Ecommerce Application
  2. · Using the Authentication Plugin
  3. · Implementing the Log In User Story
  4. · Adding the Filter


(Page 1 of 4 )

Our application is already fairly extensive. George can administer all kinds of things in the application, including books, authors, and publishers. However, the application has one major shortcoming: Anyone can browse to the administrative part of the site and wreak havoc by deleting and editing information.

In this chapter, we will show you how to implement a basic authentication system for an application with the help of the acts_as_authenticated plugin. We will also take a look at some common security problems in web applications and give you tips on how to use Rails to avoid them.

Getting the Authentication Requirements

We need to support three basic scenarios in the Emporium's authentication system:

  1. Log in: George has just gotten his hands on Henrik Mårtensson's Pro Ruby, and absolutely wants to add it to his catalog. However, as he hasn't logged in already, when he tries to access the admin section of the site, he is redirected to a login page. George gives his credentials and is automatically redirected to the add book page, where he tried to go in the first place.
  2. Fail log in: While George is busy maintaining his catalog, another guy tries to access the admin pages, too. His name is Dirty Harry and his intentions are too evil to print here. Luckily for George, Harry doesn't know the admin username and password. Harry is redirected to the login page, just as George is. Here, he tries to log in with scott/tiger, so his attempts fail, and he is just shown the login form with an error message each time.
  3. Reset password: George has an amazing memory. It's just sometimes a bit short. Thus, occasionally, he forgets his password to the system. Then he just clicks a link to reset his password, and the system sends him the new one by e-mail. After he has received the new password, he can again log in to the system successfully.

Once we put together the authentication system, George will sleep a lot more peacefully: he won't need to worry about people wreaking havoc on the Emporium site.
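To make the three stories concrete before the plugin is introduced, here is an added example (not the book's code, and not the acts_as_authenticated plugin itself) that models them in plain Ruby without Rails: a salted-hash user, the filter that remembers where George was going, a login action that either redirects him back there or re-renders the form with an error, and a password reset that returns the new password for mailing. The `--salt--password--` hashing layout, the `/account/login` path and the `session` hash are assumptions made for the example.

```ruby
require 'digest/sha1'
require 'securerandom'

# Password storage: a per-user random salt and SHA1 over "--salt--password--".
# This layout is assumed for the example; it is not taken from the page.
class User
  attr_reader :login, :salt, :crypted_password

  def initialize(login, password)
    @login = login
    @salt  = SecureRandom.hex(20)
    @crypted_password = User.encrypt(password, @salt)
  end

  def self.encrypt(password, salt)
    Digest::SHA1.hexdigest("--#{salt}--#{password}--")
  end

  def authenticated?(password)
    crypted_password == User.encrypt(password, salt)
  end

  # Story 3: replace the password with a fresh random one and hand it back
  # so the caller can e-mail it; the old one stops working immediately.
  def reset_password!
    new_password = SecureRandom.hex(4)
    @salt = SecureRandom.hex(20)
    @crypted_password = User.encrypt(new_password, @salt)
    new_password
  end
end

# The before_filter guarding the admin section: let logged-in users through,
# otherwise remember the requested page and send the visitor to the login form.
def login_required(session, requested_path)
  return [:allow] if session[:user]
  session[:return_to] = requested_path
  [:redirect, '/account/login']
end

# Story 1 on success (redirect to the remembered page), story 2 on failure
# (re-render the form with an error and leave the session untouched).
def login(session, users, name, password)
  user = users[name]
  unless user && user.authenticated?(password)
    return [:render_login, 'Invalid login or password']
  end
  session[:user] = user.login
  [:redirect, session.delete(:return_to) || '/']
end
```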
