
Security for a Rails Ecommerce Application


We've been building an ecommerce application for an online bookstore. Now we've reached one of the most important stages in the application's design: building in the security to prevent malicious hackers from wreaking havoc. This four-part series shows you how to protect your application. This article is excerpted from chapter eight of the book Practical Rails Projects, written by Eldon Alameda (Apress; ISBN: 1590597818).

Author Info:
By: Apress Publishing
June 14, 2010
TABLE OF CONTENTS:
  1. · Security for a Rails Ecommerce Application
  2. · Using the Authentication Plugin
  3. · Implementing the Log In User Story
  4. · Adding the Filter


Security for a Rails Ecommerce Application - Using the Authentication Plugin
(Page 2 of 4)

We can create a simple authentication framework for our Rails application by using the acts_as_authenticated plugin (http://technoweenie.stikipad.com/plugins/show/Acts+as+Authenticated), written by Rails core team member Rick Olson.

Let's start by installing the plugin in our application. Enter the following command to tell the Rails plugin framework to look for plugins in the given repository:

$ script/plugin source http://svn.techno-weenie.net/projects/plugins

Added 1 repositories.

Next, run the actual install command:

$ script/plugin install acts_as_authenticated

+ ./acts_as_authenticated/CHANGELOG
+ ./acts_as_authenticated/README
+ ./acts_as_authenticated/generators/authenticated/USAGE
... many lines omitted ...
Consult the Acts As Authenticated wiki for more: http://technoweenie.stikipad.com/plugins/show/Acts+as+Authenticated

Now that the plugin is installed, the next step is to generate the models and controllers for authentication. The plugin installs custom generators just for this, so all we need to do is execute the following command (the first argument names the model, the second the controller):

$ script/generate authenticated user account

      exists  app/models/
      exists  app/controllers/
      exists  app/helpers/
      create  app/views/account
      exists  test/functional/
      exists  test/unit/
      create  app/models/user.rb
      create  app/controllers/account_controller.rb
      create  lib/authenticated_system.rb
      create  lib/authenticated_test_helper.rb
      create  test/functional/account_controller_test.rb
      create  app/helpers/account_helper.rb
      create  test/unit/user_test.rb
      create  test/fixtures/users.yml
      create  app/views/account/index.rhtml
      create  app/views/account/login.rhtml
      create  app/views/account/signup.rhtml
      exists  db/migrate
      create  db/migrate/009_create_users.rb

As you can see from the output, the generate command created the following:

  1. A new model named User and a new controller named AccountController, as well as tests for both of them

  2. The views for the login functionality and a new module containing the authentication code, AuthenticatedSystem, in the lib directory

  3. A new migration (db/migrate/009_create_users.rb) to bring the new user model into the database, shown in Listing 8-1

Listing 8-1. ActiveRecord Migration for the Users Table

class CreateUsers < ActiveRecord::Migration
  def self.up
    create_table "users", :force => true do |t|
      t.column :login,                     :string
      t.column :email,                     :string
      t.column :crypted_password,          :string, :limit => 40
      t.column :salt,                      :string, :limit => 40
      t.column :created_at,                :datetime
      t.column :updated_at,                :datetime
      t.column :remember_token,            :string
      t.column :remember_token_expires_at, :datetime
    end
  end

  def self.down
    drop_table "users"
  end
end

Notice that the password is never stored in clear text. The crypted_password column holds a one-way digest of the password combined with the per-user value in the salt column (the 40-character limit on both columns matches the length of a hex-encoded SHA-1 digest), so a copy of the users table does not hand an attacker the passwords themselves, and two users with the same password end up with different digests.
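To make the two columns concrete, here is an added, stand-alone illustration of how a salted-digest password store of this kind is written and checked. It is not the plugin's code: the exact concatenation layout, the helper names and the use of SecureRandom for the salt are assumptions, and the sample row is constructed here rather than taken from the book's application.

```ruby
require 'digest/sha1'
require 'securerandom'

# Illustration of a salted one-way password store, shaped like the
# crypted_password and salt columns in Listing 8-1. Not the plugin's code:
# the "--salt--password--" layout and the method names are assumptions.
module PasswordStore
  # A per-user random salt from the OS CSPRNG; 20 random bytes hex-encoded
  # gives 40 characters, which fits the :limit => 40 salt column.
  def self.new_salt
    SecureRandom.hex(20)
  end

  # One-way digest of salt and password. SHA-1 hex is 40 characters, the
  # same length as the crypted_password column.
  def self.encrypt(password, salt)
    Digest::SHA1.hexdigest("--#{salt}--#{password}--")
  end

  # Compare two digests without stopping at the first differing byte, so
  # the time taken does not reveal how much of a guess was correct.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) } == 0
  end

  # The columns a signup writes for a new user (a Hash stands in for the
  # ActiveRecord row).
  def self.build_record(login, password)
    salt = new_salt
    { :login => login, :salt => salt, :crypted_password => encrypt(password, salt) }
  end

  # The check a login action performs: re-digest the submitted password
  # with the stored salt and compare against the stored digest.
  def self.authenticate(record, password)
    secure_equal?(record[:crypted_password], encrypt(password, record[:salt]))
  end
end

# Constructed sample row, as it would look after signup.
SAMPLE = PasswordStore.build_record('george', 'correct horse')
```

Two caveats a practitioner would raise. First, a salt only defends against precomputed tables; SHA-1 is a fast hash, so an attacker with a copy of the table can still try millions of guesses per second per row. A deliberately slow password function such as bcrypt is the better choice where it is available. Second, always compare digests with a constant-time routine as above; a plain == on strings returns as soon as the first byte differs.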

Now let's run the migration to get our database up-to-date. (Don't forget to run rake db:test:clone_structure afterwards to clone the new additions to the test database, too.)

$ rake migrate

(in /home/george/projects/emporium)
== CreateUsers: migrating =====================================================
-- create_table("users", {:force=>true})
   -> 0.2946s
== CreateUsers: migrated (0.2953s) ============================================

Great! We now have a working authentication framework deployed in our system.

If you take a look at the beginning of the new AccountController in app/controllers/account_controller.rb, you can see that AuthenticatedSystem is mixed into the controller:

class AccountController < ApplicationController
  # Be sure to include AuthenticatedSystem in Application Controller instead
  include AuthenticatedSystem
  ...

However, we want the authentication system to be available to other controllers as well, so let's move the include line from AccountController to ApplicationController in app/controllers/application.rb:

class ApplicationController < ActionController::Base
  include AuthenticatedSystem

  private

  def initialize_cart
  ...

As ApplicationController is the parent class of all our controllers, the authentication helpers are now available throughout our application. It's only a matter of putting them into action where necessary.

Since we want the tests provided by the plugin to work as well, we also move the following line from the AccountControllerTest class in test/functional/account_controller_test.rb to the beginning of the Test::Unit::TestCase class in test/test_helper.rb:

  include AuthenticatedTestHelper

With our authentication framework in place, we're ready to implement our authentication user stories.

Implementing the User Stories

As usual, we will take the TDD approach while implementing the user authentication system. For this sprint, we will use integration tests, as we have done in previous chapters.

