We've been building an ecommerce application for an online bookstore. Now we've reached one of the most important stages in the application's design: building in the security to prevent malicious hackers from wreaking havoc. This four-part series shows you how to protect your application. This article is excerpted from chapter eight of the book Practical Rails Projects, written by Eldon Alameda (Apress; ISBN: 1590597818).
Security for a Rails Ecommerce Application - Using the Authentication Plugin (Page 2 of 4)
We can create a simple authentication framework for our Rails application by using the acts_as_authenticated plugin (http://technoweenie.stikipad.com/plugins/show/Acts+as+Authenticated), written by Rails core team member Rick Olson.
Let's start by installing the plugin in our application. Enter the following command to tell the Rails plugin framework to look for plugins in the given repository:
Now that the plugin is installed, the next step is to generate the models and controllers for authentication. The plugin installs custom generators just for this, so all we need to do is to execute the following command:
$ script/generate authenticated user account
As you can see from the output, the generate command created the following:
A new model named User and a new controller named AccountController, as well as tests for both of them
The views for the login functionality and a new module containing the authentication code, AuthenticatedSystem, in the lib directory
A new migration (db/migrate/009_create_users.rb) to bring the new user model into the database, shown in Listing 8-1
Listing 8-1. ActiveRecord Migration for the Users Table
Great! We now have a working authentication framework deployed in our system.
If you take a look at the beginning of the new AccountController in app/controllers/account_controller.rb, you can see that AuthenticatedSystem is mixed into the controller:
class AccountController < ApplicationController
  # Be sure to include AuthenticationSystem in Application Controller instead
  include AuthenticatedSystem
  ...
However, we want the authentication system to be available to other controllers as well, so let's move the include line from AccountController to ApplicationController in app/controllers/application.rb:
class ApplicationController < ActionController::Base
  include AuthenticatedSystem

  def initialize_cart
    ...
As ApplicationController is the parent class of all our controllers, authentication functionality is now provided throughout our application. It's only a matter of putting it into action where necessary.
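To make that inheritance concrete, here is an added stand-alone Ruby example (not the plugin's generated code, which lives in lib/ after the generator runs). It uses a constructed stand-in for the AuthenticatedSystem mixin, keeping the plugin's method names login_required, logged_in? and current_user, plus a constructed USERS store, halted attribute and process method that imitate just enough of a before_filter chain to show a subclass of ApplicationController gating an action without an include of its own.

```ruby
# Constructed stand-in for the plugin's AuthenticatedSystem mixin; the real
# module is generated into lib/ by `script/generate authenticated user account`.
module AuthenticatedSystem
  def logged_in?
    !current_user.nil?
  end

  # Resolve the user from the session once; nil when nobody is logged in.
  def current_user
    @current_user ||= session[:user_id] && USERS[session[:user_id]]
  end

  # before_filter target: returning false halts the chain when nobody is
  # logged in (the real implementation redirects to the login page instead).
  def login_required
    logged_in? || (@halted = :access_denied) && false
  end
end

# Constructed user store standing in for the users table of Listing 8-1.
USERS = { 1 => 'alice' }.freeze

# Minimal controller base with a before_filter chain, mirroring only the part
# of ActionController that matters here (constructed, not Rails).
class ApplicationController
  include AuthenticatedSystem  # mixed in once, inherited by every subclass
  attr_reader :session, :halted

  def self.before_filter(name); (@filters ||= []) << name; end
  def self.filters; @filters || []; end

  def initialize(session = {})
    @session = session
  end

  # Run the before filters; a filter returning false stops the action.
  def process(action)
    self.class.filters.each { |f| return halted unless send(f) }
    send(action)
  end
end

# Needs no include of its own: the mixin comes from ApplicationController.
class AccountController < ApplicationController
  before_filter :login_required

  def show
    "profile of #{current_user}"
  end
end
```

A request with an empty session is stopped with :access_denied before show runs; a session carrying a known user_id reaches the action.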
Since we want to make the tests provided by the plugin work as well, we also move the following line from the AccountControllerTest class in test/functional/account_controller_test.rb to the beginning of the Test::Unit::TestCase class in test/test_helper.rb:
With our authentication framework in place, we're ready to implement our authentication user stories.
Implementing the User Stories
As usual, we will take the TDD approach while implementing the user authentication system. For this sprint, we will use integration tests, as we have done in previous chapters.