Question

I've seen the question asked a few times on the Google groups, but no one seems to follow up with an answer or solution. Is it possible to use a central database for User creation and authentication from multiple Rails applications using Authlogic?

It isn't an option for me to use OpenID right now; I'd love to, but my client does not support it yet.

Solution

It seems that there still hasn't been a solution posted to the original question.

I had a similar problem. I had multiple Rails applications and I needed to be able to track users between activity on all of them. So, I wanted to have a single application for managing users and tracking, and all the other applications would connect to this user database to authenticate.

I was already using Authlogic for some other projects, so I was hoping that it would be as simple as changing some configuration settings.

Here's my solution:

I created the main user tracking application. There was nothing special about the application. It allowed users to register, log in, log out, etc. Once users were logged in they could then navigate to the other apps.

In the environments.rb file of my user application and every application needing to authenticate with the base application, you need to set up the session key and domain to be the SAME.

# These values must be identical in every application that shares the login.
config.action_controller.session = {
  :session_key => '_my_app_session',
  :secret      => '_long_secret_session_key_here',
  :domain      => ".basedomain.com"
}

Each of my applications is under its own subdomain, such as app1.basedomain.com and app2.basedomain.com. I'm not sure if this would work otherwise without some more changes.

In each application, create the UserSession

class UserSession < Authlogic::Session::Base
end

and User models.

class User < ActiveRecord::Base
  # Read users from the central user database instead of this app's own database.
  establish_connection "users_database"
  acts_as_authentic
end

What is different in this User model is that it now has the establish connection method. The "users_database" is in the database.yml file and points to the database for the central user management application.

I didn't go as far as having log in and log out throughout my sub-applications, but if you did you would have to create the UserSessionsController as well.

In each application that uses authentication, I included some helper methods in the ApplicationController, for example,

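  # Look up the Authlogic session once per request and memoize it.
  def current_user_session
    return @current_user_session if defined?(@current_user_session)
    @current_user_session = UserSession.find
  end

  # The logged-in User record, or nil when there is no valid session.
  def current_user
    return @current_user if defined?(@current_user)
    @current_user = current_user_session && current_user_session.record
  end

  # Before filter: send anonymous visitors to the central login page.
  # store_location is not shown in this answer; it is assumed to be a helper
  # defined elsewhere in ApplicationController.
  def require_user
    unless current_user
      store_location
      redirect_to 'http://main_user_login_page'
      return false
    end
  end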

Then I can use 'require_user' in my controllers where I want authentication just like I can in my main user application.

Hope this helps.

Chase M Gray
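
Why the session key, secret and domain in the answer above have to match across the applications, as an added example that is not part of the original answer and is not Rails' or Authlogic's own code: a simplified model of an HMAC-signed session cookie. The `SignedSession` module, the JSON payload, the `user_id` key and the sample values are all assumptions made for illustration.

```ruby
require "openssl"
require "json"

# Simplified model of an HMAC-signed cookie session. Hypothetical helper names;
# not Rails' or Authlogic's own code. Cookie value: "<payload>--<hex digest>".
module SignedSession
  module_function

  def digest(secret, payload)
    OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  end

  # Comparison whose timing does not depend on where the strings differ.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Serialize the session hash and append an HMAC keyed with the app secret.
  def sign(session, secret)
    payload = [JSON.generate(session)].pack("m0")
    "#{payload}--#{digest(secret, payload)}"
  end

  # Return the session hash only if the HMAC verifies, otherwise nil.
  def verify(cookie, secret)
    payload, mac = cookie.to_s.split("--", 2)
    return nil if payload.nil? || mac.nil?
    return nil unless secure_equal?(mac, digest(secret, payload))
    JSON.parse(payload.unpack1("m0"))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # A cookie set with :domain => ".basedomain.com" goes to every host under it.
  def cookie_sent_to?(cookie_domain, host)
    base = cookie_domain.sub(/\A\./, "").downcase
    host.downcase == base || host.downcase.end_with?(".#{base}")
  end
end

# Constructed sample values, reusing the placeholders from the answer.
SHARED_SECRET = "_long_secret_session_key_here"
COOKIE = SignedSession.sign({ "user_id" => 42 }, SHARED_SECRET)
```

Every application that holds the shared secret can mint a session the others will accept, and every host under the cookie domain receives the cookie, so the secret needs the same protection in each application as in the central one.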

OTHER TIPS

From a design point of view, have you thought about creating a system dedicated to handle the user information and authentication. Then have your other applications connect to that system through a secure API, most likely internal. You can keep your databases separated, and keep the user database secure by only allowing access through the API.

The short answer is "Yes." Sure. Sharing a user model between applications isn't fundamentally different from sharing any other type of model between applications. Heck, you could potentially even pull your user data via REST with ActiveResource if you didn't mind it being a little bit slow.

But if Authlogic and solutions like it aren't a locked-in business constraint, there are other ways to handle SSO (single sign-on) besides just OpenID. Take a look at RubyCAS, Castronaut (maybe with Casablanca for a client), or for a totally different approach, Hancock.

I think the best way would be to implement an OpenID system.
It'd allow your users to authenticate not only on your applications but almost anywhere with their login and password.

Personally I don't like OpenID; people tend to think it's a little bit more secure than it is.

As for your question, I don't see any reason why you can't do that. You'll have to put some extra care into security (a user can only log in to the app/domain he is allowed to, for example).

The only problem I see is that you can't share only one table between apps. By default, you'll have to use the same database for all your apps, a no-no.

But there is a way you can point a model to a different database. I would recommend the [data_fabric][1] gem. Although it's meant for a completely different usage, you should be able to use it to point each of your apps to a specific, different database for your user model.

[1]: http://github.com/fiveruns/data_fabric

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow