Rails custom authentication with internal jar security



Our company uses a jar file containing Java code to verify whether a user may access internal websites. So far I have been able to integrate the jar file into a Devise strategy that allows the user to log in. However, when I run the code I get a successful login/redirect, followed by an unauthorized/redirect back to login.

Started POST "/login" for 0:0:0:0:0:0:0:1 at 2017-01-09 11:05:40 -0500
(7.0ms)  SELECT name FROM sqlite_master WHERE type = 'table' AND name =  "schema_migrations"
ActiveRecord::SchemaMigration Load (2.0ms)  SELECT "schema_migrations".* FROM "schema_migrations"
Processing by Devise::SessionsController#create as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"WCrhgdRgZsQng2rgHdhnCBB7me5lAfhvDxwYrMpMUxfUdMN0fN/PjBHJPIUxMYiNjoJlaLsCIlQdN4WmbPlclg==", "user"=>{"email"=>"<valid email>", "password"=>"[FILTERED]"}, "commit"=>"Log in"}
Custom Authenticate
Authenticated=true
{:username=>"<valid un>", :firstname=>"", :lastname=>"", :fullname=>"", :email=>""}
(0.0ms)  SELECT name FROM sqlite_master WHERE type = 'table' AND NOT name = 'sqlite_sequence'
Redirected to http://localhost:3000/ideas
Completed 302 Found in 825ms (ActiveRecord: 2.0ms)

Started GET "/ideas" for 0:0:0:0:0:0:0:1 at 2017-01-09 11:05:42 -0500
Processing by IdeasController#index as HTML
User Load (1.0ms)  SELECT  "users".* FROM "users" WHERE "users"."id" IS NULL ORDER BY "users"."id" ASC LIMIT 1
Completed 401 Unauthorized in 34ms (ActiveRecord: 1.0ms)

Started GET "/login" for 0:0:0:0:0:0:0:1 at 2017-01-09 11:05:42 -0500
Processing by Devise::SessionsController#new as HTML
Rendered /Users/un/.rbenv/versions/jruby-9.1.2.0/lib/ruby/gems/shared/gems/devise-4.2.0/app/views/devise/shared/_links.html.erb (6.0ms)
Rendered /Users/un/.rbenv/versions/jruby-9.1.2.0/lib/ruby/gems/shared/gems/devise-4.2.0/app/views/devise/sessions/new.html.erb within layouts/application (60.0ms)
Completed 200 OK in 1724ms (Views: 1684.7ms | ActiveRecord: 0.0ms)

I assume this is due to the ":database_authenticatable" line in my user.rb.

User.rb:

class User < ActiveRecord::Base
  # include ActiveModel::Model
  # Include default devise modules. Others available are:
  # :confirmable, :lockable, :timeoutable and :omniauthable
  devise :database_authenticatable # , :registerable,
  # :recoverable, :rememberable, :trackable, :validatable

  # Attributes are held in memory only; the user record is not persisted.
  attr_accessor :username
  attr_accessor :firstname
  attr_accessor :lastname
  attr_accessor :fullname
  attr_accessor :email
end

Custom authenticatable strategy

module Devise
  module Strategies
    class CustomAuthenticatable < Authenticatable
      def authenticate!
        puts "Custom Authenticate"
        if password.present? && has_valid_credentials?
          # puts "Username and password:" + password
          puts authentication_hash[:email]
          # `jar` is the wrapped Java authenticator object (not shown in the question)
          authorized = jar.authenticate(authentication_hash[:email], password)
          # Interpolate rather than concatenate: "str" + true raises TypeError
          puts "Authenticated=#{authorized}"
          if authorized == false
            return fail!
          else
            # `username` is not provided by Devise::Strategies::Authenticatable;
            # it is assumed to be defined elsewhere in this setup
            personInfo = jar.getPerson(username)
            puts personInfo
            personHash = { :username  => personInfo.userName,
                           :firstname => personInfo.firstName,
                           :lastname  => personInfo.lastName,
                           :fullname  => personInfo.longName,
                           :email     => personInfo.emailAddress }
            puts personHash
            return success! User.new(personHash)
          end
        else
          fail(:unable_to_authenticate)
        end
      end

      def has_valid_credentials?
        true
      end
    end
  end
end

However, when I change from :database_authenticatable to :custom_authenticatable, I no longer have the users/sign_in route.

Routes with :database_authenticatable

Prefix Verb   URI Pattern               Controller#Action
ideas GET    /ideas(.:format)          ideas#index
POST   /ideas(.:format)          ideas#create
new_idea GET    /ideas/new(.:format)      ideas#new
edit_idea GET    /ideas/:id/edit(.:format) ideas#edit
idea GET    /ideas/:id(.:format)      ideas#show
PATCH  /ideas/:id(.:format)      ideas#update
PUT    /ideas/:id(.:format)      ideas#update
DELETE /ideas/:id(.:format)      ideas#destroy
new_user_session GET    /login(.:format)          devise/sessions#new
user_session POST   /login(.:format)          devise/sessions#create
destroy_user_session DELETE /logout(.:format)         devise/sessions#destroy
root GET    /                         redirect(301, /ideas)

Routes with :custom_authenticatable

Prefix Verb   URI Pattern               Controller#Action
ideas GET    /ideas(.:format)          ideas#index
POST   /ideas(.:format)          ideas#create
new_idea GET    /ideas/new(.:format)      ideas#new
edit_idea GET    /ideas/:id/edit(.:format) ideas#edit
idea GET    /ideas/:id(.:format)      ideas#show
PATCH  /ideas/:id(.:format)      ideas#update
PUT    /ideas/:id(.:format)      ideas#update
DELETE /ideas/:id(.:format)      ideas#destroy
root GET    /                         redirect(301, /ideas)

I am a bit at a loss as to how to proceed. I have also found that OmniAuth might let me do the same thing, although I am not sure how to set up the callback phase. Is it worth my time continuing down the Devise strategy path to try to allow login, or should I stop what I am doing and use OmniAuth instead?

If it is worth my time continuing down the Devise route, what would the next step be?

This is my first time setting up Devise, since most of my past Rails experience has been modifying existing Rails applications. Thanks in advance.

References: (I would include links to all the references, but I lack the reputation points to post more links)

Devise authentication strategies

How to create custom authentication strategies with Devise and Warden https://www.ldstudios.co/blog/2016/06/15/how-to-create-custom-authentication-strategies-with-devise-and-warden.html

Writing a non-gemified strategy for OmniAuth http://www.polyglotprogramminginc.com/writing-a-non-gemified-strategy-for-omniauth/

EDIT: It turns out I was actually very close to the answer. I had not set up Devise correctly and was accessing Warden directly, which meant I was able to "log in" and then was immediately logged out of my application.

config/initializers/devise.rb (the wrong way)

config.warden do |manager|
  manager.strategies.add(:custom_authenticatable, Devise::Strategies::CustomAuthenticatable)
  manager.default_strategies(:scope => :user).unshift :custom_authenticatable
end

This caused the custom_authenticatable code to be called, but Devise still tried to use the local database for the user. When I made the following change to devise.rb (as described in the ldstudios blog), it started working as expected.

config/initializers/devise.rb (the right way)

Devise.add_module(:custom_authenticatable, {
  strategy: true,
  controller: :sessions,
  model: 'custom_auth',
  route: :session
})
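As an added example (not the asker's code), here is a fail-closed adapter that the strategy above could delegate to instead of calling the jar and checking `authorized == false` inline. That test treats anything other than a literal `false` (nil, a "true" string, an unexpected object) as a successful login; the adapter accepts only a literal `true`. FakeJar is a constructed stand-in for the Java object called `jar` in the question; only its method names come from the page, and it is assumed that getPerson is looked up by the same email used to log in.

```ruby
# FakeJar stands in for the Java authenticator wrapped as `jar` in the
# question; its method names (authenticate, getPerson, userName, ...) are
# taken from there, the data below is constructed for this example only.
Person = Struct.new(:userName, :firstName, :lastName, :longName, :emailAddress,
                    keyword_init: true)

class FakeJar
  USERS = { 'alice@example.internal' => 'correct horse battery' }.freeze

  def authenticate(email, password)
    return nil unless USERS.key?(email)   # a Java side may return null here
    USERS[email] == password
  end

  def getPerson(username)
    Person.new(userName: username, firstName: 'Alice', lastName: 'Liddell',
               longName: 'Alice Liddell', emailAddress: username)
  end
end

# Fail-closed adapter: returns the hash the strategy hands to User.new, or
# nil when the login must be rejected. Only a literal `true` from the jar
# counts as success, so nil, "true" or a raised exception all reject.
class ExternalAuthenticator
  def initialize(jar)
    @jar = jar
  end

  def authenticate(email, password)
    return nil if email.to_s.strip.empty? || password.to_s.empty?
    verdict = begin
      @jar.authenticate(email, password)
    rescue StandardError
      nil
    end
    return nil unless verdict == true

    person = @jar.getPerson(email)   # assumption: keyed by login email
    { username:  person.userName,
      firstname: person.firstName,
      lastname:  person.lastName,
      fullname:  person.longName,
      email:     person.emailAddress }
  end
end

# Inside the Devise strategy's authenticate! this becomes:
#   info = ExternalAuthenticator.new(jar).authenticate(authentication_hash[:email], password)
#   info ? success!(User.new(info)) : fail!(:invalid)
```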

The OmniAuth route is not bad either. You can subclass a provider in omniauth-identity and add your custom login logic.
