Once the user has authenticated with WebAuth using an SSO username and password, the PHP script is executed. As you can see, the PHP script is passed a parameter which is the URL of the login page of a Rails application. The only thing the PHP script does is redirect to that URL, passing a parameter that is a base64-encoded string: https://www.abcd.ox.ac.uk:8113/apps/contacts/login?id=base64string The id parameter is the base64 encoding of an encryption of the username and the current date and time.

The login method of the Rails application looks at the id parameter, decodes it and then decrypts it, so it now has the username and the date and time. In order to avoid replay attacks, the Rails application checks that the date and time is recent. It also checks that the username is in a list of valid usernames. If both these tests are passed, it sets a session variable (session[:user_id]) to “OK”; otherwise, it is set to “BAD”. Having authenticated, subsequent methods of the Rails application are executed in the usual way, i.e., by using the URL of the method, e.g.: https://www.abcd.ox.ac.uk:8113/apps/contacts/add
We need to alter the code of the controller of the Rails application so that it contains a call to before_filter.

This call ensures that a method called authenticate is called before any method of the Rails application is executed. The authenticate method can be similar to the authenticate method introduced in the document Rails HOW-TO: Apache and Basic Authentication, which is available at http://www.oucs.ox.ac.uk/rails/howtos
There is one change: the method has been altered to return true if the session variable session[:user_id] has the value “OK”. Otherwise, it gives a 401 error (meaning Not authorised).
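The login and authenticate logic described above, as an added example in plain Ruby (not the HOW-TO's own code, and with no Rails dependency so it runs stand-alone). It assumes a shared AES-256-GCM key, a token layout of username|timestamp, a 60-second replay window and a constructed allow-list, none of which the document specifies:

```ruby
require "openssl"
require "base64"
require "time"

# Constructed values: the HOW-TO does not specify the cipher, key, window or user list.
SHARED_KEY = OpenSSL::Digest::SHA256.digest("example-shared-secret")  # 32 bytes
VALID_USERS = %w[abcd1234 efgh5678].freeze   # constructed allow-list of SSO usernames
MAX_TOKEN_AGE = 60                            # seconds; assumed replay window

# What the PHP side would do: seal "username|timestamp" with AES-256-GCM (assumed)
# and base64 encode iv + auth tag + ciphertext to form the id parameter.
def make_token(username, now = Time.now.utc)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = SHARED_KEY
  iv = cipher.random_iv                      # 12 random bytes, never reused
  cipher.auth_data = ""
  ct = cipher.update("#{username}|#{now.iso8601}") + cipher.final
  Base64.strict_encode64(iv + cipher.auth_tag + ct)
end

# Decode and decrypt the id parameter; nil for anything forged, tampered or malformed.
def open_token(id)
  raw = Base64.strict_decode64(id)
  return nil if raw.bytesize < 28           # shorter than iv (12) + tag (16)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = SHARED_KEY
  cipher.iv = raw[0, 12]
  cipher.auth_tag = raw[12, 16]              # GCM rejects any modified byte
  cipher.auth_data = ""
  (cipher.update(raw[28..-1]) + cipher.final).split("|", 2)
rescue ArgumentError, TypeError, OpenSSL::Cipher::CipherError
  nil
end

# The Rails login action's decision, i.e. the value stored in session[:user_id].
def login_status(id, now = Time.now.utc)
  username, stamp = open_token(id)
  return "BAD" unless username && stamp
  issued = Time.iso8601(stamp) rescue nil
  return "BAD" unless issued
  age = now - issued
  return "BAD" unless age.between?(0, MAX_TOKEN_AGE)   # stale or future-dated: replay
  return "BAD" unless VALID_USERS.include?(username)
  "OK"
end

# The before_filter target: true when the session was marked OK, otherwise a 401.
def authenticate(session)
  session[:user_id] == "OK" ? true : [401, "Not authorised"]
end
```

Because the token is authenticated as well as encrypted, a modified id parameter fails decryption outright rather than yielding a garbage username that the allow-list then has to catch.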

Rails HOW-TO: Authenticating with WebAuth (PDF)