Sunday, May 17, 2009

Rails Authentication: restful_authentication vs. authlogic

I've been spending a bit of time comparing Rails authentication mechanisms. The two main frameworks out there are the "restful-authentication" and "authlogic" libraries. The two provide the same general purpose functionality; users, sessions, cookies and emails.

The Restful authentication library is the current popular choice. I believe this is due to it being one of the first real options, as well as coverage in books like "Advanced Rails Recipes". The library is incredibly complex and opaque though. It relies heavily on generators and hidden code to produce its functionality. The install instructions are an exercise in command line arguments rather than code.

Authlogic has proven to be far simpler to digest. No real magic involved. One of the stated goals of the library is to be able to treat sessions as you would an active record model. You create a session, save a session and destroy a session like you would any other model. There are no generators you write the code yourself, and there is very little of it. The basic set of columns you need for a "User" show you that the library is well thought out with regards to security and usefulness. There are a number of columns though and this leads to a heavy initial copy & paste though. I felt a bit dirty having to do that, but I'll get over it. The rest of the code I have to write is transparent and understandable, a big plus. Oh, and do not assume that because "restful" isn't in the title that it lacks there. It doesn't, follow the tutorial and you'll produce a very restful solution.

You can probably tell from the above two paragraphs that I'm favoring Authlogic at this point. I definitely like the transparency and simplicity of it. To learn more about Authlogic you can follow along with the README in the main repository as well as the fantastic tutorial app. There are also a few extra tutorials on Ben Johnson's blog around password resets and openId.

2 comments:

Sharad Jain said...

Not surprising that one of the first things of interest to you (Spring-Security guy) is rails-security.

What do you think about Relevance from thoughtworks.

Also, which of these offer ACL stuff. restful_auth doesn't, authlogic also doesn't - atleast not out of the box, I guess. There is acl9 and acl9 - Padlock Authorization that I came across but I haven't tried them yet.

Ray Krueger said...

I can't even find Relevance to look at it. Got a link?

I did momentarily look at Clearance from Thoughtbot. I decided to narrow my search to two projects, and Clearance was big on generator voodoo like restful_auth.

My needs really didn't include ACL type stuff yet. Eventually I'll look into that, I'll probably just use scopes to limit searches and such for now.