User login and authentication

Being a rails newbie, I started to design our first rails-based webapp. This app should not only be used via browsers, but we also want to provide a (RESTful) api. I love the 'convention over configuration' paradigm, but am totally clueless on what to do when it comes to user authentication. Is there a THE rails-way of doing this?

I found many excellent gems and plugins, such as AAA or thoughtbot's clearance. However, I keep asking myself, why not just use HTTP (digest) authentication? I may be missing something, but why do big players such as Facebook implement their own (token- and secret-based) scheme?

What are you guys using? What is your favorite gem/plugin for user auth?

Here are my favorite two summary discussions along with a pointer to a general security site. For my work the distinction between authentication and authorization (user name and user role) is important. I use a combination of plugins and gems to fill my needs since I feel site security is one area of coding that clearly benefits from a large user base.

hi rick,

thanks for the help, read the sites with great interest! for my project, we won't need authorization, basic (but strong, i.e., bcrypt strong) authentication will do. do you use either of these tools?

- Clearance - restful-authentication - Authlogic

I can't figure out which to use/try first by reading the resp. docs.

cheers, phibo

+1 for Authlogic (and if you want roles too try acl9)

Hongli Lai wrote a nice article about bcrypt, which might be helpful to you.