User login and authentication

Being a rails newbie, I started to design our first rails-based
webapp. This app should not only be used via browsers, but we also
want to provide a (RESTful) api. I love the 'convention over
configuration' paradigm, but am totally clueless on what to do when it
comes to user authentication. Is there a THE rails-way of doing this?

I found many excellent gems and plugins, such as AAA or thoughtbot's
clearance. However, I keep asking myself, why not just use HTTP
(digest) authentication? I may be missing something, but why do big
players such as Facebook implement their own (token- and secret-based)
scheme?

What are you guys using? What is your favorite gem/plugin for user
auth?

Here are my favorite two summary discussions along with a pointer to a
general security site. For my work the distinction between
authentication and authorization (user name and user role) is
important. I use a combination of plugins and gems to fill my needs
since I feel site security is one area of coding that clearly benefits
from a large user base.

http://wiki.rubyonrails.org/howtos/authentication-authorization
http://www.vaporbase.com/postings/Authorization_in_Rails
http://www.rorsecurity.info/

Hi Rick,

Thanks for the help, I read the sites with great interest! For my
project, we won't need authorization; basic (but strong, i.e., bcrypt
strong) authentication will do. Do you use either of these tools?

- Clearance
- restful-authentication
- Authlogic

I can't figure out which to use/try first by reading the resp. docs.

cheers,
phibo

+1 for Authlogic (and if you want roles too try acl9)

Hongli Lai wrote a nice article about bcrypt, which might be helpful to you.
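To make the "why not HTTP Digest, and why bcrypt" question from the original post concrete, here is an added example (not code from this thread, nor from Authlogic, Clearance or any of the gems mentioned). It contrasts what a server has to keep on file for HTTP Digest (RFC 2617's HA1 value) with what a bcrypt-style store keeps. Assumptions: the bcrypt gem is not in Ruby's standard library, so PBKDF2-HMAC-SHA256 from OpenSSL stands in for it with the same shape (per-user salt, deliberately slow derivation); the user name, realm, nonce and password values are constructed for the demonstration.

```ruby
require 'digest'
require 'openssl'
require 'securerandom'

# Constant-time string comparison, so verification time does not leak
# how many leading bytes of a guess were correct.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# ---- HTTP Digest (RFC 2617) ----
# The server must keep HA1 = MD5(user ":" realm ":" password) or the
# plaintext password itself, because the protocol's response value is
# derived from HA1, not from the password. That makes the stored HA1
# equivalent to the password for login purposes: the user table is the
# credential.
def digest_ha1(username, realm, password)
  Digest::MD5.hexdigest("#{username}:#{realm}:#{password}")
end

# Response for a request without qop, shown to make clear that only HA1
# enters the computation.
def digest_response(ha1, method, uri, nonce)
  ha2 = Digest::MD5.hexdigest("#{method}:#{uri}")
  Digest::MD5.hexdigest("#{ha1}:#{nonce}:#{ha2}")
end

def digest_verify(stored_ha1, method, uri, nonce, response)
  constant_time_equal?(digest_response(stored_ha1, method, uri, nonce), response)
end

# Risk check a defender can run against the scheme: can a verifier be
# satisfied using nothing but the value kept in the user table? For Digest
# the answer is yes.
def digest_store_is_password_equivalent?(stored_ha1)
  nonce = SecureRandom.hex(16)
  forged = digest_response(stored_ha1, 'GET', '/users/1', nonce)
  digest_verify(stored_ha1, 'GET', '/users/1', nonce, forged)
end

# ---- bcrypt-style store (PBKDF2 used as a stand-in; assumption) ----
# The stored string is salt + derived key. Verification needs the password
# as input; the stored value on its own is not a login credential, and the
# slow derivation limits offline guessing if the table leaks.
ITERATIONS = 100_000
KEY_LENGTH = 32

def hash_password(password, salt = SecureRandom.random_bytes(16))
  dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LENGTH, 'sha256')
  "#{salt.unpack1('H*')}$#{dk.unpack1('H*')}"
end

def verify_password(password, stored)
  salt_hex, dk_hex = stored.split('$', 2)
  salt = [salt_hex].pack('H*')
  candidate = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LENGTH, 'sha256')
  constant_time_equal?(candidate.unpack1('H*'), dk_hex)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample credentials.
  ha1 = digest_ha1('phibo', 'api.example', 'correct horse battery staple')
  puts "Digest store sufficient to log in without the password: #{digest_store_is_password_equivalent?(ha1)}"

  stored = hash_password('correct horse battery staple')
  puts "KDF store verifies the right password:  #{verify_password('correct horse battery staple', stored)}"
  puts "KDF store verifies a wrong password:    #{verify_password('wrong', stored)}"
end
```

The practical reading: HTTP Digest keeps the password off the wire, but it forces the server to store a fast MD5 derivative that is as good as the password to anyone who reads the table, and it ties the realm into that value so it cannot be rehashed without the user. A bcrypt (or, as here, PBKDF2) store only ever holds a salted, slow-to-compute hash, which is the property the thread is after with "bcrypt strong"; token-based API schemes of the Facebook kind are then layered on top of that store rather than replacing it.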