Posted in Ruby Projects at 05:00PM on 04/30/2009

We're starting to put some real effort into combining our separate systems under a central authentication system and I have a lot of random thoughts.

1. Rubycas server code is readable and very easy to understand. I had issues with gems and conflicts, though, and ended up spending a bunch of time upgrading to RubyEE, paths, reinstalling gems, and then upgrading passenger.  Once I had everything back to normal, I installed rubycas-server 0.7.1 with picnic 0.7.0.  No other configuration would work for me on either Leopard or Debian.

2. Unless I'm doing something stupid, it looks like there's a bug in either the way rubycas-server picks up the referring URL/Protocol or in the way rubycas-client is sending it.  I need to dig in a little more, but under Merb I kept getting a camping error complaining about the url.  The simple temporary fix while I look into things was to edit merb/filter.rb and edit this line in read_service_url:

service_url = request.protocol + '://' + request.host / controller.url(params.to_hash.symbolize_keys!)

3. Getting single-sign-out working looks tricky, but I'm going to spend a little time on it and see what happens.  It looks like there are several options that look pretty much reasonable.

4. It's not good to authenticate every request, especially if you think about things like handling uploads and ajax actions. I made a quick modification to filter.rb to add a 'force_cas_check' method that I use on specific actions that I definitely want checked.  For example... I'll use the regular cas_filter on 99% of my actions, but on the primary landing pages or on the first steps of certain processes, I'm going to use this force_cas_check method to make sure they haven't logged out somewhere.

5. OAuth looks like a good option to allow API requests across my apps, but I haven't tried anything with it yet.
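
The trade-off in points 3 and 4, as an added example that is not code from this post or from rubycas-client: a small model showing how long a local session outlives a central logout when only selected actions re-check with CAS. FakeCasServer, CasGate and the action names are hypothetical; only the force_cas_check idea comes from the post.

```ruby
require 'set'

# Constructed stand-in for the central CAS server's view of who is signed in.
# A real client learns this by redirecting the browser to CAS, not by a direct call.
class FakeCasServer
  def initialize; @signed_in = Set.new; end
  def login(user); @signed_in << user; end
  def logout(user); @signed_in.delete(user); end
  def signed_in?(user); @signed_in.include?(user); end
end

# Hypothetical per-application gate: most actions trust the local session,
# actions listed in forced_actions re-check with the central server.
class CasGate
  def initialize(cas, forced_actions)
    @cas = cas
    @forced = Set.new(forced_actions)
  end

  def check(session, action)
    user = session[:cas_user]
    return :redirect_to_cas if user.nil?
    return :allow unless @forced.include?(action)

    # force_cas_check path: the local session alone is not enough here.
    return :allow if @cas.signed_in?(user)

    session.delete(:cas_user) # drop the stale local session
    :redirect_to_cas
  end
end

# Constructed walk-through: sign in, sign out from another app, keep browsing.
def stale_session_demo
  cas = FakeCasServer.new
  gate = CasGate.new(cas, [:dashboard])
  session = {}
  results = [gate.check(session, :upload)]    # no local session yet
  cas.login('alice')
  session[:cas_user] = 'alice'
  results << gate.check(session, :dashboard)  # forced check, still signed in
  cas.logout('alice')                         # logout happens in another app
  results << gate.check(session, :upload)     # stale local session still accepted
  results << gate.check(session, :dashboard)  # forced check catches the logout
  results << gate.check(session, :upload)     # local session has been cleared
end
```

The third result is the window that single-sign-out is meant to close: until a forced action is hit, the unforced actions keep accepting the old session.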

Posted in Blog Posts at 11:29PM on 04/09/2009

Everyone remember a few months back when Facebook adjusted their TOS with "scary" wordage that got the whole community in an uproar, then apologized profusely and re-directed themselves? It was seen by many as a 'positive step in the right direction' and showed that they 'really care what their users think.'  I saw dozens of Facebook groups talking about how "angry" people were about the new TOS... people threatening to leave Facebook and never come back, or something.  Seriously, guys?

Now Digg has this awful framejacking toolbar thinger that clearly was designed to just boost their own stats, and it's causing a similar fuss.  Digg will undoubtedly backtrack and 'listen' to their users and remove it.  As if they wouldn't have seen this coming if they had done even the tiniest bit of research.  To suggest that they didn't know in advance what the reaction would be seems pretty naïve to me.

Companies from all industries have to be more agile, pay more attention to their customers, etc., but this isn't an example of that in action, in my opinion.  To me, being agile means being able to learn and adapt quickly to build what your customers actually want... not shifting your direction at the whims of whatever marketing dept. came up with these ideas, then shifting back when you 'realize' you've ticked people off.

People for whatever reason (probably because most people don't actually have real problems) want to feel like they have a 'cause' to go after.  It feels to me like it's becoming a trend to just do something completely off the wall so you give them the cause, then once it's big enough, backtrack and act apologetic.

Apparently, my cause du jour is to fight against idiotic causes.

Posted in Ruby Projects at 11:58AM on 02/04/2009

Our sites use several applications and legacy systems that don't automatically crop/resize graphics and whatnot.  Ideally, the apps would take whatever they are given, convert to a nice format, crop/resize accordingly, then put them in the right place.  Some of our apps do this already, but some of the older ones don't have this ability.

We also have a lot of random users using a lot of different projects, and it is hard to keep the limits for each project straight.  Over time, more and more people involved forget the limits, so they do whatever they think looks good, and by the time several months go by, there is no more standard.  

Using imagemagick, twitter, and hpricot, I wrote a short ruby script that grabs the pages that end up getting published & checks them for consistency.  If it finds a problem, it'll send me a quick msg on twitter & log the error so we can put real eyes on the problem and get it fixed.  I tossed this into a cron job that will run every morning, so I don't have to remember to run this script all the time.

It's quick and dirty, but it gets the job done.  I'm sure there are ways to clean it up and make it more efficient, but I'm not going to worry about that right now.