> Can this same authentication method (based on the salted hash login
> generator) be used to authenticate web service access? Or, should
> some
> other authentication method be used? i.e. each user must retrieve an
> authentication token manually before setting something up to use web
> services. It seems this is how many online services work, right? Why
> is this preferred? How often should the user reset this
> authentication token?
Yes, you can definitely apply many of the principles on which the
salted login generator is based. After the user is logged in, your
application can provide a session token that is valid for a certain
amount of time. Every time it is used, you can reauthorize it for an
additional renewal duration. You''ll want to tie the session key to
the account in some way; I would also recommend the machine, but HTTP
proxies make using the IP address of the remote host impractical.
> As I re-read this message, I realize this has less to do with Rails.
> Does anyone have any pointers to good WS resources?
WS-Security is the established standard for this sort of thing. It''s
fairly complex, but a lot of client APIs already support it out of
the box.
The OASIS standards are available at:
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
They''re broken into username and password authentication, SOAP
message security, and the use of standard X.509 authentication over
SOAP.
Unfortunately, I don''t think supporting any of this from inside
ActiveWebService is even possible, but maybe that''s an area in which
we can push for some progress (with enough encouragement from other
users).
-Ben