Dave Myron
2006-Feb-28 23:34 UTC
[Rails] Authentication on delegated web service methods -or- How the heck do I protect these things?
I need to restrict access to only certain parts of a web service I'm building.

Instead of requiring a client to submit their user/pass with each interaction I'd like to log them in once (currently using acts_as_authenticated in the rest of the site) and not have to fuss with it again during that session. Only problem is I can't use AAA on an ActionWebService descendant since it relies on methods only available to ActionController (such as session).

I could make the API controller itself restricted with AAA but then I have no control over api_methods restrictions - it's either all or nothing, AFAICT.

Anybody have any pointers to best practices for this scenario?

dave myron
principal, technical director
contentfree
206.855.5580 phone | 206.774.2767 fax
dave.myron@contentfree.com
337 1st ave ne. suite 100, issaquah, wa 98027
Kent Sibilev
2006-Mar-01 00:04 UTC
[Rails] Authentication on delegated web service methods -or- How the heck do I protect these things?
You can do something like:
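    # Delegated service object; it keeps a reference to the controller
    # so that remote methods can reach the controller's session.
    class MyService < ActionWebService::Base
      def initialize(controller)
        @controller = controller
      end

      def remote_method
        @controller.session[:key]
      end
    end

    class MyServiceController < ActionController::Base
      # The block hands the controller (self) to the service object.
      web_service(:remote) { MyService.new(self) }
    end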
Note, in order to use sessions from the controller, your SOAP client
must maintain and send cookies along with all requests. Otherwise with
every request a new session will be created.
Personally I'd pass username/password with every request.
--
Kent
On 2/28/06, Dave Myron <dave.myron@contentfree.com> wrote:
> I need to restrict access to only certain parts of a web service I'm
> building.
>
> Instead of requiring a client to submit their user/pass with each
> interaction I'd like to log them in once (currently using
> acts_as_authenticated in the rest of the site) and not have to fuss with it
> again during that session. Only problem is I can't use AAA on an
> ActionWebService descendant since it relies on methods only available to
> ActionController (such as session).
>
> I could make the API controller itself restricted with AAA but then I have
> no control over api_methods restrictions - it's either all or nothing,
> AFAICT.
>
> Anybody have any pointers to best practices for this scenario?
>
> dave myron
> principal, technical director
>
> contentfree
> 206.855.5580 phone | 206.774.2767 fax
> dave.myron@contentfree.com
> 337 1st ave ne. suite 100, issaquah, wa 98027
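The session-based approach from the reply above, as an added example that is not part of the original thread and is not ActionWebService code: plain-Ruby stand-ins show a per-method login check on a delegated service and why a client that drops the session cookie is rejected. All class names, the method lists and the credentials are hypothetical and constructed for the demonstration.

```ruby
require 'securerandom'

class NotAuthorized < StandardError; end

# Stand-in for the server-side session store, keyed by the session cookie.
class SessionStore
  def initialize; @sessions = {}; end

  # A missing or unknown cookie yields a brand-new, empty session.
  def fetch(cookie)
    id = @sessions.key?(cookie) ? cookie : SecureRandom.hex(16)
    [id, (@sessions[id] ||= {})]
  end
end

# Delegated service object: it is handed the session by the controller side.
class AccountService
  API       = %i[ping login balance].freeze # methods exposed remotely
  PROTECTED = %i[balance].freeze            # subset that needs a logged-in session
  USERS     = { 'dave' => 's3cret' }.freeze # constructed demo credentials only

  def initialize(session); @session = session; end
  def ping; 'pong'; end
  def balance; 42; end # constructed value

  def login(user, password)
    ok = USERS.key?(user) && USERS[user] == password
    @session[:user] = user if ok
    ok
  end
end

# Stand-in for the controller: resolves the session, then applies the per-method check.
class ApiEndpoint
  def initialize(store); @store = store; end

  # Returns [result, session cookie the client must send on its next call].
  def call(cookie, method, *args)
    raise NoMethodError, "not an API method: #{method}" unless AccountService::API.include?(method)
    id, session = @store.fetch(cookie)
    raise NotAuthorized, method.to_s if AccountService::PROTECTED.include?(method) && !session[:user]
    [AccountService.new(session).public_send(method, *args), id]
  end
end
```

A real application would verify a password hash rather than compare stored plaintext, and would issue a fresh session id on successful login.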
Dave Myron
2006-Mar-01 06:20 UTC
[Rails] Authentication on delegated web service methods -or- How the heck do I protect these things?
I tried exactly what you had suggested but I think that your final suggestion is what I'm going to be doing.

Thanks,
Dave

PS. I did notice that wss4r was released recently. I might look into that in the future too.

==================================
Personally I'd pass username/password with every request.
--
Kent