Hi all,

How do folks generally secure their Rails web services? A password in a config file? A 'webservice' user in a 'Users' table with its own password? LDAP authentication for every method? Only authenticate on the "important" methods? Something else I'm not thinking of?

I'd like to be secure, yet practical, for the sake of current and future developers.

What approach do Rails folks generally take?

Thanks,

Dan

Daniel Berger wrote:
> Hi all,
>
> How do folks generally secure their Rails web services? A password in a config file? A 'webservice' user in a 'Users' table with its own password? LDAP authentication for every method? Only authenticate on the "important" methods? Something else I'm not thinking of?
>
> I'd like to be secure, yet practical, for the sake of current and future developers.
>
> What approach do Rails folks generally take?
>
> Thanks,
>
> Dan

I would be interested in this as well. In our case, only pre-authorized users can access our service, so they must transmit a pre-determined identifier with the request. If the id does not match a known id (in our database), the call is rejected (using before_invocation).

Keith

On 4/11/06, Daniel Berger <Daniel.Berger@qwest.com> wrote:
> Hi all,
>
> How do folks generally secure their Rails web services? A password in a config file? A 'webservice' user in a 'Users' table with its own password? LDAP authentication for every method? Only authenticate on the "important" methods? Something else I'm not thinking of?
>
> I'd like to be secure, yet practical, for the sake of current and future developers.
>
> What approach do Rails folks generally take?

You can utilize the https protocol and pass the user name and password with every method. Or you can try to use wss4r. It depends on whichever solution best fits your needs.

--
Kent
---
http://www.datanoise.com

I use a simple method -- I send up the username/password and use the same authentication as the web app, every time. It's not terribly secure, though, but my app is not highly secured anyway. It's just to prevent a user from accidentally adding or erasing another user's data.

I'm looking at WSS4R; it looks promising, and I just got it to work today.

Keith Lancaster wrote:
> Daniel Berger wrote:
>
>> Hi all,
>>
>> How do folks generally secure their Rails web services? A password in a config file? A 'webservice' user in a 'Users' table with its own password? LDAP authentication for every method? Only authenticate on the "important" methods? Something else I'm not thinking of?
>>
>> I'd like to be secure, yet practical, for the sake of current and future developers.
>>
>> What approach do Rails folks generally take?
>>
>> Thanks,
>>
>> Dan
>
> I would be interested in this as well. In our case, only pre-authorized users can access our service, so they must transmit a pre-determined identifier with the request. If the id does not match a known id (in our database), the call is rejected (using before_invocation).
>
> Keith

--
Sau Sheong
http://blog.saush.com
http://read.saush.com
http://jaccal.sourceforge.net
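
The check Keith describes (reject any call whose identifier is not a known id, before the method runs), sketched as an added example that is not code from anyone in this thread. `GuardedService`, its method names and the sample identifier are hypothetical, and it goes a little beyond the description by keeping only SHA-256 digests of the identifiers, comparing them in constant time, and allowlisting the callable methods.

```ruby
require 'digest'

# Hypothetical stand-in for a web service whose calls pass through a
# before-invocation check; this is not ActionWebService itself.
class GuardedService
  class Unauthorized < StandardError; end

  EXPOSED = %w[add_entry list_entries].freeze # methods callable remotely

  # known_ids are constructed sample values; only their digests are stored,
  # as a database column of hashed identifiers would be.
  def initialize(known_ids)
    @digests = known_ids.map { |id| Digest::SHA256.digest(id) }
    @entries = []
  end

  # Every call is checked, not only the "important" ones.
  def invoke(method_name, client_id, *args)
    raise Unauthorized, 'unknown client identifier' unless known?(client_id)
    raise ArgumentError, 'method not exposed' unless EXPOSED.include?(method_name.to_s)
    public_send(method_name, *args)
  end

  def add_entry(text)
    @entries << text
    @entries.size
  end

  def list_entries
    @entries.dup
  end

  private

  def known?(client_id)
    return false unless client_id.is_a?(String) && !client_id.empty?
    candidate = Digest::SHA256.digest(client_id)
    # Check every stored digest so timing does not depend on which one matched.
    @digests.map { |d| secure_equal?(d, candidate) }.any?
  end

  # Constant-time comparison of two equal-length byte strings.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```

An identifier sent with every request is a bearer secret, so it should travel over HTTPS, as suggested earlier in the thread for passwords.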