Hello,

I want to build an application where I have a client and a server. I need to execute commands with XML-RPC. I can get all this working by following the howtos in the wiki and on the main website.
But the problem is they are all unsecure. I can't seem to find any web service examples where they use authentication or SSL.

Just wondering if anyone knows how I go about doing this.
At the moment all I can think of is sending the username and password with every method.

These are the howtos I'm following:
http://wiki.rubyonrails.com/rails/pages/HowtoWriteAXmlRpcService
http://manuals.rubyonrails.com/read/book/10

Thanks for any help

--
Website: http://www.mooktakim.com
email: mma@mooktakim.com
"Md Mooktakim Ahmed" <mma@mooktakim.com> writes:

> Hello,
>
> I want to build an application where I have a client and a server. I need to execute
> commands with XML-RPC. I can get all this working by following the howtos in the wiki and on the main
> website.
> But the problem is they are all unsecure. I can't seem to find any web service examples
> where they use authentication or SSL.
>
> Just wondering if anyone knows how I go about doing this.
> At the moment all I can think of is sending the username and password with every method.

This book might help, I myself haven't tried it yet.
http://www.oreilly.com/catalog/websor/

In case you purchase it, do let us know how you found it.

HTH.

--
Surendra Singhi
http://ssinghi.kreeti.com, http://www.kreeti.com
Read my blog at: http://cuttingtheredtape.blogspot.com/

,----
| "O thou my friend! The prosperity of Crime is like unto the lightning,
| whose traitorous brilliancies embellish the atmosphere but for an
| instant, in order to hurl into death's very depths the luckless one
| they have dazzled." -- Marquis de Sade
`----
Surendra Singhi wrote:
> "Md Mooktakim Ahmed" <mma@mooktakim.com> writes:
>
> This book might help, I myself haven't tried it yet.
> http://www.oreilly.com/catalog/websor/

I own that PDF "Book". It doesn't mention authentication in it. I can recommend the book though, it's got some good stuff - you just won't find any kind of login type stuff.

--
Posted via http://www.ruby-forum.com/.
Md Mooktakim Ahmed
2006-Jul-14 19:55 UTC
[Rails] Re: Webservices Xml-Rpc and authentication
Hmm,
It's VERY strange.
I haven't done any XML-RPC or SOAP stuff before. But I would think authentication would be the first thing people do. The only way I can think of now is to have a login method. Then after that use a random token for the rest of the methods.
Maybe even change the token every time randomly. So here it is:

login(username, password) --> returns [true, random_token]

get_user_data(token) --> returns [[some_data], new_random_token]

and so on.
Can anyone else think of a better way?

On Fri, July 14, 2006 7:40 pm, Bob Yann wrote:
> Surendra Singhi wrote:
>
>> "Md Mooktakim Ahmed" <mma@mooktakim.com> writes:
>>
>> This book might help, I myself haven't tried it yet.
>> http://www.oreilly.com/catalog/websor/
>
> I own that PDF "Book". It doesn't mention authentication in it. I can
> recommend the book though, it's got some good stuff - you just won't find any kind of
> login type stuff.
>
> --
> Posted via http://www.ruby-forum.com/.

--
Website: http://www.mooktakim.com
email: mma@mooktakim.com
> Hmm,
> It's VERY strange.
> I haven't done any XML-RPC or SOAP stuff before. But I would think authentication would
> be the first thing people do. The only way I can think of now is to have a login method.
> Then after that use a random token for the rest of the methods.
> Maybe even change the token every time randomly. So here it is:
>
> login(username, password) --> returns [true, random_token]
>
> get_user_data(token) --> returns [[some_data], new_random_token]
>
> and so on.
> Can anyone else think of a better way?

I recently did an XML-RPC service with authentication and just used standard HTTP auth stuff. It's worked just fine so far.

That said, I wouldn't do it that way again. There's no good way to get at the login information (yes, you can get it, but not in the models). I think I'd go with something you have above and have them pass it in as the first argument to every method. That way you have it easily available so you can do things with it (throttle certain users, delays, etc.)

-philip
Md Mooktakim Ahmed
2006-Jul-14 20:58 UTC
[Rails] Re: Webservices Xml-Rpc and authentication
Where would be the best place to store the current token? Should it be the session?
I haven't worked this out yet :) Still thinking out loud.

On Fri, July 14, 2006 9:19 pm, Philip Hallstrom wrote:
>> Hmm, it's VERY strange.
>> I haven't done any XML-RPC or SOAP stuff before. But I would think authentication
>> would be the first thing people do. The only way I can think of now is to have a login
>> method. Then after that use a random token for the rest of the methods.
>> Maybe even change the token every time randomly. So here it is:
>>
>> login(username, password) --> returns [true, random_token]
>>
>> get_user_data(token) --> returns [[some_data], new_random_token]
>>
>> and so on. Can anyone else think of a better way?
>
> I recently did an XML-RPC service with authentication and just used
> standard HTTP auth stuff. It's worked just fine so far.
>
> That said, I wouldn't do it that way again. There's no good way to get at
> the login information (yes, you can get it, but not in the models). I think I'd go with
> something you have above and have them pass it in as the first argument to every method.
> That way you have it easily available so
> you can do things with it (throttle certain users, delays, etc.)
>
> -philip

--
Website: http://www.mooktakim.com
email: mma@mooktakim.com
On Fri, Jul 14, 2006 at 12:14:11AM +0100, Md Mooktakim Ahmed wrote:
> I want to build an application where I have a client and a server. I need to execute
> commands with XML-RPC. I can get all this working by following the howtos in the wiki and on the main
> website.
> But the problem is they are all unsecure. I can't seem to find any web service examples
> where they use authentication or SSL.

Adding SSL support to the webrick in rails is pretty simple, and adding verification of client-side certificates is trivial from there. Presenting the cert from the client end is pretty simple, too.

Client-side certs aren't that great if you're trying to let random people in, but most authenticated web services are there for the use of a limited set of people, so the certificate management burden isn't too bad.

If you're doing something where you've got people (eg) doing their own accounts, then you'll want a login method that returns a session "cookie", and then that gets passed as the first parameter to every other method, so the user can prove that they're logged in.

- Matt

--
How about "suspender snapping three martini lunching mahogany tabled conference room equipped with overhead projector dwelling golden parachute flying bill gates specifying buzzword spewing computerworld and datamation reading trend bandwagoneering meeting going morons".
		-- Tom O'Toole
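
[Added example, not part of the original thread and not code from any poster.] The client-certificate check Matt describes, shown with Ruby's OpenSSL bindings: the server context demands a peer certificate and accepts only ones signed by its own client CA. The PKI, the names "Example Client CA", "rpc.example.test" and "alice", and all helper method names are constructed for illustration.

```ruby
require "openssl"
require "securerandom"

# Constructed throwaway PKI; every name and key here is made up for the example.
def issue_cert(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = SecureRandom.random_number(1 << 62) + 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# Server side: demand a client certificate and trust only our own client CA.
# WEBrick exposes the same settings as :SSLVerifyClient and :SSLCertificateStore.
def server_context(server_cert, server_key, client_ca)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = server_cert
  ctx.key = server_key
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(client_ca) }
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  ctx
end

# The chain check the handshake applies to a presented client certificate.
def accepts_client?(ctx, client_cert)
  ctx.cert_store.verify(client_cert)
end

def client_cert_demo
  ca_key, srv_key, cli_key, rogue_key = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
  ca = issue_cert("Example Client CA", ca_key, ca: true)
  server = issue_cert("rpc.example.test", srv_key, issuer: ca, issuer_key: ca_key)
  client = issue_cert("alice", cli_key, issuer: ca, issuer_key: ca_key)
  rogue = issue_cert("alice", rogue_key) # self-signed, same name, not from our CA
  ctx = server_context(server, srv_key, ca)
  { trusted: accepts_client?(ctx, client), rogue: accepts_client?(ctx, rogue),
    peer_name: client.subject.to_s, verify_mode: ctx.verify_mode }
end
```

The subject of the verified certificate is what identifies the caller, so the name alone proves nothing: the self-signed "alice" is rejected because it does not chain to the CA.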
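
[Added example, not part of the original thread and not code from any poster.] One way to implement the scheme discussed above (Md's login/rotating-token methods, Philip's token as first argument, Matt's session "cookie"), including where the token is stored: a server-side table keyed by the token's hash. The class TokenSessions, its method names, the 900-second lifetime and the sample data are assumptions; the XML-RPC transport is left out and is assumed to run over SSL so tokens and passwords are not sent in the clear.

```ruby
require "securerandom"
require "openssl"
# Hypothetical names throughout; the returned user data is constructed.
class TokenSessions
  AuthError = Class.new(StandardError)
  TTL = 900 # seconds a token stays valid (assumed value)

  def initialize(clock = -> { Time.now.to_f })
    @clock = clock
    @users = {}    # username => [salt, PBKDF2 hash]; never the password itself
    @sessions = {} # SHA-256(token) => [username, expiry]; raw tokens are not stored
  end

  def add_user(name, password)
    salt = SecureRandom.random_bytes(16)
    @users[name] = [salt, kdf(password, salt)]
  end

  # login(username, password) --> [true, random_token] or [false, nil]
  def login(name, password)
    salt, stored = @users.fetch(name) { ["\0" * 16, "\0" * 32] } # same work for unknown users
    return [false, nil] unless same?(kdf(password, salt), stored) && @users.key?(name)
    [true, issue(name)]
  end

  # Token is the first argument of every call: resolve it to a user, then rotate it.
  def authenticate(token)
    user, expiry = @sessions.delete(OpenSSL::Digest.new("SHA256").hexdigest(token.to_s))
    raise AuthError, "invalid or expired token" if user.nil? || expiry < @clock.call
    [user, issue(user)]
  end

  # get_user_data(token) --> [[some_data], new_random_token]
  def get_user_data(token)
    user, new_token = authenticate(token)
    [["profile of #{user}"], new_token]
  end

  private
  def issue(user)
    SecureRandom.hex(32).tap { |t| @sessions[OpenSSL::Digest.new("SHA256").hexdigest(t)] = [user, @clock.call + TTL] }
  end
  def kdf(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 100_000, length: 32, hash: "sha256")
  end
  def same?(a, b) # constant-time comparison of equal-length strings
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
  end
end
```

Because authenticate returns the username, the caller's identity is available to whatever code handles the method, which is what per-user throttling needs; a token that has been used once or has expired is rejected.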