[Rails] Authentication on delegated web service methods -or- How the heck do I protect these things?
Kent Sibilev
ksruby at gmail.com
Wed Mar 1 00:04:12 GMT 2006
You can do something like:
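
  class MyService < ActionWebService::Base
    # Keep a reference to the controller so the service can reach its session
    def initialize(controller)
      @controller = controller
    end

    def remote_method
      @controller.session[:key]
    end
  end

  class MyServiceController < ActionController::Base
    # Hand the controller to the service object when it is created
    web_service(:remote) { MyService.new(self) }
  end
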
Note, in order to use sessions from the controller, your SOAP client
must maintain and send cookies along with all requests. Otherwise with
every request a new session will be created.
Personally I'd pass username/password with every request.
--
Kent
On 2/28/06, Dave Myron <dave.myron at contentfree.com> wrote:
> I need to restrict access to only certain parts of a web service I'm
> building.
>
> Instead of requiring a client to submit their user/pass with each
> interaction I'd like to log them in once (currently using
> acts_as_authenticated in the rest of the site) and not have to fuss with it
> again during that session. Only problem is I can't use AAA on an
> ActionWebService descendant since it relies on methods only available to
> ActionController (such as session).
>
> I could make the API controller itself restricted with AAA but then I have
> no control over api_methods restrictions - it's either all or nothing,
> AFAICT.
>
> Anybody have any pointers to best practices for this scenario?
>
> dave myron
> principal, technical director
>
> contentfree
> ⊡ 206.855.5580 phone | 206.774.2767 fax
> ⊠ dave.myron at contentfree.com
> ⊟ 337 1st ave ne. suite 100, issaquah, wa 98027
>
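
Added example, not part of the original thread and not ActionWebService code: a plain-Ruby sketch of per-method restriction on a service object that is handed the controller, as in the reply above. FakeController, GuardedService, requires_login, NotAuthorized and the :user session key are hypothetical names; a client that sends no cookie arrives with an empty session and is refused on the guarded method only.

```ruby
# Plain Ruby, no Rails required. All names here are hypothetical.
class NotAuthorized < StandardError; end

# Stand-in for the controller: exposes only a session hash.
class FakeController
  attr_reader :session

  def initialize(session = {})
    @session = session
  end
end

class GuardedService
  # Class macro: wrap the named methods so the session is checked first.
  def self.requires_login(*names)
    guard = Module.new do
      names.each do |name|
        define_method(name) do |*args, &blk|
          raise NotAuthorized, "#{name} requires login" unless logged_in?
          super(*args, &blk)
        end
      end
    end
    prepend guard
  end

  def initialize(controller)
    @controller = controller
  end

  # Open to any caller, logged in or not.
  def ping
    "pong"
  end

  # Restricted: only reachable when the session carries a user.
  def account_balance
    "balance for #{@controller.session[:user]}"
  end

  requires_login :account_balance

  private

  # A fresh session (client sent no cookie) has no :user entry.
  def logged_in?
    !@controller.session[:user].nil?
  end
end
```

Methods not listed in requires_login stay callable without a session, so the restriction is per method rather than all or nothing.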