Forum: Ruby on Rails Authentication on delegated web service methods -or- How the

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Dave Myron (Guest)
on 2006-03-01 01:35
(Received via mailing list)
I need to restrict access to only certain parts of a web service I'm
building.

Instead of requiring a client to submit their user/pass with each
interaction I'd like to log them in once (currently using
acts_as_authenticated in the rest of the site) and not have to fuss with
it again during that session. Only problem is I can't use AAA on an
ActionWebService descendant since it relies on methods only available to
ActionController (such as session).

I could make the API controller itself restricted with AAA but then I
have no control over api_methods restrictions - it's either all or
nothing, AFAICT.

Anybody have any pointers to best practices for this scenario?

dave myron
principal, technical director

contentfree
206.855.5580 phone | 206.774.2767 fax
removed_email_address@domain.invalid
337 1st ave ne. suite 100, issaquah, wa 98027
Kent S. (Guest)
on 2006-03-01 02:04
(Received via mailing list)
You can do something like:

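class MyService < ActionWebService::Base
  # Keep a reference to the controller so service methods can reach its session.
  def initialize(controller)
    @controller = controller
  end

  def remote_method
    @controller.session[:key]
  end
end

class MyServiceController < ActionController::Base
  # web_service declarations are only dispatched in delegated mode.
  web_service_dispatching_mode :delegated
  # The block runs in the controller instance, so self is the controller.
  web_service(:remote) { MyService.new(self) }
end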


Note, in order to use sessions from the controller, your SOAP client
must maintain and send cookies along with all requests. Otherwise with
every request a new session will be created.

Personally I'd pass username/password with every request.

--
Kent
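
The per-request alternative suggested above, sketched as an added example that is not code from either poster. It is plain Ruby rather than ActionWebService, so it runs stand-alone; all class, method and user names are hypothetical, the user table is constructed sample data, and the PBKDF2 parameters are assumptions. Each method carries its own role requirement, which gives the per-method control the original question asks for.

```ruby
require 'openssl'

# All names are hypothetical; the user table is constructed sample data.
module Auth
  def self.digest(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 10_000,
                             length: 32, hash: 'sha256')
  end

  # Constant-time comparison: timing does not reveal how many bytes matched.
  def self.same?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
  def self.user(password, salt, roles)
    { salt: salt, digest: digest(password, salt), roles: roles }
  end
end

USERS = { 'dave'  => Auth.user('s3cret', 'constructed-salt-1', [:admin]),
          'guest' => Auth.user('guest', 'constructed-salt-2', []) }.freeze
# Stand-in record so an unknown login costs the same work as a known one.
DUMMY = { salt: 'dummy-salt', digest: "\0" * 32, roles: [] }.freeze

class AccessDenied < StandardError; end

class ItemService
  # Per-method restriction: role required, or nil for an open method.
  REQUIRED_ROLE = { list_items: nil, delete_item: :admin }.freeze
  def initialize(users); @users = users; end

  # Credentials arrive with every call, so no session or cookie is needed.
  def invoke(method, login, password, *args)
    raise AccessDenied, 'unknown method' unless REQUIRED_ROLE.key?(method)
    role = REQUIRED_ROLE[method]
    authorize!(login, password, role) if role
    send(method, *args)
  end

  private
  def authorize!(login, password, role)
    record = @users.fetch(login.to_s, DUMMY)
    ok = Auth.same?(Auth.digest(password.to_s, record[:salt]), record[:digest])
    raise AccessDenied, 'bad credentials' unless ok && !record.equal?(DUMMY)
    raise AccessDenied, 'forbidden' unless record[:roles].include?(role)
  end
  def list_items; %w[widget gadget]; end
  def delete_item(id); "deleted #{id}"; end
end
```

Because the password travels with every call, this pattern assumes the endpoint is only reachable over TLS.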
Dave Myron (Guest)
on 2006-03-01 08:20
(Received via mailing list)
I tried exactly what you had suggested but I think that your final
suggestion is what I'm going to be doing. Thanks,

Dave

PS. I did notice that wss4r was released recently. I might look into
that in the future too.


===================================

Personally I'd pass username/password with every request.

--
Kent