Forum: Ruby on Rails Authentication on delegated web service methods -or- How the

Dave Myron (Guest)
on 2006-03-01 01:35
(Received via mailing list)
I need to restrict access to only certain parts of a web service I'm

Instead of requiring a client to submit their user/pass with each
interaction I'd like to log them in once (currently using
acts_as_authenticated in the rest of the site) and not have to fuss with
it again during that session. Only problem is I can't use AAA on an
ActionWebService descendant since it relies on methods only available to
ActionController (such as session).

I could make the API controller itself restricted with AAA but then I
have no control over api_methods restrictions - it's either all or
nothing, AFAICT.

Anybody have any pointers to best practices for this scenario?

dave myron
principal, technical director

206.855.5580 phone | 206.774.2767 fax
removed_email_address@domain.invalid
337 1st ave ne. suite 100, issaquah, wa 98027
Kent S. (Guest)
on 2006-03-01 02:04
(Received via mailing list)
You can do something like:

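class MyService < ActionWebService::Base
   # Keep a reference to the controller so the service can reach its session.
   def initialize(controller)
      @controller = controller
   end

   def remote_method
      # @controller.session is available here for the login check.
   end
end

class MyServiceController < ActionController::Base
    # Hand the controller to the delegated service object.
    web_service(:remote) { MyService.new(self) }
end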

Note, in order to use sessions from the controller, your SOAP client
must maintain and send cookies along with all requests. Otherwise with
every request a new session will be created.

Personally, I'd pass username/password with every request.
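
An added example, not part of the original posts and not Rails code: a plain-Ruby simulation of the approach above, where the delegated service holds the controller and checks its session per method. FakeController, SESSIONS, call_api, the method names and the credentials are constructed stand-ins for ActionController and ActionWebService.

```ruby
require 'securerandom'

SESSIONS = {} # constructed stand-in for the server-side session store
AccessDenied = Class.new(StandardError)

# Hypothetical stand-in for the controller: resolves the session for one request.
class FakeController
  attr_reader :session, :session_id

  def initialize(cookie)
    # A missing or unknown cookie gets a brand-new id and an empty session.
    @session_id = SESSIONS.key?(cookie) ? cookie : SecureRandom.hex(8)
    @session = (SESSIONS[@session_id] ||= {})
  end
end

# Delegated service holding a reference to the controller, as in the post above.
class MyService
  API = { login: false, public_info: false, secret_report: true }.freeze # name => login required?
  USERS = { 'dave' => 's3cret' }.freeze # constructed; real code verifies a password hash

  def initialize(controller)
    @controller = controller
  end

  def login(user, pass)
    return false unless USERS[user] == pass
    @controller.session[:user] = user
    true
  end

  def public_info; 'open to anyone'; end
  def secret_report; "report for #{@controller.session[:user]}"; end

  # Single entry point: allowlisted names only, restricted ones need a login.
  def dispatch(name, *args)
    raise AccessDenied, "unknown method #{name}" unless API.key?(name)
    raise AccessDenied, "#{name} requires login" if API[name] && !@controller.session[:user]
    public_send(name, *args)
  end
end

# One request builds a fresh controller and service; returns [result, cookie].
def call_api(cookie, name, *args)
  controller = FakeController.new(cookie)
  [MyService.new(controller).dispatch(name, *args), controller.session_id]
rescue AccessDenied => e
  [e.message, controller.session_id]
end
```

A client that sends back the cookie returned by login reaches secret_report; a client that sends no cookie gets a new empty session on each call and is refused.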

Dave Myron (Guest)
on 2006-03-01 08:20
(Received via mailing list)
I tried exactly what you had suggested but I think that your final
suggestion is what I'm going to be doing. Thanks,


PS. I did notice that wss4r was released recently. I might look into
that in the future too.

