Forum: Ruby on Rails Web services and security

Daniel B. (Guest)
on 2006-04-11 19:14
(Received via mailing list)
Hi all,

How do folks generally secure their Rails web services?  A password in a
config file?  A 'webservice' user in a 'Users' table with its own password?
LDAP authentication for every method?  Only authenticate on the "important"
methods?  Something else I'm not thinking of?

I'd like to be secure, yet practical, for the sake of current and future
developers.

What approach do Rails folks generally take?

Thanks,

Dan
Keith L. (Guest)
on 2006-04-11 19:24
Daniel B. wrote:
> Hi all,
>
> How do folks generally secure their Rails web services?  A password in a
> config file?  A 'webservice' user in a 'Users' table with its own password?
> LDAP authentication for every method?  Only authenticate on the "important"
> methods?  Something else I'm not thinking of?
>
> I'd like to be secure, yet practical, for the sake of current and future
> developers.
>
> What approach do Rails folks generally take?
>
> Thanks,
>
> Dan

I would be interested in this as well. In our case, only pre-authorized
users can access our service, so they must transmit a pre-determined
identifier with the request. If the id does not match a known id (in our
database) the call is rejected (using before_invocation).

Keith
Kent S. (Guest)
on 2006-04-11 19:59
(Received via mailing list)
On 4/11/06, Daniel B. <removed_email_address@domain.invalid> wrote:
> What approach do Rails folks generally take?
You can use the https protocol and pass the user name and password with
every method. Or you can try to use wss4r. It depends on whichever
solution best fits your needs.

--
Kent
---
http://www.datanoise.com
Chang Sau S. (Guest)
on 2006-04-11 20:02
(Received via mailing list)
I use a simple method -- I send up the username/password and use the
same authentication as the web app, every time. It's not terribly
secure, though, but my app is not highly secured anyway. It's just to
prevent a user from accidentally adding or erasing another user's data.

I'm looking at WSS4R; it looks promising, and I've just gotten it to work today.

Keith L. wrote:
>>   Something else I'm not thinking of?
>
> I would be interested in this as well. In our case, only pre-authorized
> users can access our service, so they must transmit a pre-determined
> identifier with the request. If the id does not match a known id (in our
> database) the call is rejected (using before_invocation).
>
> Keith
>
>


--
Sau S.

http://blog.saush.com
http://read.saush.com
http://jaccal.sourceforge.net
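The two approaches above, Keith's pre-determined client identifier checked against a known-id table and the per-call username/password that Kent and Sau S. describe, combined in one added example. This is not code from the thread or from Rails: it is a plain-Ruby stand-in for an ActionWebService controller whose before_invocation filter rejects a call, and the client table, secrets and method names are constructed.

```ruby
require 'digest'

# Added example, not from the thread: a plain-Ruby stand-in for a web-service
# controller with a before_invocation-style filter. Rails is not loaded here.
class ServiceGate
  # Constructed client table: id => SHA-256 of the client's secret. A real app
  # would keep these rows in a 'Users'/'clients' table, never the raw secret.
  KNOWN_CLIENTS = {
    "inventory-bot" => Digest::SHA256.hexdigest("s3cret-inventory"),
  }.freeze

  # Methods callable without credentials (the "only authenticate on the
  # important methods" option from the thread).
  PUBLIC_METHODS = %w[ping].freeze

  def initialize(client_id:, secret:)
    @client_id = client_id
    @secret = secret
  end

  # Constant-time comparison so a wrong secret is rejected in the same time
  # regardless of how many leading bytes happen to match.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Plays the role of the before_invocation filter: return false to reject.
  def authenticate(method_name, _args)
    return true if PUBLIC_METHODS.include?(method_name)
    expected = KNOWN_CLIENTS[@client_id]
    return false if expected.nil? || @secret.nil?   # unknown id: reject
    self.class.secure_equal?(expected, Digest::SHA256.hexdigest(@secret))
  end

  # Dispatcher: runs the filter first, then the requested service method.
  def invoke(method_name, *args)
    return { error: "unauthorized" } unless authenticate(method_name, args)
    case method_name
    when "ping"     then { result: "pong" }
    when "add_item" then { result: "added #{args.first}" }
    else                 { error: "unknown method #{method_name}" }
    end
  end
end
```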