Xmlrpc authentication

m94asr · September 16, 2006, 12:56pm

Hi all,

what is the recommended way to do user authentication for
xmlrpc ruby on rails webservices?

Thanks,
-Armin

m94asr · September 17, 2006, 1:09am

On Sat, Sep 16, 2006 at 10:52:17AM -0000, m94asr wrote:

Hi all,

what is the recommended way to do user authentication for
xmlrpc ruby on rails webservices?

Use http authentication. Put this into lib/http_authentication.rb:

From Peak Obsession

with a few

minor fixes.

module HttpAuthentication

protected

def http_authenticate([email protected] + ’ Web Password’,
errormessage=“Couldn’t authenticate you”)
username, passwd = get_http_authentication_data
# Check authorization
unless username
send_http_authentication_response(realm, errormessage) and return
end
user = User.authenticate(username, passwd)
unless user && user.isremote?
logger.info(“sending auth response”);
send_http_authentication_response(realm, errormessage) and return
end
# No session, so make this a class variable
@user = user
end

private

def send_http_authentication_response(realm, errormessage)
response.headers[“Status”] = “Unauthorized”
response.headers[“WWW-Authenticate”] = “Basic realm="#{realm}"”
render :text => errormessage, :status => 401
end

def get_http_authentication_data
user, pass = ‘’, ‘’
# extract authorisation credentials
if request.env.has_key? ‘X-HTTP_AUTHORIZATION’
# try to get it where mod_rewrite might have put it
authdata = request.env[‘X-HTTP_AUTHORIZATION’].to_s.split
elsif request.env.has_key? ‘Authorization’
# for Apace/mod_fastcgi with -pass-header Authorization
authdata = request.env[‘Authorization’].to_s.split
elsif request.env.has_key? ‘HTTP_AUTHORIZATION’
# this is the regular location
authdata = request.env[‘HTTP_AUTHORIZATION’].to_s.split
elsif request.env.has_key? ‘Authorization’
# this is the regular location, for Apache 2
authdata = @request.env[‘Authorization’].to_s.split
end

# at the moment we only support basic authentication
if authdata and authdata[0] == 'Basic'
  user, pass = Base64.decode64(authdata[1]).split(':')[0..1]
end
return [user, pass]

end

Then in the controller for your web service:

require_dependency “http_authentication”

class RemoteController < ApplicationController
include HttpAuthentication
wsdl_service_name ‘Remote’
web_service_api ‘Remote’
before_filter :http_authenticate
session :off
…
end

The only thing you probably need to worry about is the
“user = User.authenticate…” part in the http_authenticate method. I
use my regular user table, but with a type of “Remote”. Then only
those remote users may be used to get to web services, and non-remote
users may not be used.

Michael

Michael Darrin Chaney
[email protected]
http://www.michaelchaney.com/