Authentication on delegated web service methods -or- How the


#1

I need to restrict access to only certain parts of a web service I’m
building.

Instead of requiring a client to submit their user/pass with each
interaction I’d like to log them in once (currently using
acts_as_authenticated in the rest of the site) and not have to fuss with
it again during that session. Only problem is I can’t use AAA on an
ActionWebService descendant since it relies on methods only available to
ActionController (such as session).

I could make the API controller itself restricted with AAA but then I
have no control over api_methods restrictions - it’s either all or
nothing, AFAICT.

Anybody have any pointers to best practices for this scenario?

dave myron
principal, technical director

contentfree
206.855.5580 phone | 206.774.2767 fax
removed_email_address@domain.invalid
337 1st ave ne. suite 100, issaquah, wa 98027


#2

You can do something like:

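    class MyService < ActionWebService::Base
      # Keep a reference to the controller so service methods can reach its session.
      def initialize(controller)
        @controller = controller
      end

      def remote_method
        @controller.session[:key]
      end
    end

    class MyServiceController < ActionController::Base
      # web_service declarations are used in delegated dispatching mode.
      web_service_dispatching_mode :delegated
      # The block runs in the controller instance, so self is the controller.
      web_service(:remote) { MyService.new(self) }
    end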

Note, in order to use sessions from the controller, your SOAP client
must maintain and send cookies along with all requests. Otherwise with
every request a new session will be created.

Personally I’d pass username/password with every request.


Kent
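
Added example, not part of Kent's post or of ActionWebService: a plain-Ruby model of the session approach above, showing per-method restrictions and what happens when a client does not send its cookie back. SessionStore, ApiService, dispatch and the credentials are hypothetical names and constructed values.

```ruby
require 'securerandom'

class AccessDenied < StandardError; end

# Stand-in for the site's existing login check (constructed credentials).
AUTHENTICATE = ->(user, pass) { user == 'dave' && pass == 'constructed-pass' }

# Server-side sessions keyed by the cookie value the client sends back.
class SessionStore
  def initialize
    @sessions = {}
  end

  # No cookie (or an unknown one) yields a brand-new, empty session.
  def fetch(cookie)
    return [cookie, @sessions[cookie]] if cookie && @sessions.key?(cookie)
    id = SecureRandom.hex(16)
    [id, @sessions[id] = {}]
  end
end

class ApiService
  # Exposed method => does it require a logged-in session?
  API = { login: false, server_time: false, account_balance: true }.freeze

  def initialize(session)
    @session = session
  end

  def login(user, pass)
    raise AccessDenied, 'bad credentials' unless AUTHENTICATE.call(user, pass)
    @session[:user] = user
  end

  def server_time
    Time.now.utc
  end

  def account_balance
    "balance for #{@session[:user]}"
  end
end

# One request: look up the session, check the per-method rule, then invoke.
def dispatch(store, cookie, name, *args)
  sid, session = store.fetch(cookie)
  raise NoMethodError, "#{name} is not exposed" unless ApiService::API.key?(name)
  raise AccessDenied, "#{name} requires login" if ApiService::API[name] && !session[:user]
  [sid, ApiService.new(session).public_send(name, *args)]
end
```

The explicit API table also keeps the dispatcher from invoking anything that was not deliberately exposed.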


#3

I tried exactly what you had suggested but I think that your final
suggestion is what I’m going to be doing. Thanks,

Dave

PS. I did notice that wss4r was released recently. I might look into
that in the future too.
