For the part about securing yourn API methods, pretty much any of the
authorization plugins and engines out there can do this. You simply put
a check for authorization on the controllers or individual methods or
calls you want to protect. That’s what they were written for.
However, many of the existing schemes, like LoginEngine/UserEngine do
the logins through web forms. You may need one that does server auth or
will accept user credentials as part of the request. I’m sure some of
the other current ones already do this, or you could always look at the
code in Bruce P.'s unfortunately abandoned ModelSecurity generator,
which IIRC does server auth and can fall back to a webform.
It might just be easier to write your own authorization method, put it
in application.rb or application_helper.rb, and apply it as a
before_filter in the relevant controllers. Google’s API, for instance,
simply seems to check a non-secret key against the IP address of the
host calling it, since they issue API accounts on a per-server basis.
Your needs may be different.
Manish S. wrote:
I want to setup an api for my web app, but i had a few question on the
way to do this. I was hoping for some input from you experienced
individuals and rails rock stars.
- Is there a way to implement a login in feature so that api methods
be called without proper authorization? This is so i can log activity
use of the api from different people and so