I am new to REST web services in Rails, but I do have a strong SOAP
background. I’d like someone to explain the various security
mechanisms used in REST web services (authentication and
authorization). I doubt there is something like WS-* for REST.
Specifically, if I choose HTTP Basic auth vs. some token-based
approach (either custom HTTP header or XML message element), what are
my options? I guess this is analogous to TLS vs. Message security in
You are right. As-is there is no predefined scheme for doing REST-based
security like the WS-* range does. An open standard for doing identity
and security management is something that REST lacks, as far as I know.
As for authentication: HTTP authentication using restful_authentication
works great. Next comes authorization. There’s a lot of good plugins out
there handling role-based authorization.
What you need to think about while doing RESTful development is how to
handle identities over requests. If you’re able to maintain a session
over subsequent requests from the callers side, then that’d probably be
the easiest. If the RESTful Rails app can determine the role of a caller
and derive it’s access rights, then you can just serve up the accessible
Other options include tried-and-true schemes like challenge/response
systems and certificate-based payload encryption. It’s all possible,
it’s just that there’s no established standard.
I am also curious how to suppress or whitelist/blacklist certain
attributes from being serialized as XML responses. For example, I
don’t think sending back foreign keys by default is a good idea. It
looks to me that the model objects are just blindly serialized as XML.
I’d like to be educated here.
The to_xml methods can do this by default. If you need more complex XML
renderings then you can create your own XML view builders.
Roderick van Domburg