Web services and dealing with before_filter


#1

Hi all,

I’ve got a Rails app with an ApplicationController that looks like this:

class ApplicationController < ActionController::Base
  before_filter :authorize, :except => :login

  def authorize
    unless session[:user]
      flash[:notice] = "Please log in"
      session[:jumpto] = request.parameters
      redirect_to :controller => "login", :action => "login"
    end
  end
end

So, basically, redirect a user to the login screen if they haven’t already logged in. Pretty standard stuff.

But, if I want to set up a web service, how do I set session data from the client side through, say, an XML-RPC call using layered dispatching? I’ve tried messing around with the block form of the web_service, and even tried setting up a LoginApi and LoginService, but no luck.

I’d like to be able to do this:

require 'xmlrpc/client'

rpc = XMLRPC::Client.new('localhost', '/webservice/api', 3000) # host, path, port
rpc.call('login.login', user, password) # Set session data here
rpc.call('foo.findFooById', 2)          # Go on my merry way

I googled around a bit and couldn’t quite find the answer I was looking for. That, or I’m just not “getting it”.

What’s the best/proper way to handle this?

Thanks,

Dan


#2

Hi Daniel,
In my web services I just ignore the authorization, but I’m on an internal app. I think what an app I worked on before (not Rails) did was something like:

def ws_auth(user, pword)
  # auth the user

  # create an entry in the db, and return some sort of unique key
end

def web_service_method(auth_key, …)
  # if the auth_key doesn't exist in the db, ignore this request
end

then your client does:

auth_key = rpc.call('login.login', user, password) # Set session data here
rpc.call('foo.findFooById', auth_key, 2)           # Go on my merry way

not perfect, but might do for you

Paul


#3

What I did was to include the authorization in the web service. I have a method like User.authenticate?(user) which returns true or false. This is used by my authentication filter as you have done. Every time someone sends in a request they must include the username/password in the request, which is then used to check if he is valid or not.

For higher security you can either run it through https (haven’t tried
this), encode it in base64, encrypt it using some private key algo, or
use WSS4R.

This method is probably not high-performing; alternatively you can use a token mechanism to check if he is a valid user (instead of checking every time, return a token), but if your requests are low volume it should be ok.

Hope this helped.


Sau S.


http://read.saush.com
http://jaccal.sourceforge.net
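Both suggestions in this thread, Paul's "log in once and pass back a key" (#2) and Sau's "check username/password on every call, or hand out a token" (#3), written out as an added, self-contained example in plain Ruby. This is not code from the thread, from the poster's app, or from ActionWebService: the in-memory user and key stores, the PBKDF2 password hashing, the 30-minute key lifetime, the method names and the small Dispatcher that stands in for the XML-RPC endpoint are all assumptions made for the example. The point it adds to the thread is what a key has to look like to be safe to hand to a client (random, not derived from the user, expiring, revocable) and that the server-side check takes the place of the before_filter, returning a fault instead of a redirect.

```ruby
require 'openssl'
require 'securerandom'

# Compare two strings without leaking, via timing, how many leading bytes
# matched. Used for the password-hash check below.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff == 0
end

# Passwords are stored only as salted PBKDF2-HMAC-SHA256 hashes, never in clear.
PBKDF2_ITERATIONS = 100_000
DUMMY_SALT = "\x00" * 16
def hash_password(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32, OpenSSL::Digest.new('SHA256'))
end

def make_user(password)
  salt = SecureRandom.random_bytes(16)
  { :salt => salt, :hash => hash_password(password, salt) }
end

# Constructed sample user store (assumption, not from the thread).
USERS = { 'dan' => make_user('correct horse battery staple') }

class AuthError < StandardError; end

class ApiAuth
  TOKEN_TTL = 30 * 60 # seconds a key stays valid; assumed value

  def initialize(users, clock = lambda { Time.now })
    @users  = users # name => { :salt, :hash }
    @tokens = {}    # key  => { :user, :expires }; in Rails this would be a table
    @clock  = clock # injectable so expiry can be tested without sleeping
  end

  # Post #3's approach: verify username/password (on every call, if you like).
  def authenticate(user, password)
    rec = @users[user]
    # Hash against a dummy salt for unknown users so the response time does
    # not reveal which usernames exist.
    candidate = hash_password(password, rec ? rec[:salt] : DUMMY_SALT)
    rec && secure_compare(candidate, rec[:hash]) ? user : nil
  end

  # Post #2's approach: log in once, hand back an unguessable random key, and
  # require it on every later call.
  def login(user, password)
    return nil unless authenticate(user, password)
    key = SecureRandom.hex(32) # 256 random bits; nothing about the user in it
    @tokens[key] = { :user => user, :expires => @clock.call + TOKEN_TTL }
    key
  end

  # User name for a live key, or nil. Expired keys are dropped on sight.
  def user_for_key(key)
    entry = @tokens[key]
    return nil unless entry
    if entry[:expires] <= @clock.call
      @tokens.delete(key)
      return nil
    end
    entry[:user]
  end

  # Revoke a key; true if it existed.
  def logout(key)
    !@tokens.delete(key).nil?
  end
end

# Stand-in for the XML-RPC dispatcher: every method except login.login must
# carry a valid key as its first argument, the web-service equivalent of
# before_filter :authorize, :except => :login. An unauthenticated call gets a
# fault (AuthError) rather than a redirect to the login page.
class Dispatcher
  def initialize(auth)
    @auth = auth
    @methods = {
      'login.logout'    => lambda { |ctx| @auth.logout(ctx[:key]) },
      'foo.findFooById' => lambda { |ctx, id| { 'id' => id, 'owner' => ctx[:user] } },
    }
  end

  def call(name, *args)
    if name == 'login.login'
      return @auth.login(*args) || raise(AuthError, 'bad credentials')
    end
    handler = @methods[name] or raise ArgumentError, "no such method: #{name}"
    key  = args.shift
    user = @auth.user_for_key(key) or raise AuthError, 'login required'
    handler.call({ :user => user, :key => key }, *args)
  end
end
```

A client would then do exactly what Paul sketched: `key = svc.call('login.login', user, password)` followed by `svc.call('foo.findFooById', key, 2)`. Whichever of the two approaches you pick, the key or the password travels in the clear inside the XML-RPC body, so the transport still needs TLS; the random key only limits what an eavesdropper gets to a bounded, revocable session rather than the password itself.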