Web services and security


#1

Hi all,

How do folks generally secure their Rails web services? A password in a config file? A ‘webservice’ user in a ‘Users’ table with its own password? LDAP authentication for every method? Only authenticate on the “important” methods? Something else I’m not thinking of?

I’d like to be secure, yet practical, for the sake of current and future developers.

What approach do Rails folks generally take?

Thanks,

Dan


#2

Daniel B. wrote:

Hi all,

How do folks generally secure their Rails web services? A password in a config file? A ‘webservice’ user in a ‘Users’ table with its own password? LDAP authentication for every method? Only authenticate on the “important” methods? Something else I’m not thinking of?

I’d like to be secure, yet practical, for the sake of current and future developers.

What approach do Rails folks generally take?

Thanks,

Dan

I would be interested in this as well. In our case, only pre-authorized users can access our service, so they must transmit a pre-determined identifier with the request. If the id does not match a known id (in our database) the call is rejected (using before_invocation).

Keith
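The check Keith describes, as an added example that is not code from this thread or from Keith's application: the "known ids" table holds only a SHA-256 digest of each client identifier, the comparison is constant-time, and a small dispatcher models a before_invocation interceptor with an except list. The client names, identifier values and the ReportApi class are constructed for the example; the convention that every protected method takes the client name and identifier as its first two arguments, and that an interceptor cancels a call by returning false, are assumptions of this example rather than statements about ActionWebService's contract.

```ruby
require "digest"
require "securerandom"

# Constructed stand-in for the "known ids" table. Only a SHA-256 digest of each
# client's identifier is stored, so a leaked database does not hand out usable
# identifiers. Client names and identifier values are made up for this example.
KNOWN_CLIENT_DIGESTS = {
  "reporting-batch" => Digest::SHA256.hexdigest("example-token-reporting-0001"),
  "partner-portal"  => Digest::SHA256.hexdigest("example-token-partner-0002"),
}.freeze

# Issues a fresh identifier for a new client; the server stores only its digest.
def new_client_identifier
  SecureRandom.hex(32)
end

# Compares two strings in time independent of where they first differ, so an
# attacker cannot recover a digest byte by byte from response timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The check itself, shaped like an interceptor: it receives the method name and
# the argument list and returns true to allow the call. Assumption of this
# example: every protected method takes (client_name, identifier, ...) first.
def authenticate_client(_method_name, args)
  client_name, identifier = args[0], args[1]
  return false unless client_name.is_a?(String) && identifier.is_a?(String)
  expected = KNOWN_CLIENT_DIGESTS[client_name]
  return false if expected.nil?
  secure_equal?(expected, Digest::SHA256.hexdigest(identifier))
end

class NotAuthorized < StandardError; end

# Minimal dispatcher modelling before_invocation with an :except list: methods
# in the list run unchecked, every other call is rejected unless the
# interceptor returns true.
class GuardedDispatcher
  def initialize(api, interceptor, except: [])
    @api, @interceptor, @except = api, interceptor, except
  end

  def invoke(method_name, *args)
    unless @except.include?(method_name) || @interceptor.call(method_name, args)
      raise NotAuthorized, "rejected call to #{method_name}"
    end
    @api.public_send(method_name, *args)
  end
end

# Constructed API with one unauthenticated method and one protected method.
class ReportApi
  def status
    "up"
  end

  def monthly_totals(_client_name, _identifier, month)
    { month: month, total: 42 }
  end
end

SERVICE = GuardedDispatcher.new(ReportApi.new, method(:authenticate_client),
                                except: [:status])
```

Two practitioner points the code encodes: a digest comparison still has to be constant-time, because the digest is what the server compares, and the identifier should travel in the request body or a header rather than the URL, where it would end up in access logs and proxy caches.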


#3

On 4/11/06, Daniel B. removed_email_address@domain.invalid wrote:

What approach do Rails folks generally take?
You can use the HTTPS protocol and pass the user name and password with every method. Or you can try to use wss4r. It depends on whichever solution best fits your needs.


Kent

http://www.datanoise.com


#4

I use a simple method: I send up the username/password and use the same authentication as the web app, every time. It’s not terribly secure, but my app is not highly secured anyway. It’s just to prevent a user from accidentally adding or erasing another user’s data.

I’m looking at WSS4R; it looks promising, and I just got it to work today.

Keith L. wrote:

Something else I’m not thinking of?

I would be interested in this as well. In our case, only pre-authorized users can access our service, so they must transmit a pre-determined identifier with the request. If the id does not match a known id (in our database) the call is rejected (using before_invocation).

Keith


Sau S.


http://read.saush.com
http://jaccal.sourceforge.net
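Kent's suggestion (#3) of passing the user name and password with every method over HTTPS, and Sau's approach (#4) of reusing the web app's own authentication on each call, both come down to the same server-side check. The following is an added example, not code from either poster or from any project named in the thread: credentials arrive in an HTTP Basic Authorization header, the call is refused outright when the request did not come in over HTTPS, and the password is verified against a salted PBKDF2 digest with a constant-time comparison. The user "alice", her password, the PBKDF2 parameters and the Rack-style env keys ("rack.url_scheme", "HTTP_AUTHORIZATION") are assumptions of this example.

```ruby
require "openssl"
require "securerandom"

# Constructed user store shared by the web app and the web service. Only a salt
# and a PBKDF2-HMAC-SHA256 digest are kept per user, never the password itself.
USERS = {}

def derive_key(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 20_000, 32, OpenSSL::Digest.new("SHA256"))
end

def add_user(name, password)
  salt = SecureRandom.random_bytes(16)
  USERS[name] = { salt: salt, key: derive_key(password, salt) }
end

add_user("alice", "correct horse battery staple") # constructed sample user

# Constant-time comparison so a wrong password cannot be narrowed down by timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Parses "Basic base64(user:password)". Returns [user, password] or nil for
# anything malformed; the password may itself contain colons.
def parse_basic_auth(header)
  return nil unless header.is_a?(String) && header.start_with?("Basic ")
  decoded = begin
    header[6..-1].unpack1("m0") # strict base64, raises on bad input
  rescue ArgumentError
    nil
  end
  return nil if decoded.nil?
  decoded.force_encoding("UTF-8")
  return nil unless decoded.valid_encoding?
  user, pass = decoded.split(":", 2)
  return nil if user.nil? || pass.nil? || user.empty?
  [user, pass]
end

# Authenticates one web service call from Rack-style request fields. Plain HTTP
# is rejected before the header is even read, so a misconfigured client cannot
# leak a password by talking to the wrong scheme. An unknown user still costs a
# PBKDF2 derivation so response time does not reveal which accounts exist.
def authenticate_call(env)
  return [:rejected, "credentials are only accepted over HTTPS"] unless env["rack.url_scheme"] == "https"
  creds = parse_basic_auth(env["HTTP_AUTHORIZATION"])
  return [:rejected, "missing or malformed Authorization header"] if creds.nil?
  user, pass = creds
  record = USERS[user]
  salt = record ? record[:salt] : ("\0" * 16)
  candidate = derive_key(pass, salt)
  return [:rejected, "bad credentials"] unless record && secure_equal?(record[:key], candidate)
  [:ok, user]
end

# Client side of the same exchange: what a caller puts in the header.
def basic_header(user, pass)
  "Basic " + ["#{user}:#{pass}"].pack("m0")
end
```

Because the header is rebuilt and re-verified on every method call, nothing needs to be kept between requests, which is the property that makes "send the credentials every time" practical; the cost is that every call pays for a password derivation, which is why a short-lived token handed out after one such check is the usual next step.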