Can this same authentication method (based on the salted hash login
generator) be used to authenticate web service access? Or, should
other authentication method be used? i.e. each user must retrieve an
authentication token manually before setting something up to use web
services. It seems this is how many online services work, right? Why
is this preferred? How often should the user reset this
Yes, you can definitely apply many of the principles on which the
salted login generator is based. After the user is logged in, your
application can provide a session token that is valid for a certain
amount of time. Every time it is used, you can reauthorize it for an
additional renewal duration. You’ll want to tie the session key to
the account in some way; I would also recommend the machine, but HTTP
proxies make using the IP address of the remote host impractical.
As I re-read this message, I realize this has less to do with Rails.
Does anyone have any pointers to good WS resources?
WS-Security is the established standard for this sort of thing. It’s
fairly complex, but a lot of client APIs already support it out of
The OASIS standards are available at:
They’re broken into username and password authentication, SOAP
message security, and the use of standard X.509 authentication over
Unfortunately, I don’t think supporting any of this from inside
ActiveWebService is even possible, but maybe that’s an area in which
we can push for some progress (with enough encouragement from other