Forum: Ruby on Rails Authentication on delegated web service methods -or- How the

Dave Myron (Guest)
on 2006-03-01 00:35
(Received via mailing list)
I need to restrict access to only certain parts of a web service I'm
building.

Instead of requiring a client to submit their user/pass with each
interaction I'd like to log them in once (currently using
acts_as_authenticated in the rest of the site) and not have to fuss with
it again during that session. Only problem is I can't use AAA on an
ActionWebService descendant since it relies on methods only available to
ActionController (such as session).

I could make the API controller itself restricted with AAA but then I
have no control over api_methods restrictions - it's either all or
nothing, AFAICT.

Anybody have any pointers to best practices for this scenario?

dave myron
principal, technical director

contentfree
206.855.5580 phone | 206.774.2767 fax
dave.myron@contentfree.com
337 1st ave ne. suite 100, issaquah, wa 98027
Kent Sibilev (Guest)
on 2006-03-01 01:04
(Received via mailing list)
You can do something like:

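# The service object is handed the controller so it can reach the session.
class MyService < ActionWebService::Base
  def initialize(controller)
    @controller = controller
  end

  def remote_method
    @controller.session[:key]
  end
end

class MyServiceController < ActionController::Base
  # The block passes the current controller to the service.
  web_service(:remote) { MyService.new(self) }
end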


Note, in order to use sessions from the controller, your SOAP client
must maintain and send cookies along with all requests. Otherwise with
every request a new session will be created.

Personally I'd pass username/password with every request.

--
Kent
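
An added example (not code from this thread or from ActionWebService): a plain-Ruby sketch of per-method restrictions on a service object that is handed the controller, as in the reply above, so access is not all or nothing. `FakeController`, `RestrictedService`, `restrict`, `attempt` and the `session[:role]` key are assumptions made for illustration.

```ruby
# Added example: plain-Ruby stand-ins, no Rails or ActionWebService needed.
# All class, method and session-key names here are hypothetical.
class AccessDenied < StandardError; end

# Stand-in for the controller: exposes only the session the service reads.
class FakeController
  attr_reader :session
  def initialize(session)
    @session = session
  end
end

class RestrictedService
  # Wrap an already-defined method with a role check that runs first.
  def self.restrict(method_name, roles:)
    original = instance_method(method_name)
    define_method(method_name) do |*args|
      authorize!(method_name, roles)
      original.bind(self).call(*args)
    end
  end

  def initialize(controller)
    @controller = controller
  end

  def public_info; "service is up"; end          # unrestricted method

  def list_orders; ["order-1", "order-2"]; end   # constructed sample data
  restrict :list_orders, roles: [:user, :admin]

  def delete_order(id); "deleted #{id}"; end
  restrict :delete_order, roles: [:admin]

  private

  # Deny by default: a missing session role means the caller never logged in.
  def authorize!(method_name, roles)
    role = @controller.session[:role]
    raise AccessDenied, "#{method_name}: login required" if role.nil?
    raise AccessDenied, "#{method_name}: #{role} not permitted" unless roles.include?(role)
  end
end

# Call a service method and report a denial as a value instead of raising.
def attempt(service, name, *args)
  service.public_send(name, *args)
rescue AccessDenied => e
  [:denied, e.message]
end
```

As the reply notes, the session lookup only works when the client returns the session cookie on every request; without it each call arrives with an empty session and the restricted methods are denied.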
Dave Myron (Guest)
on 2006-03-01 07:20
(Received via mailing list)
I tried exactly what you had suggested but I think that your final
suggestion is what I'm going to be doing. Thanks,

Dave

PS. I did notice that wss4r was released recently. I might look into
that in the future too.

