Forum: Ruby on Rails Web services and security

Daniel Berger (Guest)
on 2006-04-11 17:14
(Received via mailing list)
Hi all,

How do folks generally secure their Rails web services?  A password in a
config file?  A 'webservice' user in a 'Users' table with its own password?
LDAP authentication for every method?  Only authenticate on the "important"
methods?  Something else I'm not thinking of?

I'd like to be secure, yet practical, for the sake of current and future
developers.

What approach do Rails folks generally take?

Thanks,

Dan
Keith Lancaster (klancaster)
on 2006-04-11 17:24
Daniel Berger wrote:
> Hi all,
>
> How do folks generally secure their Rails web services?  A password in a
> config file?  A 'webservice' user in a 'Users' table with its own password?
> LDAP authentication for every method?  Only authenticate on the "important"
> methods?  Something else I'm not thinking of?
>
> I'd like to be secure, yet practical, for the sake of current and future
> developers.
>
> What approach do Rails folks generally take?
>
> Thanks,
>
> Dan

I would be interested in this as well. In our case, only pre-authorized
users can access our service, so they must transmit a pre-determined
identifier with the request. If the id does not match a known id (in our
database) the call is rejected (using before_invocation).

Keith
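The pre-shared identifier check Keith describes, as an added example that is not code from this thread or from ActionWebService itself. It models the before_invocation hook as a plain `invoke` function; the client names, identifiers and the choice to store only SHA-256 digests of the identifiers (so a copied table does not yield usable credentials) are assumptions of this example.

```ruby
require 'digest'

# Constructed sample store of known clients: SHA-256 hex digest of the
# pre-determined identifier => client name. Storing digests rather than
# the raw ids is an addition to Keith's plain-id lookup.
KNOWN_CLIENTS = {
  Digest::SHA256.hexdigest('client-id-alpha') => 'reporting-client',
  Digest::SHA256.hexdigest('client-id-beta')  => 'billing-client'
}.freeze

# Constant-time comparison: the loop touches every byte regardless of
# where the first mismatch is, so timing does not reveal how much of a
# guessed value matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the client name for a known identifier, nil for an unknown one.
# Every stored digest is compared so lookup time does not depend on
# whether the id exists (a Hash#[] lookup would short-circuit).
def authenticate_client(presented_id)
  return nil if presented_id.nil? || presented_id.empty?
  digest = Digest::SHA256.hexdigest(presented_id)
  match = nil
  KNOWN_CLIENTS.each { |stored, name| match = name if secure_equal?(stored, digest) }
  match
end

# Stand-in for a before_invocation hook: the identifier travels with the
# request params and the call is rejected unless it is known. Real
# deployments would also run this over HTTPS, as Kent notes below.
def invoke(method_name, params)
  client = authenticate_client(params[:client_id])
  return { error: 'rejected: unknown client identifier' } unless client
  { result: "#{method_name} executed for #{client}" }
end
```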
Kent Sibilev (Guest)
on 2006-04-11 17:59
(Received via mailing list)
On 4/11/06, Daniel Berger <Daniel.Berger@qwest.com> wrote:
> What approach do Rails folks generally take?
You can utilize https protocol and pass user name and password with
every method. Or you can try to use wss4r. It depends on whichever
solution best fits your needs.

--
Kent
---
http://www.datanoise.com
Chang Sau Sheong (Guest)
on 2006-04-11 18:02
(Received via mailing list)
I use a simple method -- I send up the username/password and use the
same authentication as the web app, every time. It's not terribly
secure, though, but my app is not highly secured anyway. It is just to
prevent a user from accidentally adding or erasing another user's data.

I'm looking at WSS4R; it looks promising, and I just got it to work today.

Keith Lancaster wrote:
>>   Something else I'm not thinking of?
>
> I would be interested in this as well. In our case, only pre-authorized
> users can access our service, so they must transmit a pre-determined
> identified with the request. If the id does not match a known id (in our
> database) the call is rejected (using before_invocation)
>
> Keith
>
>


--
Sau Sheong

http://blog.saush.com
http://read.saush.com
http://jaccal.sourceforge.net