Forum: Ruby on Rails web services and dealing with before_filter

Daniel Berger (Guest)
on 2006-04-21 23:45
(Received via mailing list)
Hi all,

I've got a Rails app with an ApplicationController that looks like this:

class ApplicationController < ActionController::Base
  # Require a logged-in user for every action except the login action itself
  before_filter :authorize, :except => :login

  def authorize
    unless session[:user]
      flash[:notice] = "Please log in"
      session[:jumpto] = request.parameters  # remember where the user was headed
      redirect_to :controller => "login", :action => "login"
    end
  end
end

So, basically, redirect a user to the login screen if they haven't already
logged in.  Pretty standard stuff.

But, if I want to set up a web service, how do I set session data from the
client side through, say, an xmlrpc call using layered dispatching? I've tried
messing around with the block form of the web_service, and even tried setting
up a LoginApi and LoginService, but no luck.

I'd like to be able to do this:

require 'xmlrpc/client'

# XMLRPC::Client.new takes (host, path, port); user and password come from elsewhere
rpc = XMLRPC::Client.new('localhost', '/webservice/api', 3000)
rpc.call('login.login', user, password) # Set session data here
rpc.call('foo.findFooById', 2)          # Go on my merry way

I googled around a bit and couldn't quite find the answer I was looking for.
That, or I'm just not "getting it".

What's the best/proper way to handle this?

Thanks,

Dan
Paul (Guest)
on 2006-04-22 02:52
Hi Daniel,
In my web services I just ignore the authorization, but I'm on an
internal app. I think what an app I worked on before (not Rails) did
was something like:

def ws_auth(user, pword)
  # auth the user

  # create an entry in the db, and return some sort of unique key
end

def web_service_method(auth_key, *args)
  # if the auth_key doesn't exist in the db, ignore this request

end

then your client does:

auth_key = rpc.call('login.login', user, password) # Set session data here
rpc.call('foo.findFooById', auth_key, 2)           # Go on my merry way

not perfect, but might do for you

Paul
Chang Sau Sheong (Guest)
on 2006-04-22 03:22
(Received via mailing list)
What I did was to include the authorization in the web service. I
have a method like User.authenticate?(user) which returns true or false.
This is used by my authentication filter as you have done. Every time
someone sends in a request they must include the username/password in
the request, which is then used to check if he is valid or not.

For higher security you can either run it through https (haven't tried
this), encode it in base64, encrypt it using some private key algo, or
use WSS4R.

This method is probably not high-performing; alternatively you can use a
token mechanism to check if he is a valid user (instead of checking
every time, return a token), but if your requests are low volume it
should be ok.

Hope this helped.

--
Sau Sheong

http://blog.saush.com
http://read.saush.com
http://jaccal.sourceforge.net
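A worked version of the token scheme Paul sketches (ws_auth returning a key that web_service_method checks) and of the token alternative Chang mentions, added here as an example and not code from either poster: credentials are checked against a salted hash, an unguessable token is stored server-side with an expiry, and every web-service call is checked against that store. The users hash, the in-memory token store, the injectable clock and the one-hour lifetime are constructed assumptions standing in for the database and the real clock.

```ruby
require 'securerandom'
require 'digest'
# Constructed stand-in for a users table: username => { salt:, hash: }.
# Passwords are stored only as salted hashes (use bcrypt in a real app).
class WebServiceAuth
  TOKEN_TTL = 3600 # seconds a token stays valid after login

  def initialize(users, clock: -> { Time.now })
    @users  = users
    @tokens = {}     # token => { user:, expires_at: }, Paul's "entry in the db"
    @clock  = clock  # injectable so expiry can be exercised in tests
  end

  # Build a salted SHA-256 record for a password (constructed helper).
  def self.password_record(password)
    salt = SecureRandom.hex(8)
    { salt: salt, hash: Digest::SHA256.hexdigest(salt + password) }
  end

  # Paul's ws_auth: verify the credentials, mint an unguessable token and
  # remember it server-side with an expiry; nil means login was refused.
  def login(user, password)
    rec = @users[user]
    return nil unless rec
    candidate = Digest::SHA256.hexdigest(rec[:salt] + password)
    return nil unless secure_equal?(candidate, rec[:hash])
    token = SecureRandom.hex(16)
    @tokens[token] = { user: user, expires_at: @clock.call + TOKEN_TTL }
    token
  end

  # The auth_key check from web_service_method: unknown or expired tokens
  # yield nil, a live one yields the user it was issued to.
  def authorize(token)
    entry = token && @tokens[token]
    return nil unless entry
    if entry[:expires_at] <= @clock.call
      @tokens.delete(token) # drop expired tokens as they are encountered
      return nil
    end
    entry[:user]
  end

  private
  # Constant-time comparison so hash mismatches do not leak timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

A web-service method would call `authorize(auth_key)` first and return an error response when it yields nil, so a guessed or stale key gives the caller nothing.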