xmlrpc authentication

Hi all,

  what is the recommended way to do user authentication for
xmlrpc ruby on rails webservices?


Use http authentication. Put this into lib/http_authentication.rb:

# From http://wiki.rubyonrails.com/rails/pages/HowtoAuthenticateWithHTTP with a few
# minor fixes.

module HttpAuthentication


  def http_authenticate(realm=@request.host + ' Web Password', errormessage="Couldn't authenticate you")
    username, passwd = get_http_authentication_data
    # Check authorization
    unless username
      send_http_authentication_response(realm, errormessage) and return
    user = User.authenticate(username, passwd)
    unless user && user.isremote?
      logger.info("sending auth response");
      send_http_authentication_response(realm, errormessage) and return
    # No session, so make this a class variable
    @user = user


  def send_http_authentication_response(realm, errormessage)
    response.headers["Status"] = "Unauthorized"
    response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
    render :text => errormessage, :status => 401

  def get_http_authentication_data
    user, pass = '', ''
    # extract authorisation credentials
    if request.env.has_key? 'X-HTTP_AUTHORIZATION'
      # try to get it where mod_rewrite might have put it
      authdata = request.env['X-HTTP_AUTHORIZATION'].to_s.split
    elsif request.env.has_key? 'Authorization'
      # for Apace/mod_fastcgi with -pass-header Authorization
      authdata = request.env['Authorization'].to_s.split
    elsif request.env.has_key? 'HTTP_AUTHORIZATION'
      # this is the regular location
      authdata = request.env['HTTP_AUTHORIZATION'].to_s.split
    elsif request.env.has_key? 'Authorization'
      # this is the regular location, for Apache 2
      authdata = @request.env['Authorization'].to_s.split

    # at the moment we only support basic authentication
    if authdata and authdata[0] == 'Basic'
      user, pass = Base64.decode64(authdata[1]).split(':')[0..1]
    return [user, pass]


Then in the controller for your web service:

require_dependency "http_authentication"

class RemoteController < ApplicationController
  include HttpAuthentication
  wsdl_service_name 'Remote'
  web_service_api 'Remote'
  before_filter :http_authenticate
  session :off

The only thing you probably need to worry about is the
"user = User.authenticate..." part in the http_authenticate method. I
use my regular user table, but with a type of "Remote". Then only
those remote users may be used to get to web services, and non-remote
users may not be used.