Authorization in Web Services

dalton edited this page Sep 13, 2010 · 5 revisions

If your web application exposes a web service that returns XML, you will want an authorization failure to come back as a 403 Forbidden with an XML body rather than the HTML redirect you use for browsers: an API client cannot do anything useful with a redirect to your root or login page, and a 302 hides the fact that the request was refused. You can do so by rendering an XML response in the handler that rescues the exception. Keep in mind that `respond_to` picks the branch from the request's `Accept` header or `.xml` extension, so a client that sends neither still gets the HTML redirect.

rescue_from CanCan::AccessDenied do |exception|
  respond_to do |format|
    format.html { redirect_to root_url }                          # browsers: bounce to a safe page
    format.xml  { render :xml => "...", :status => :forbidden }  # API clients: 403 with an XML body
  end
end

Note: I'm not certain what XML is conventionally returned here, if someone wants to fill this out more that would be great.

Example from Amazon S3

Amazon S3 answers an unauthorized request with a 403 and a small XML error document: a machine-readable `<Code>`, a generic human-readable `<Message>`, and the request identifiers from the response headers, so a client can quote them when asking for help without the body revealing anything about the resource.

HTTP/1.1 403 Forbidden
x-amz-request-id: E4CA6F6767D6685C
x-amz-id-2: BHzLOATeDuvN8Es1wI8IcERq4kl4dc2A9tOB8Yqr39Ys6fl7N4EJ8sjGiVvu6wLP
Content-Type: application/xml
Date: Wed, 20 Feb 2008 23:19:01 +0000
Connection: close
Server: AmazonS3

<?xml version="1.0" encoding="UTF-8"?>
<Error>
  <Code>AccessDenied</Code>
  <Message>Access Denied</Message>
  <RequestId>E4CA6F6767D6685C</RequestId>
  <HostId>BHzLOATeDuvN8Es1wI8IcERq4kl4dc2A9tOB8Yqr39Ys6fl7N4EJ8sjGiVvu6wLP</HostId>
</Error>
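Putting the two halves together, here is an added example (not CanCan's own code, and not from the S3 documentation) of what the body rendered inside the `rescue_from` block could look like, modelled on the S3 document above. It runs without Rails: the `AccessDenied` class is a stand-in for `CanCan::AccessDenied` (assumed to carry `action` and `subject` like the real one), `access_denied_response` stands in for the `respond_to` block and returns what the controller would render, and the `request_id` parameter is assumed to come from the web server. Two points the page's snippet does not show: the client gets a fixed `AccessDenied` code and generic message, never the exception's own message or the action/subject pair (those are written to a server-side audit line instead, since "you may not read Article 42" tells an attacker that Article 42 exists), and anything interpolated into the XML is escaped.

```ruby
require "json"

# Stand-in for CanCan::AccessDenied (assumption: same constructor and
# attributes as the real exception).
class AccessDenied < StandardError
  attr_reader :action, :subject

  def initialize(message = nil, action = nil, subject = nil)
    @action = action
    @subject = subject
    super(message || "You are not authorized to access this page.")
  end
end

# Escape the five XML special characters so a value that could be influenced
# by the client (here the request id) cannot break out of its element.
def xml_escape(text)
  text.to_s.gsub(/[&<>"']/, { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;",
                              '"' => "&quot;", "'" => "&apos;" })
end

# S3-style error document: stable machine-readable <Code>, generic <Message>,
# and the request id so the caller can quote it in a support request.
def forbidden_xml(request_id)
  <<~XML
    <?xml version="1.0" encoding="UTF-8"?>
    <Error>
      <Code>AccessDenied</Code>
      <Message>Access Denied</Message>
      <RequestId>#{xml_escape(request_id)}</RequestId>
    </Error>
  XML
end

# Same document for JSON clients; JSON.generate does the escaping here.
def forbidden_json(request_id)
  JSON.generate("error" => { "code" => "AccessDenied",
                             "message" => "Access Denied",
                             "request_id" => request_id })
end

# What should be logged server-side: the specifics the client never sees.
def audit_line(exception, request_id)
  "access denied: #{exception.action.inspect} on #{exception.subject.inspect} " \
    "(request #{request_id})"
end

# Mirror of the respond_to block. Returns the response the controller would
# render: a 403 with a body for API formats, a redirect to root_url for HTML.
def access_denied_response(format, exception, request_id)
  raise ArgumentError, "expected AccessDenied" unless exception.is_a?(AccessDenied)

  case format
  when :xml
    { status: 403, content_type: "application/xml", body: forbidden_xml(request_id) }
  when :json
    { status: 403, content_type: "application/json", body: forbidden_json(request_id) }
  else
    { status: 302, location: "/" }   # format.html { redirect_to root_url }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a client tried to read an Article it may not see.
  ex = AccessDenied.new(nil, :read, "Article")
  warn audit_line(ex, "E4CA6F6767D6685C")
  puts access_denied_response(:xml, ex, "E4CA6F6767D6685C")[:body]
end
```

If the controller only ever serves API clients, replace the `format.html` branch with `format.any` rendering the forbidden body, so a request with no `Accept` header still receives the 403 rather than a redirect.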