Savon vs. Handsoap: Authentication

This documentation is deprecated, please have a look at “”:!

p. The libraries provide support for multiple authentication protocols. While Handsoap’s authentication support is more low level, Savon provides an API for that task.

h2. WSSE authentication

p. As you might expect, the Handsoap way for this aspect is to implement a callback method for the document creation. Using Savon you can attach your credentials on a WSSE object inside your request block. Compare the two implementations:

def on_create_document(doc)
  doc.alias 's', "http://docs...xsd"
  header = doc.find("Header")
  header.add "s:Security" do |s|
    s.set_attr "env:mustUnderstand", "0"
    s.add "s:Username", @@username
response = client.get_bank do |soap, wsse|
  wsse.username = @@username

h2. HTTP authentication

p. The same approach is used by Handsoap to offer HTTP authentication:

def on_after_create_http_request(http_request)
  http_request.set_auth @@username, @@password

p. Savon provides support for this feature “just yet”: (since 0.7.0):

client.request.basic_auth "username", "password"

h2. SSL support

p. At the time of writing only Savon supports SSL authentication directly. This is achieved by passing a configuration hash to the Savon::Client:

client = "some_wsdl"
  :cert =>"client_cert.pem")),
  :key =>"client_key.pem"), "password if one exists"),
  :ca_file => "cacert.pem",
  :verify_mode => OpenSSL::SSL::VERIFY_PEER

p. While the “Handsoap documentation”: states that support for SSL is not yet implemented, there might be a chance to enable it through the use of the preconfigured http driver.

2 thoughts on “Savon vs. Handsoap: Authentication

  1. Pingback: Savon Handsoap Shootout | #nofail

  2. Pete

    Note that this example is not valid:

    client.request.basic_auth “username”, “password”

    It results in the error Savon::Client#request requires at least one argument (ArgumentError)

    You should do this for Savon’s http authentication:

    client = Savon.client("") do
        http.auth.basic "user", "password"

    I found the fix and posted the answer on stackoverflow:

Comments are closed.