RESTful request to Rails app using curl ignores AuthenticityToken

Question

Is there any reason that AuthenticityToken would be ignored when executing a REST HTTP request using curl?

curl http://localhost:3000/Asset/9f3cb180-e410-11de-8a39-0800200c9a66.xml -X DELETE

The above will execute remove an Asset of the given ID from the database with no regards to what the AuthenticityToken is (usually nil).

class AssetsController < ApplicationController
    protect_from_forgery :only => [:create, :update, :destroy]
    #... More Rails Controller Code
    def destroy
      #destroy the Asset
    end

^This is how the Assets controller read, clearly defining that destroy should be protected.

I have tried sending delete requests vial Net::HTTP but they get rejected since they do not supply an AuthenticityToken. So, any idea why curl always seems to be successful at executing these HTTP requests?

Answer 1

Rails doesn't perform forgery protection for .xml requests: "...only non-GET, HTML/JavaScript requests are checked." http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html

Maybe you need something like what's described here? http://www.hyperionreactor.net/blog/token-based-authentication-rails-3-and-rails-2