RESTful request to Rails app using curl ignores AuthenticityToken

Is there any reason that AuthenticityToken would be ignored when executing a REST HTTP request using curl?

curl http://localhost:3000/Asset/9f3cb180-e410-11de-8a39-0800200c9a66.xml -X DELETE

The above will execute remove an Asset of the given ID from the database with no regards to what the AuthenticityToken is (usually nil).

class AssetsController < ApplicationController
    protect_from_forgery :only => [:create, :update, :destroy]
    #... More Rails Controller Code
    def destroy
      #destroy the Asset
    end

^This is how the Assets controller read, clearly defining that destroy should be protected.

I have trie开发者_Python百科d sending delete requests vial Net::HTTP but they get rejected since they do not supply an AuthenticityToken. So, any idea why curl always seems to be successful at executing these HTTP requests?

Rails doesn't perform forgery protection for .xml requests: "...only non-GET, HTML/JavaScript requests are checked." http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html

Maybe you need something like what's described here? http://www.hyperionreactor.net/blog/token-based-authentication-rails-3-and-rails-2