ws-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igor Lev <>
Subject Re: xml-rpc authentication and encryption
Date Fri, 13 Feb 2004 18:32:34 GMT

On Fri, 2004-02-13 at 12:13, Ryan Hoegg wrote:
> Tino Wildenhain wrote:


First of all thanks for the answers, Tino and Ryan. And my apologies in
advance for replying to two posts in one email.

> >
> >
> > xml-rpc relys just on the HTTP-layer for authentication and encryption.
> > Even compression fits into that model. With apache, mod_gzip and
> > mod_ssl are your friend for example.

Unfortunately, the applications in which I'm using xml-rpc have to be
almost completely standalone. So no apache, no tomcat and not even mysql

>  Other frameworks had this built
> > in. I remember someone built HTTP-auth directly into the Java
> > libs for xmlrpc; this should be in the archives. If not it should
> > be simple to patch in.
> >
 Would you happen to recall whether the HTTP-auth that was built-in, was
Basic or digest? I've seem to have found a patch that was on the
mail-list around January 2003 but that seems to just have some
improvements for handling basic auth. 

> > Regards
> > Tino Wildenhain
> >
> I would just like to point out that some of these things break the spec 
> and could hinder interop.  AFAIK, HTTPS is standard, and widely 
> supported.  Compression, on the other hand, violates the spec, but 
> should be no problem if you control the client and server; there has 
> been discussion about that on this list fairly recently.
I would have to agree that, if doable, I would like to keep to the spec
as much as possible. 

> If you read through the archives, you will probably come across several 
> threads in which I discussed authentication at length.  Your first 
> decision is whether to do authentication in band or out-of-band; I might 
> suggest that in many cases in-band authentication is a good solution.  
> Problems arise when you want to do authorization based on transport 
> information such as IP address and port. 

I think at this point I'm going to be leaning towards separating
transport and application security, letting ssl encrypt the transport if
need be and having a separate authentication scheme inside the xml-rpc
requests. While originally, I was hoping to get access to the ip
address, I agree with you with regard to separating transport and
application security. I think it would be entirely possible  to use a
relatively secure authentication scheme without the need for knowing the
ip address or other similar information. 

>  Having said that, many 
> libraries out there support HTTP authentication and work a treat.
> Good luck!

Again, thanks a lot for everyone's help. 

Igor Lev <>

View raw message