On Fri, 2004-02-13 at 12:13, Ryan Hoegg wrote:
> Tino Wildenhain wrote:
====================<snip>======================================
First of all thanks for the answers, Tino and Ryan. And my apologies in
advance for replying to two posts in one email.
> >
> >
> > xml-rpc relys just on the HTTP-layer for authentication and encryption.
> > Even compression fits into that model. With apache, mod_gzip and
> > mod_ssl are your friend for example.
Unfortunately, the applications in which I'm using xml-rpc have to be
almost completely standalone. So no apache, no tomcat and not even mysql
:).
> > Other frameworks had this built
> > in. I remember someone built HTTP-auth directly into the Java
> > libs for xmlrpc; this should be in the archives. If not it should
> > be simple to patch in.
> >
Would you happen to recall whether the HTTP-auth that was built in was
Basic or Digest? I seem to have found a patch that was on the
mailing list around January 2003, but that seems to just have some
improvements for handling Basic auth.
> > Regards
> > Tino Wildenhain
> >
> I would just like to point out that some of these things break the spec
> and could hinder interop. AFAIK, HTTPS is standard, and widely
> supported. Compression, on the other hand, violates the spec, but
> should be no problem if you control the client and server; there has
> been discussion about that on this list fairly recently.
>
I would have to agree that, if doable, I would like to keep to the spec
as much as possible.
> If you read through the archives, you will probably come across several
> threads in which I discussed authentication at length. Your first
> decision is whether to do authentication in band or out-of-band; I might
> suggest that in many cases in-band authentication is a good solution.
> Problems arise when you want to do authorization based on transport
> information such as IP address and port.
I think at this point I'm going to be leaning towards separating
transport and application security, letting ssl encrypt the transport if
need be and having a separate authentication scheme inside the xml-rpc
requests. While originally, I was hoping to get access to the ip
address, I agree with you with regard to separating transport and
application security. I think it would be entirely possible to use a
relatively secure authentication scheme without the need for knowing the
ip address or other similar information.
> Having said that, many
> libraries out there support HTTP authentication and work a treat.
>
> Good luck!
>
Again, thanks a lot for everyone's help.
--
Igor Lev <hyperf@earthlink.net>
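An added example, not code from this thread or from the Java xml-rpc libraries discussed, of the approach Igor settles on above: credentials carried in band inside the XML-RPC call and checked by the dispatcher without any transport information. It uses Python's stdlib xmlrpc marshalling; the HMAC-over-timestamp scheme, the shared-secret table and the `add` method are assumptions for illustration.

```python
import hashlib
import hmac
import time
import xmlrpc.client

# Constructed per-user shared secrets, provisioned out of band (assumption).
SECRETS = {"alice": b"constructed-secret-for-alice"}
MAX_SKEW = 300  # seconds a request timestamp may differ from server time


def _mac(secret, user, ts, method, params):
    # Bind the MAC to caller, timestamp, method name and the marshalled args,
    # so neither the method nor its arguments can be altered in transit.
    body = xmlrpc.client.dumps(tuple(params), methodname=method)
    return hmac.new(secret, ("%s|%d|%s" % (user, ts, body)).encode(),
                    hashlib.sha256).hexdigest()


def build_request(user, secret, method, params, now=None):
    """Client side: marshal the call with (user, ts, sig) prepended in band."""
    ts = int(time.time() if now is None else now)
    sig = _mac(secret, user, ts, method, params)
    return xmlrpc.client.dumps((user, ts, sig) + tuple(params), methodname=method)


def add(a, b):
    return a + b


METHODS = {"add": add}  # application methods the server exposes (assumed)


def handle_request(xml, now=None):
    """Server side: verify the in-band credential, then dispatch.
    Uses nothing from the transport: no peer IP, no HTTP headers."""
    params, method = xmlrpc.client.loads(xml)
    if len(params) < 3:
        raise xmlrpc.client.Fault(401, "missing credential")
    user, ts, sig = params[0], int(params[1]), params[2]
    args = params[3:]
    secret = SECRETS.get(user)
    now = int(time.time() if now is None else now)
    # The time window limits replay; a nonce cache would be needed to block it.
    if secret is None or abs(now - ts) > MAX_SKEW:
        raise xmlrpc.client.Fault(401, "unknown user or stale timestamp")
    if not hmac.compare_digest(_mac(secret, user, ts, method, args), sig):
        raise xmlrpc.client.Fault(401, "bad signature")
    if method not in METHODS:
        raise xmlrpc.client.Fault(404, "no such method")
    return METHODS[method](*args)


def respond(xml, now=None):
    """Turn the dispatch outcome into the XML-RPC response body."""
    try:
        return xmlrpc.client.dumps((handle_request(xml, now),), methodresponse=True)
    except xmlrpc.client.Fault as f:
        return xmlrpc.client.dumps(f, methodresponse=True)
```

Because the check lives inside the request body, the same server code works unchanged whether the transport is plain HTTP or SSL.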