ws-users mailing list archives

From Ryan Hoegg <>
Subject Re: xml-rpc authentication and encryption
Date Fri, 13 Feb 2004 17:13:25 GMT
Tino Wildenhain wrote:

> Hi Igor,
> Igor Lev wrote:
>> Hi Everyone,
>> I've been trying to go through the mail archives and generally google
>> this topic but I haven't been able to find any definite answers.
>> Basically my question is regarding authentication and encryption for
>> xml-rpc. I had a lightweight method to authorize users and encrypt
>> traffic in mind, something simple, with a shared secret(password), and a
>> handshake procedure to exchange a session id for further encryption of
>> the transfers. This would probably require a modification to the http
>> server in order to encrypt/decrypt the xml payload before its parsed,
>> since I don't want the actual method calls flying around in plaintext.
>> It seems like such a natural question that I was wondering whether
>> anything like this has been discussed before and I just couldn't find it
>> in the archives(most likely), or is SSL the only "good" way to go for
>> xml-rpc authentication and encryption.
>> Any info would be greatly appreciated.
> xml-rpc relies just on the HTTP-layer for authentication and encryption.
> Even compression fits into that model. With apache, mod_gzip and
> mod_ssl are your friend for example. Other frameworks had this built
> in. I remember someone built HTTP-auth directly into the Java
> libs for xmlrpc; this should be in the archives. If not it should
> be simple to patch in.
> Regards
> Tino Wildenhain
I would just like to point out that some of these things break the spec 
and could hinder interop.  AFAIK, HTTPS is standard, and widely 
supported.  Compression, on the other hand, violates the spec, but 
should be no problem if you control the client and server; there has 
been discussion about that on this list fairly recently.

If you read through the archives, you will probably come across several 
threads in which I discussed authentication at length.  Your first 
decision is whether to do authentication in band or out-of-band; I might 
suggest that in many cases in-band authentication is a good solution.  
Problems arise when you want to do authorization based on transport 
information such as IP address and port.  Having said that, many 
libraries out there support HTTP authentication and work a treat.

Good luck!

Ryan Hoegg
ISIS Networks
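The two options contrasted in this thread, out-of-band authentication done by the HTTP layer before the XML-RPC payload is parsed, and in-band authentication where a session token travels as the first parameter of every call, as an added example that is not part of the original messages or of any XML-RPC library the thread mentions. It uses Python 3's standard-library xmlrpc modules; the user name, password, token format and the /RPC2 path are constructed for the example. Basic credentials are only base64-encoded, so in production the out-of-band variant sits behind HTTPS, exactly as the thread recommends.

```python
"""Added example: out-of-band (HTTP Basic) and in-band (session token)
authentication for XML-RPC, as discussed in the thread above."""
import base64
import binascii
import hmac
import secrets
import threading
from http import HTTPStatus
from xmlrpc.client import Fault, ServerProxy
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

# Constructed credentials for this example only (hypothetical user).
USERS = {"alice": "s3cret-example-pw"}


def verify_password(user, password, users=USERS):
    """Constant-time password check; unknown users are compared against ''."""
    expected = users.get(user, "")
    return hmac.compare_digest(password.encode(), expected.encode()) and user in users


def basic_header(user, password):
    """Build the Authorization header value a client sends for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(header, users=USERS):
    """Return the user name if `header` carries valid Basic credentials, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep or not verify_password(user, password, users):
        return None
    return user


class AuthRequestHandler(SimpleXMLRPCRequestHandler):
    """Out-of-band: reject the request before the XML body is ever parsed."""
    rpc_paths = ("/RPC2",)

    def do_POST(self):
        if check_basic_auth(self.headers.get("Authorization")) is None:
            self.send_response(HTTPStatus.UNAUTHORIZED)
            self.send_header("WWW-Authenticate", 'Basic realm="xmlrpc"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        super().do_POST()


class SessionService:
    """In-band: login() issues a random token; other methods take it as first argument."""

    def __init__(self, users=USERS):
        self._users = users
        self._sessions = {}

    def login(self, user, password):
        if not verify_password(user, password, self._users):
            raise Fault(401, "bad credentials")
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[token] = user
        return token

    def whoami(self, token):
        user = self._sessions.get(token)
        if user is None:
            raise Fault(401, "invalid or expired session")
        return user

    def logout(self, token):
        return self._sessions.pop(token, None) is not None


def serve(host="127.0.0.1", port=0):
    """Start a server on a loopback port; returns it so the caller can shut it down."""
    server = SimpleXMLRPCServer((host, port), requestHandler=AuthRequestHandler,
                                logRequests=False)
    server.register_instance(SessionService())
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = serve()
    host, port = srv.server_address
    # Credentials in the URL are sent as an HTTP Basic Authorization header.
    client = ServerProxy(f"http://alice:s3cret-example-pw@{host}:{port}/RPC2")
    token = client.login("alice", "s3cret-example-pw")  # in-band login on top of Basic auth
    print("whoami ->", client.whoami(token))
    try:
        ServerProxy(f"http://{host}:{port}/RPC2").whoami(token)
    except Exception as exc:  # ProtocolError 401: the call never reached the XML parser
        print("unauthenticated call rejected:", exc)
    srv.shutdown()
```

The out-of-band check lives in the request handler, so a caller without credentials never reaches the XML parser or any registered method, which is the property Igor asked for. The in-band token, by contrast, is ordinary method data: it works across proxies and NAT where IP- or port-based decisions would not, but it is only as confidential as the transport carrying it.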
