Maybe, but I can't find it.
Emmanuel
Rahul Thakur wrote:
I thought there was something similar to this that exists in Redback?
Rahul
----- Original Message ----- From: "Emmanuel Venisse"
<[EMAIL PROTECTED]>
To: <continuum-dev@maven.apache.org>
Sent: Saturday, April 28, 2007 12:37 AM
Subject: Re: XML RPC security
I think it's the best solution. With a token, we don't have login/password
over the network for each request.
XmlRpcService
    String login( username, password ) // return a token
    {
        return tokenManager.login( username, password );
    }
    Object method1( token, params ) // null token for guest user, or a getGuestToken() method that will return it
    {
        User user = tokenManager.getUser( token );
        ...
    }
    Object method2( token, params )
    {
        ...
    }
TokenManager
    String login( username, password ); // return a token
    User getUser( token )
The TokenManager can be a plexus component with a default
implementation for redback.
wdyt?
Emmanuel
Emmanuel Venisse wrote:
Hey guys,
Some quick notes on the security for XML RPC interface. This is what I
am thinking...
Have an AuthenticatedXmlRpcService component that services the xml rpc
requests. The first request from a client to the service is a request
for authentication. A successful authentication returns an
authentication Token, which is passed along with subsequent requests by
the client. A Token can go stale (configurable time period?) if there
were no requests detected for it. Also, we could have a service that
answers any polling requests and keeps a Token 'alive'.
Thoughts?
Rahul
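
Added example, not part of the original thread and not Continuum or Redback code: one way the TokenManager discussed above could issue unguessable tokens and let them go stale after an idle period, with each use keeping the token alive. The class name, the Session record, the BiPredicate standing in for the user store, the 32-byte token size and returning a user name instead of a User object are all assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiPredicate;
// Hypothetical sketch of a token manager with idle expiry (requires Java 16+ for records).
public class TokenManagerSketch {
    private record Session(String user, Instant lastSeen) {}
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private final Duration idleTimeout;
    private final BiPredicate<String, String> authenticator; // assumption: stand-in for the user store

    public TokenManagerSketch(Duration idleTimeout, BiPredicate<String, String> authenticator) {
        this.idleTimeout = idleTimeout;
        this.authenticator = authenticator;
    }

    // Checks the credentials once and returns a random 256-bit token for later calls.
    public String login(String username, String password) {
        if (!authenticator.test(username, password)) throw new SecurityException("authentication failed");
        byte[] raw = new byte[32];
        rng.nextBytes(raw); // CSPRNG output, so tokens cannot be predicted from earlier ones
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, new Session(username, Instant.now()));
        return token;
    }

    // Resolves a token to a user name; a null token maps to the guest user.
    public String getUser(String token) {
        if (token == null) return "guest";
        Session s = sessions.computeIfPresent(token, (t, old) ->
            old.lastSeen().plus(idleTimeout).isBefore(Instant.now())
                ? null                                        // idle too long: entry is removed
                : new Session(old.user(), Instant.now()));    // any use refreshes the idle timer
        if (s == null) throw new SecurityException("unknown or expired token");
        return s.user();
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed credentials and a very short timeout, for the demo only.
        TokenManagerSketch tm = new TokenManagerSketch(Duration.ofMillis(200),
            (u, p) -> u.equals("alice") && p.equals("s3cret"));
        String token = tm.login("alice", "s3cret");
        System.out.println(tm.getUser(token));
        Thread.sleep(300);
        try { tm.getUser(token); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

The token is a bearer credential for as long as it stays valid, so it needs the same transport protection as the password it replaces.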