Rahul Thakur wrote:

Sounds good! Pointers would be great, if you have them handy :-)

If you're using the servlet way (which I'd recommend) you should be able to use Redback as a filter for that URL. Way easier than my hack.

--
Trygve


TIA,
Rahul

----- Original Message -----
From: "Trygve Laugstøl" <[EMAIL PROTECTED]>
To: <continuum-dev@maven.apache.org>
Sent: Saturday, April 28, 2007 12:14 AM
Subject: Re: XML RPC security


Rahul Thakur wrote:
Hey guys,

Some quick notes on the security for XML RPC interface. This is what I am thinking...

Have an AuthenticatedXmlRpcService component that services the xml rpc requests. The first request from a client to the service is a request for authentication. A successful authentication returns an authentication Token, which is passed along with subsequent requests by the client. A Token can go stale (configurable time period?) if there were no requests detected for it. Also, we could have a service that answers any polling requests and keeps a Token 'alive'.

How about using HTTP and Redback for security? We can make the XML-RPC server listen on localhost:8000 only and then make a servlet that is proxying to localhost:8000/xml-rpc.

The proxying servlet should come after a Redback security filter. I made a servlet like that once acting as a facade for a Subversion repository, which I think I added to Plexus (aka the kitchen sink); if not, I can dig it up for you.

--
Trygve
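
The token lifecycle proposed in the thread (issue on successful authentication, present on each request, go stale after a configurable idle period, keep alive by polling) can be sketched as below. This is an added example, not Continuum or Redback code: the class `IdleTokenStore` and its methods are hypothetical names, the credential check itself is assumed to happen before `issue()` is called, and the 15-minute timeout is a constructed sample value.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical class for illustration; not part of Continuum or Redback.
public class IdleTokenStore {
    private final SecureRandom rng = new SecureRandom();
    private final Map<String, Long> lastSeen = new ConcurrentHashMap<>(); // token -> last use (ms)
    private final long idleMillis;

    public IdleTokenStore(Duration idleTimeout) { this.idleMillis = idleTimeout.toMillis(); }

    // Call only after the client's credentials have been verified elsewhere.
    public String issue(long now) {
        byte[] raw = new byte[32]; // 256 random bits so tokens cannot be guessed
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        lastSeen.put(token, now);
        return token;
    }

    // Checks a token on each request or keep-alive poll and slides its idle window.
    public boolean touch(String token, long now) {
        if (token == null) return false;
        boolean[] ok = {false};
        lastSeen.computeIfPresent(token, (t, seen) -> {
            if (now - seen > idleMillis) return null; // stale: drop the entry atomically
            ok[0] = true;
            return now;                               // fresh: record this use
        });
        return ok[0];
    }

    // Explicit logout.
    public void revoke(String token) { if (token != null) lastSeen.remove(token); }

    public static void main(String[] args) {
        IdleTokenStore store = new IdleTokenStore(Duration.ofMinutes(15)); // constructed sample timeout
        long t0 = System.currentTimeMillis();
        long min = Duration.ofMinutes(1).toMillis();
        String token = store.issue(t0);
        System.out.println(store.touch(token, t0 + 10 * min)); // request inside the idle window
        System.out.println(store.touch(token, t0 + 20 * min)); // window was slid by the previous request
        System.out.println(store.touch(token, t0 + 36 * min)); // 16 idle minutes since the last request
        System.out.println(store.touch("forged", t0));         // token that was never issued
    }
}
```

A keep-alive poll would go through `touch()` like any other request, so a token that is polled never goes stale; an absolute maximum lifetime is a separate check that this sketch does not include.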

