Hi Jeroen,

On 14/02/07, Jeroen Vriesman <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> does anyone know here an example how to make the rpc (I started with the
> perl rpc example) secure?
>
> Something simple with user/password over an ssl connection.

I'm not sure how much help you need, but here are a few pointers and
code snippets of what I've done.

What I've got in the client is a routine such as this:

    qx.Proto._validatePassword = function(username, password)
    {
      // server_url is defined elsewhere in the application
      var rpc = new qx.io.remote.Rpc(server_url, "namespace.user");
      var result = 0;

      try
      {
        // Synchronous call to the 'validate' method of the service
        result = rpc.callSync('validate', username, password);
      }
      catch (ex)
      {
        alert("Login exception: " + ex);
      }

      return result;
    };

I have a service called (for example) namespace.operator which has the
user-related methods, so I invoke a validate method on it.

On the server I have:

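    # Perl package names use '::' where the service name has '.'
    package Qooxdoo::Services::namespace::user;

    use strict;
    use Qooxdoo::JSONRPC;

    sub method_validate
    {
        my $error  = shift;
        my @params = @_;
        my ($username, $password) = @params;
        # Debug output only: this writes the clear-text password to the
        # web server's error log, so remove it outside of testing.
        print STDERR "Authenticate $username $password\n";
        my $validated = 0;
        ### VALIDATE USER
        return $validated;
    }

    1;
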
As with all web applications, but more so with AJAX ones, you need to
protect all important services against unauthorized access, so you
really need to check if the user has logged in on each call.

A few ways of doing this are:

 * Have the browser retain the login credentials, and resubmit them
   to subsequent calls
 * Start a 'session', by issuing a cookie which is used to track
   the user across pages

The CGI::Session module is already used, so this can be used to track
a logged in user. However, there's a small tweak to JSONRPC.pm
required to make this easier which I will submit if you wish to go
down this route.

There are a few ways to check that the user is using https:// rather
than http:// addresses, either in the client or the server. I normally
just add

    SSLRequireSSL

to my Apache configuration to prevent any use of unencrypted HTTP.

Nick
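
The per-call login check and cookie session described in the message above, as an added example that is not part of the original post or of the qooxdoo backends. It is written for Node.js rather than the Perl backend, and the names `dispatch`, `methods`, `whoami`, the user `alice` and the 15-minute timeout are all hypothetical.

```javascript
// Added example: one gate in front of every RPC method, so a method
// cannot be exposed without the login check. All names are hypothetical.
const crypto = require('node:crypto');

const SESSION_TTL_MS = 15 * 60 * 1000;  // assumed idle timeout
const sessions = new Map();             // session id -> { user, expires }

// Constructed user store: salted scrypt hashes, no clear-text passwords.
function hashPassword(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}
const salt = crypto.randomBytes(16);
const users = new Map([
  ['alice', { salt, hash: hashPassword('correct horse', salt) }],
]);

// Only 'validate' may be called without an existing session.
const PUBLIC_METHODS = new Set(['validate']);
const methods = {
  validate(ctx, username, password) {
    const user = users.get(username);
    // Hash even for unknown users so timing does not reveal valid names.
    const candidate = hashPassword(String(password), user ? user.salt : salt);
    if (!user || !crypto.timingSafeEqual(candidate, user.hash)) return null;
    const sid = crypto.randomBytes(32).toString('hex');
    sessions.set(sid, { user: username, expires: ctx.now + SESSION_TTL_MS });
    return sid;  // sent to the browser as a Secure; HttpOnly cookie
  },
  whoami(ctx) { return ctx.user; },
};

// sid is the value of the session cookie that arrived with the request.
function dispatch(request, sid, now = Date.now()) {
  const ctx = { now, user: null };
  if (!Object.prototype.hasOwnProperty.call(methods, request.method)) {
    return { error: 'no such method' };
  }
  if (!PUBLIC_METHODS.has(request.method)) {
    const session = sessions.get(sid);
    if (!session || session.expires <= now) {
      sessions.delete(sid);               // drop expired or unknown ids
      return { error: 'not logged in' };
    }
    session.expires = now + SESSION_TTL_MS;  // sliding expiry
    ctx.user = session.user;
  }
  return { result: methods[request.method](ctx, ...(request.params || [])) };
}
```

Because the session id stands in for the password on every later call, it needs the same transport protection as the login itself, which is what the SSLRequireSSL setting provides.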