Igor Lev wrote:
Hi Everyone,
I've been trying to go through the mail archives and generally google
this topic but I haven't been able to find any definite answers.
Basically my question is regarding authentication and encryption for
xml-rpc. I had a lightweight method to authorize users and encrypt
traffic in mind, something simple, with a shared secret(password), and a
handshake procedure to exchange a session id for further encryption of
the transfers. This would probably require a modification the http
server in order to encrypt/decrypt the xml payload before its parsed,
since I don't want the actual method calls flying around in plaintext.
It seems like such a natural question that I was wondering whether
anything like this has been discused before and I just couldn't find it
in the archives(most likely), or is SSL the only "good" way to go for
xml-rpc authentication and encryption.
Any info would be greatly appreciated.
xml-rpc relys just on the HTTP-layer for authentication and encryption. Even compression fits into that model. With apache, mod_gzip and mod_ssl are your friend for example. Other frameworks had this built in. I remember someone built HTTP-auth directly into the Java libs for xmlrpc; this should be in the archives. If not it should be simple to patch in.
Regards Tino Wildenhain
