Tino Wildenhain wrote:

Hi Igor,

Igor Lev wrote:

Hi Everyone,
I've been trying to go through the mail archives and generally google
this topic but I haven't been able to find any definite answers.
Basically my question is regarding authentication and encryption for
xml-rpc. I had a lightweight method to authorize users and encrypt
traffic in mind, something simple, with a shared secret (password), and a
handshake procedure to exchange a session id for further encryption of
the transfers. This would probably require a modification to the http
server in order to encrypt/decrypt the xml payload before it's parsed,
since I don't want the actual method calls flying around in plaintext.
It seems like such a natural question that I was wondering whether
anything like this has been discussed before and I just couldn't find it
in the archives (most likely), or is SSL the only "good" way to go for
xml-rpc authentication and encryption.
Any info would be greatly appreciated.


xml-rpc relies just on the HTTP-layer for authentication and encryption.
Even compression fits into that model. With apache, mod_gzip and
mod_ssl are your friends, for example. Other frameworks had this built
in. I remember someone built HTTP-auth directly into the Java
libs for xmlrpc; this should be in the archives. If not it should
be simple to patch in.

Regards
Tino Wildenhain

I would just like to point out that some of these things break the spec and could hinder interop. AFAIK, HTTPS is standard, and widely supported. Compression, on the other hand, violates the spec, but should be no problem if you control the client and server; there has been discussion about that on this list fairly recently.

If you read through the archives, you will probably come across several threads in which I discussed authentication at length. Your first decision is whether to do authentication in band or out-of-band; I might suggest that in many cases in-band authentication is a good solution. Problems arise when you want to do authorization based on transport information such as IP address and port. Having said that, many libraries out there support HTTP authentication and work a treat.

Good luck!

--
Ryan Hoegg
ISIS Networks
http://www.isisnetworks.net/
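The two approaches Ryan contrasts, as an added example in Python's standard xmlrpc module (not code from the thread or from any of the XML-RPC libraries mentioned): out-of-band authentication, where the HTTP handler checks an Authorization header before the XML payload is parsed, and in-band authentication, where a login method returns a session id that later calls carry as a parameter. The user table, the credentials and the method names are constructed for the example.

```python
import base64, hmac, secrets
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

# Constructed user -> password table; a real service stores hashes and runs behind TLS.
USERS = {"alice": "s3cret"}

def verify_password(user, password, users=USERS):
    expected = users.get(user, "")  # unknown user fails the same way as a wrong password
    return bool(expected) and hmac.compare_digest(password.encode(), expected.encode())

def check_basic_auth(header, users=USERS):
    """Out-of-band: validate an 'Authorization: Basic ...' value; return the user or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except ValueError:  # not valid base64, or not UTF-8
        return None
    return user if verify_password(user, password, users) else None

class BasicAuthHandler(SimpleXMLRPCRequestHandler):
    """Checks the HTTP layer first, so unauthenticated XML never reaches the parser."""
    def parse_request(self):
        if not super().parse_request():
            return False
        if check_basic_auth(self.headers.get("Authorization")):
            return True
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="xmlrpc"')
        self.send_header("Content-Length", "0")  # empty body, so the client does not hang
        self.end_headers()
        return False

class SessionStore:
    """In-band: login() returns a session id that every later call passes as a parameter."""
    def __init__(self, users=USERS):
        self.users, self.sessions = users, {}
    def login(self, user, password):
        if not verify_password(user, password, self.users):
            raise ValueError("bad credentials")  # reaches the client as an XML-RPC Fault
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid
    def whoami(self, sid):
        return self.sessions[sid]  # KeyError becomes a Fault for an unknown session id

if __name__ == "__main__":
    server = SimpleXMLRPCServer(("127.0.0.1", 8000), requestHandler=BasicAuthHandler)
    server.register_instance(SessionStore())  # exposes login() and whoami()
    server.serve_forever()
```

A client of the out-of-band variant authenticates with an `https://user:password@host:port/` URL in `xmlrpc.client.ServerProxy`; a client of the in-band variant calls `login()` once and passes the returned id to every later method.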