On Fri, 2004-02-13 at 12:13, Ryan Hoegg wrote:
> Tino Wildenhain wrote:
====================<snip>======================================

First of all thanks for the answers, Tino and Ryan. And my apologies in
advance for replying to two posts in one email.

> > xml-rpc relies just on the HTTP layer for authentication and encryption.
> > Even compression fits into that model. With apache, mod_gzip and
> > mod_ssl are your friend for example.

Unfortunately, the applications in which I'm using xml-rpc have to be
almost completely standalone. So no apache, no tomcat and not even mysql :).

> > Other frameworks had this built in. I remember someone built HTTP-auth
> > directly into the Java libs for xmlrpc; this should be in the archives.
> > If not it should be simple to patch in.

Would you happen to recall whether the HTTP-auth that was built in was
Basic or Digest? I seem to have found a patch that was on the mailing list
around January 2003, but that seems to just have some improvements for
handling basic auth.

> > Regards
> > Tino Wildenhain
>
> I would just like to point out that some of these things break the spec
> and could hinder interop. AFAIK, HTTPS is standard, and widely
> supported. Compression, on the other hand, violates the spec, but
> should be no problem if you control the client and server; there has
> been discussion about that on this list fairly recently.

I would have to agree that, if doable, I would like to keep to the spec as
much as possible.

> If you read through the archives, you will probably come across several
> threads in which I discussed authentication at length. Your first
> decision is whether to do authentication in band or out-of-band; I might
> suggest that in many cases in-band authentication is a good solution.
> Problems arise when you want to do authorization based on transport
> information such as IP address and port.

I think at this point I'm going to be leaning towards separating transport
and application security, letting SSL encrypt the transport if need be and
having a separate authentication scheme inside the xml-rpc requests. While
originally I was hoping to get access to the IP address, I agree with you
with regard to separating transport and application security. I think it
would be entirely possible to use a relatively secure authentication scheme
without the need for knowing the IP address or other similar information.

> Having said that, many libraries out there support HTTP authentication
> and work a treat.
>
> Good luck!

Again, thanks a lot for everyone's help.

-- 
Igor Lev <[EMAIL PROTECTED]>
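As an added example (not code from this thread or from the Java xmlrpc library), one shape the in-band scheme discussed above can take, written against Python's standard xmlrpc modules: the credential travels as the first parameter of every call, carries a timestamp plus a keyed MAC bound to the method name, and the server validates it from the request body alone, so nothing depends on the peer IP address or on the transport. The user name, shared secret and method name are constructed placeholders.

```python
import hashlib, hmac, time
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher

# Constructed sample credential store for the demonstration (hypothetical user/secret).
USERS = {"alice": b"example-shared-secret"}
MAX_SKEW = 300  # seconds a signed request stays acceptable (limits replay of a captured call)

def sign(user, secret, ts, method):
    """MAC over user, timestamp and method name, keyed by the shared secret."""
    msg = f"{user}|{ts}|{method}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def make_auth(user, method, ts=None):
    """Client side: build the credential struct sent as the first XML-RPC parameter."""
    ts = int(time.time()) if ts is None else ts
    return {"user": user, "ts": ts, "mac": sign(user, USERS[user], ts, method)}

def check_auth(auth, method, now=None):
    """Server side: validate the credential from the body alone; user name or None."""
    now = time.time() if now is None else now
    try:
        user, ts, mac = auth["user"], int(auth["ts"]), auth["mac"]
    except (KeyError, TypeError, ValueError):
        return None  # malformed or missing credential struct
    secret = USERS.get(user)
    if secret is None or abs(now - ts) > MAX_SKEW:
        return None  # unknown user, or timestamp outside the replay window
    if not hmac.compare_digest(mac, sign(user, secret, ts, method)):
        return None  # MAC mismatch (wrong secret, tampered fields or other method)
    return user

def build_dispatcher():
    """Register a method that refuses to run unless the in-band credential checks out."""
    d = SimpleXMLRPCDispatcher()
    def whoami(auth):
        user = check_auth(auth, "whoami")
        if user is None:
            raise xmlrpc.client.Fault(401, "authentication failed")
        return f"hello {user}"
    d.register_function(whoami, "whoami")
    return d

def call(dispatcher, method, auth):
    """Push one marshalled request through the dispatcher in-process (no socket needed)."""
    req = xmlrpc.client.dumps((auth,), methodname=method).encode()
    try:
        return "ok", xmlrpc.client.loads(dispatcher._marshaled_dispatch(req))[0][0]
    except xmlrpc.client.Fault as f:
        return "fault", f.faultCode  # ("fault", 401) for a rejected credential
```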
