> I'm attempting to add key signing to your xmlrpc library (I'll feed
> changes back upstream once I'm done). Once an xmlrpcmsg is about to be
> sent, it is serialized, a private key is used to generate a signature of
> the serialized data, and both are sent to the xmlrpc server. The server
> uses the client's public key to verify that the msg came from the actual
> client; if verification is successful, decode the xmlrpcmsg as normal.
In phpgroupware/groupwhere, a login function is called first. This generates a sessionid and key as with their normal browser login. The sessionid/key are then sent in an Authorization: Basic header to verify subsequent requests. Lastly, a logout packet is sent to clear the user session. Public/private keys would be cool, though. I had not done much in that implementation to encrypt subsequent requests...

> My hang-up is how to send the payload signature. The way I'd prefer to do it
> is a simple form variable; the XMLRPC spec states that the xmlrpc
> message is the body of a HTTP-POST request, so I figure that leaves
> HTTP-GET available for (ab)use. I'd like to do this in a manner that
> works with other xmlrpc implementations (if not supporting the
> verification, silently ignoring the signature).

I am not absolutely certain, but in my simple tests trying to write a php-based daemon for xml-rpc I found that GET or POST requests send the entire set of values on one line. The difference is the first line of the request specifying GET or POST. In this library at least, the variable HTTP_RAW_POST_DATA is used to decode the entire request. This is most likely because PHP does not know what to do with a POST or GET that is multiline as with XML-RPC. In other words, I think you could still use POST. IIRC, it looks something like this:

    POST /RPC2 HTTP/1.0
    User-Agent: Frontier/5.1.2 (WinNT)
    Host: betty.userland.com
    Content-Type: text/xml
    Content-length: XXX

    user=bob&password=secret
    <?xml version="1.0"?>
    <methodCall>
      <methodName>examples.getStateName</methodName>
      <params>
        <param>
          <value><i4>41</i4></value>
        </param>
      </params>
    </methodCall>

> Have you heard of any other implementations that allow this, or similar
> workarounds (perhaps passing the signature elsewhere)? Do you have any
> suggestions?

This could be sent in an Authorization: Basic header so long as the server knows how to decode it.
I wrote this into phpgroupware and now groupwhere's implementation of its XML-RPC server since I did not find any other way. Your work would be very welcome if it first does not break other implementations (of course).

-- 
Miles Lott
GroupWhere
http://groupwhere.org

_______________________________________________
phpxmlrpc mailing list
[EMAIL PROTECTED]
http://lists.usefulinc.com/cgi-bin/mailman/listinfo/phpxmlrpc
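The exchange discussed in this thread (serialize the methodCall, sign the serialized bytes, send both, verify on the server before decoding, and stay compatible with servers that know nothing about signatures) as an added example. This is not code from phpxmlrpc, phpgroupware or GroupWhere, and it is in Go rather than PHP so the whole client/server round trip can run in one self-contained program. Everything beyond the spec's sample methodCall is an assumption: the header name X-XMLRPC-Signature, the use of Ed25519, the throwaway key pair, and the in-process httptest servers.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Assumed header name for the detached signature; it is not part of the
// XML-RPC spec or of phpxmlrpc, and a server that does not know it ignores it.
const sigHeader = "X-XMLRPC-Signature"

// Constructed sample body: the getStateName call from the XML-RPC spec.
const sampleCall = `<?xml version="1.0"?>
<methodCall>
<methodName>examples.getStateName</methodName>
<params><param><value><i4>41</i4></value></param></params>
</methodCall>`

func demoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // throwaway pair for the example
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signRequest sends the serialized message unchanged as the POST body and
// carries the signature of those exact bytes in a separate header.
func signRequest(url string, body []byte, priv ed25519.PrivateKey) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "text/xml")
	req.Header.Set(sigHeader, base64.StdEncoding.EncodeToString(ed25519.Sign(priv, body)))
	return req, nil
}

// verifyBody checks the header signature against the raw body bytes and
// returns the body only if it verifies; XML decoding happens after this call.
func verifyBody(r *http.Request, pub ed25519.PublicKey) ([]byte, error) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		return nil, err
	}
	sig, err := base64.StdEncoding.DecodeString(r.Header.Get(sigHeader))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return nil, errors.New("missing or malformed signature header")
	}
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("signature verification failed")
	}
	return body, nil
}

// verifyingServer rejects unverified calls before any XML is parsed.
func verifyingServer(pub ed25519.PublicKey) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := verifyBody(r, pub); err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		fmt.Fprint(w, "verified") // a real server would decode the methodCall here
	})
}

// legacyServer stands in for an implementation without signing support: it
// never looks at the header, so signing clients still interoperate with it.
func legacyServer() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "received")
	})
}

// roundTrip signs `signed`, optionally swaps the body for `sent` to simulate
// tampering in transit, delivers the request to h and returns status and reply.
func roundTrip(h http.Handler, signed, sent []byte, priv ed25519.PrivateKey) (int, string) {
	srv := httptest.NewServer(h)
	defer srv.Close()
	req, err := signRequest(srv.URL+"/RPC2", signed, priv)
	if err != nil {
		return 0, err.Error()
	}
	if sent != nil {
		req.Body, req.ContentLength = io.NopCloser(bytes.NewReader(sent)), int64(len(sent))
	}
	resp, err := srv.Client().Do(req)
	if err != nil {
		return 0, err.Error()
	}
	defer resp.Body.Close()
	out, _ := io.ReadAll(resp.Body)
	return resp.StatusCode, string(out)
}
```

Carrying the signature in a header rather than in the body or the query string keeps the POST body exactly what the spec says it is, so a server that has never heard of the header processes the call normally, while a verifying server checks the raw bytes it actually received before handing them to the XML parser. Two caveats a deployment would still need: a captured signed request can be replayed unchanged unless something that varies (a nonce or timestamp) is inside the signed bytes, and the server must decide which public key belongs to which client before it can trust any verification result.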