I am a contributor to the Apache XML-RPC project, which is a Java library for XML-RPC server and client. Members of our list have mentioned this requirement and have looked for ways to accomplish it with interoperability in mind.
The solution you propose seems proprietary and not designed for interop. Have you considered any proposals by the XML-Signature Working Group at http://www.w3.org/Signature/ or the XML-Encryption Working Group at http://www.w3.org/Encryption/2001/ ?
Basically, it might be a good idea to design these solutions with interop in mind from the beginning. I must confess that our project has not produced any code with digital signatures or encryption integrated, but there is an independent interceptors patch that has allowed at least one developer to build in his own proprietary encryption code for use with Kerberos.
I monitor this list and would be interested in more discussion in this area.
Miles Lott wrote:
> > I'm attempting to add key signing to your xmlrpc library (I'll feed
> > changes back upstream once I'm done). Once an xmlrpcmsg is about to be
> > sent, it is serialized, a private key is used to generate a signature of
> > the serialized data, and both are sent to the xmlrpc server. The server
> > uses the client's public key to verify that the msg came from the actual
> > client; if verification is successful, decode the xmlrpcmsg as normal.
>
> In phpgroupware/groupwhere, a login function is called first. This
> generates a sessionid and key as with their normal browser login. The
> sessionid/key are then sent in an Authorization: Basic header to verify
> subsequent requests. Lastly, a logout packet is sent to clear the user
> session. Public/private keys would be cool, though. I had not done
> much in that implementation to encrypt subsequent requests...
>
> > My hang-up is how to send the payload signature. The way I'd prefer to do it
> > is a simple form variable; the XMLRPC spec states that the xmlrpc
> > message is the body of a HTTP-POST request, so I figure that leaves
> > HTTP-GET available for (ab)use. I'd like to do this in a manner that
> > works with other xmlrpc implementations (if not supporting the
> > verification, silently ignoring the signature).
>
> I am not absolutely certain, but in my simple tests trying to write a
> php-based daemon for xml-rpc I found that GET or POST requests send the
> entire set of values on one line, the difference being the first line
> of the request specifying GET or POST. In this library at least, the
> variable HTTP_RAW_POST_DATA is used to decode the entire request. This
> is most likely because PHP does not know what to do with a POST or GET
> that is multiline as with XML-RPC. In other words, I think you could
> still use POST. iirc, it looks something like this:
>
> POST /RPC2 HTTP/1.0
> User-Agent: Frontier/5.1.2 (WinNT)
>
> > Have you heard of any other implementations that allow this, or similar
> > workarounds (perhaps passing the signature elsewhere)? Do you have any
>
> This could be sent in an Authorization: Basic header so long as the server
> knows how to decode it. I wrote this into phpgroupware and now groupwhere's
> implementation of its XML-RPC server since I did not find any other way.
> Your work would be very welcome if it first does not break other
> implementations (of course).
_______________________________________________ phpxmlrpc mailing list [EMAIL PROTECTED] http://lists.usefulinc.com/cgi-bin/mailman/listinfo/phpxmlrpc
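The exchange the thread is designing, as an added example that is not code from phpxmlrpc, Apache XML-RPC, phpgroupware/groupwhere or any of the posters: the client signs the exact bytes of the serialized XML-RPC body with its private key (Ed25519 here) and carries the signature in request headers instead of a GET variable or the Authorization: Basic header; the server reads the raw POST body first (what PHP exposes as HTTP_RAW_POST_DATA), verifies it against the public key it holds for that client, and refuses the call otherwise; a server that has never heard of the headers answers the POST as usual, which is the "silently ignoring the signature" interop behaviour asked for. The header names X-XMLRPC-Key-Id and X-XMLRPC-Signature, the key id "client-1", the sample methodCall and the two in-process servers are assumptions made up for this example. It is written in Go so it runs against the standard library alone.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Header names are an assumption of this example, not anything phpxmlrpc or Apache
// XML-RPC define; the thread itself considered a GET variable or Authorization: Basic.
const keyIDHeader, sigHeader = "X-XMLRPC-Key-Id", "X-XMLRPC-Signature"

// Constructed sample request: the serialized xmlrpcmsg that becomes the POST body.
const samplePayload = `<?xml version="1.0"?><methodCall><methodName>examples.getStateName</methodName><params><param><value><i4>41</i4></value></param></params></methodCall>`

// signPayload signs the exact bytes of the serialized body; base64 keeps it header-safe.
func signPayload(priv ed25519.PrivateKey, body []byte) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, body))
}

// verifyPayload checks a header value against the raw body with the client's public key.
func verifyPayload(pub ed25519.PublicKey, body []byte, sigB64 string) error {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || !ed25519.Verify(pub, body, sig) {
		return errors.New("signature missing, malformed or does not verify against body")
	}
	return nil
}

// verifyingHandler is the server side: read the raw POST body first (PHP's HTTP_RAW_POST_DATA),
// verify the signature over those exact bytes, and only then decode the XML-RPC call (stubbed).
func verifyingHandler(keys map[string]ed25519.PublicKey) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(r.Body)
		pub, known := keys[r.Header.Get(keyIDHeader)]
		if err != nil || !known || verifyPayload(pub, body, r.Header.Get(sigHeader)) != nil {
			http.Error(w, "request not authenticated", http.StatusUnauthorized) // one generic refusal
			return
		}
		io.WriteString(w, `<?xml version="1.0"?><methodResponse><params><param><value><string>South Dakota</string></value></param></params></methodResponse>`)
	})
}

// postWithSignature sends an XML-RPC POST carrying the key id and a precomputed
// signature in headers and returns the HTTP status code.
func postWithSignature(url, keyID, sigB64 string, body []byte) (int, error) {
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return 0, err
	}
	req.Header.Set("Content-Type", "text/xml")
	req.Header.Set(keyIDHeader, keyID)
	req.Header.Set(sigHeader, sigB64)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// runExchange plays three requests against in-process servers and returns their status
// codes: a correctly signed call, the same signature over a body altered in transit,
// and the signed call against a server that has never heard of the signature headers.
func runExchange() (signed, tampered, legacy int, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	verifier := httptest.NewServer(verifyingHandler(map[string]ed25519.PublicKey{"client-1": pub}))
	defer verifier.Close()
	// Plain XML-RPC server: ignores the unknown headers and answers the POST as usual.
	old := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, `<?xml version="1.0"?><methodResponse><params><param><value><string>ok</string></value></param></params></methodResponse>`)
	}))
	defer old.Close()
	body := []byte(samplePayload)
	sig := signPayload(priv, body)
	if signed, err = postWithSignature(verifier.URL+"/RPC2", "client-1", sig, body); err != nil {
		return
	}
	altered := bytes.Replace(body, []byte("<i4>41</i4>"), []byte("<i4>42</i4>"), 1)
	if tampered, err = postWithSignature(verifier.URL+"/RPC2", "client-1", sig, altered); err != nil {
		return
	}
	legacy, err = postWithSignature(old.URL+"/RPC2", "client-1", sig, body)
	return
}

func main() {
	signed, tampered, legacy, err := runExchange()
	fmt.Println(signed, tampered, legacy, err) // 200 401 200 <nil>
}
```

Two points a practitioner would check before adopting this shape. The signature must be computed over the byte string the server will actually read, so the client signs after serialization and the server verifies before any XML parsing or canonicalisation touches the body. And because only the body is signed, a captured request could be replayed verbatim against the server; binding a nonce or timestamp into the signed bytes is the natural next step and is outside what the thread discusses.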