I am hoping to get a couple of authn and authz web services running in
redback this week, once I finish up the role profile refactor and
clean up, I want to whack out a webservice and then start getting
continuum integrated to using the new redback setup.

sounds like that would work perfectly for this xml-rpc stuff in continuum.

rahul, planning on using xfire until the apache CXF stuff gets its
first release out of the incubator...that sound good?

jesse

On 4/30/07, Emmanuel Venisse <[EMAIL PROTECTED]> wrote:
Maybe, but I can't find it.

Emmanuel

Rahul Thakur wrote:
> I thought there was something similar to this that exists in Redback?
>
> Rahul
>
> ----- Original Message ----- From: "Emmanuel Venisse"
> <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, April 28, 2007 12:37 AM
> Subject: Re: XML RPC security
>
>
>> I think it's best solution. With a token, we don't have login/password
>> over the network for each request.
>>
>> XmlRpcService
>>   String login( String username, String password ) //return a token
>>   {
>>       return tokenManager.login( username, password );
>>   }
>>
>>   Object method1( String token, Object[] params ) //null token for guest user or a
>> getGuestToken() method that will return it
>>   {
>>       User user = tokenManager.getUser( token );
>>       ...
>>   }
>>   Object method2( String token, Object[] params )
>>   {
>>       ...
>>   }
>>
>> TokenManager
>>   String login( String username, String password ); //return a token
>>   User getUser( String token );
>>
>> The TokenManager can be a plexus component with a default
>> implementation for redback.
>> wdyt?
>>
>> Emmanuel
>>
>> Emmanuel Venisse wrote:
>>> Hey guys,
>>>
>>> Some quick notes on the security for XML RPC interface. This is what I
>>> am thinking...
>>>
>>> Have an AuthenticatedXmlRpcService component that services the xml rpc
>>> requests. The first request from a client to the service is a request
>>> for authentication. A successful authentication returns an
>>> authentication Token, which is passed along with subsequent requests by
>>> the client. A Token can go stale (configurable time period?) if there
>>> were not requests detected for it. Also, we could have a service that
>>> answers any polling requests and keeps a Token 'alive'.
>>>
>>> Thoughts?
>>>
>>> Rahul
--
jesse mcconnell
[EMAIL PROTECTED]

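The token scheme the thread sketches (login once, pass an opaque token with every later call, let an idle token go stale after a configurable period, keep it alive with a cheap polling call, treat a null token as the guest user) written out as a runnable example. This is added illustration, not Continuum or Redback code: the User type, the hard-coded credential check in credentialsValid(), the idle timeout value and the clock source are all assumptions for the example, and a real deployment would delegate the credential check to Redback.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example of the TokenManager design from the thread (not project code).
// User, credentialsValid() and the demo credentials are assumptions for illustration.
public class TokenManager {

    public static final class User {
        public final String name;
        public final boolean guest;
        User(String name, boolean guest) { this.name = name; this.guest = guest; }
    }

    private static final class Session {
        final User user;
        volatile long lastSeen;               // last authenticated use, drives the stale check
        Session(User user, long now) { this.user = user; this.lastSeen = now; }
    }

    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final long idleTimeoutMillis;     // the "configurable time period" from the thread

    public TokenManager(long idleTimeoutMillis) { this.idleTimeoutMillis = idleTimeoutMillis; }

    // Stand-in for the real credential check (Redback would do this); constructed for the demo.
    protected boolean credentialsValid(String username, String password) {
        return "alice".equals(username) && "correct horse".equals(password);
    }

    /** Authenticate once; returns an opaque random token the client sends with later calls. */
    public String login(String username, String password) {
        if (!credentialsValid(username, password)) {
            throw new SecurityException("authentication failed");
        }
        byte[] raw = new byte[32];            // 256 bits from SecureRandom: not guessable or sequential
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, new Session(new User(username, false), now()));
        return token;
    }

    /** Resolve a token to a user; null token means guest. Stale or unknown tokens are rejected. */
    public User getUser(String token) {
        if (token == null) {
            return new User("guest", true);
        }
        Session s = sessions.get(token);
        if (s == null) {
            throw new SecurityException("unknown token");
        }
        long t = now();
        if (t - s.lastSeen > idleTimeoutMillis) {
            sessions.remove(token);           // forget the stale session instead of leaving it around
            throw new SecurityException("token expired");
        }
        s.lastSeen = t;                       // every authenticated call keeps the token alive
        return s.user;
    }

    /** The polling "keep alive" service from the thread is just a cheap authenticated call. */
    public boolean keepAlive(String token) {
        try {
            getUser(token);
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    /** Explicit logout so a client can end a session before it goes stale. */
    public void logout(String token) {
        if (token != null) sessions.remove(token);
    }

    protected long now() { return System.currentTimeMillis(); }

    public static void main(String[] args) throws InterruptedException {
        TokenManager tm = new TokenManager(200);          // 200 ms idle timeout for the demo
        String token = tm.login("alice", "correct horse");
        System.out.println("method1 called as " + tm.getUser(token).name);
        System.out.println("guest call resolved to " + tm.getUser(null).name);
        System.out.println("keepAlive while fresh: " + tm.keepAlive(token));
        Thread.sleep(300);                                // let the token go stale
        System.out.println("keepAlive after idle: " + tm.keepAlive(token));
    }
}
```

Two points worth keeping in mind when wiring this into an XML-RPC service: the token is a bearer credential, so although the password no longer travels with every request, anyone who captures the token can use it until it expires, which is why the transport still wants TLS and the idle timeout should be short; and the token must come from a cryptographic generator (SecureRandom here), since a predictable token would defeat the whole scheme.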