Hi; I had the same exact situation and I implemented user/blog creation through this API. Worked great (I was kind of bummed by the fact that I could not control the theme of the newly created blogs, but this was a minor issue). Anyway, as mentioned, enabling this API can cause a security risk. What I did to strengthen the security around the 3.1 AAPP implementation is I added a servlet filter that allows a set of pre-configured IPs to pass, such that only localhost and maybe one more machine IP is allowed to use this option. This solution fitted my needs. Thanks.
________________________________
From: Jeffrey Blattman [mailto:[EMAIL PROTECTED]
Sent: Thu 10/4/2007 8:55 PM
To: [email protected]
Subject: Re: Status of adminapi in 4.0?

fredrik,

http://rollerweblogger.org/wiki/Wiki.jsp?page=DeveloperGuide#section-DeveloperGuide-AtomAdminPublishingProtocol

yes, this is what you want.

basically, it's disabled by default because it provides another way to obtain administrative access to the server. if the service isn't needed it's just prudent to disable it.

the second issue is that the service isn't used by most roller deployments. i think the community wanted to give it some time to gel before making it a prime time feature. feel free to use it, but consider it beta quality software.

just to clear up your confusion when looking at the docs, the name started out as "atom admin publishing protocol", then changed to "roller adminapi", or RAP.

Fredrik Jonson wrote:
> Hi,
>
> I'm using roller 4.0rc as a part of a game site, and it would be very
> convenient for me to be able to create web blogs and users from an
> external webapp (where I keep the rest of the site administration),
> instead of manually setting them up from the roller-ui jsp interface.
>
> The adminapi that I've seen mentioned in presentations and the dev
> mailing list seems like a perfect match. Now, I've read that it's
> disabled by default, so I wonder, is that still correct, and if so why?
> And what's the status of the adminapi (rap?) in roller 4.0? What
> precautions do I need to put in place to put it in use "in production"?
>
> My other alternative would be to enter users and weblogs by accessing
> the database, and IMHO that seems to be a way less proper way than
> using an ever so experimental adminapi. Or, am I wrong?
>
> Any pointers to relevant documentation (oh, btw did I mention that
> roller's install documentation is great!!!) and adminapi discussion would
> be appreciated.
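
Added example, not part of the original messages and not Roller's own code: a servlet filter of the kind described in the reply at the top of this thread, which lets only pre-configured client IPs reach the admin API. The class name, the `allowedAddresses` init-param and the sample addresses are assumptions; the filter would be mapped in web.xml to whatever URL pattern serves the admin API in your deployment.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: only pre-configured client IPs reach the admin API. */
public class AdminApiIpAllowlistFilter implements Filter {
    private final Set<InetAddress> allowed = new HashSet<InetAddress>();

    public void init(FilterConfig config) throws ServletException {
        // "allowedAddresses" is an assumed init-param: comma-separated IP literals,
        // e.g. "127.0.0.1,::1,192.0.2.10" (constructed sample values).
        String raw = config.getInitParameter("allowedAddresses");
        if (raw == null || raw.trim().length() == 0) {
            throw new ServletException("allowedAddresses not set; refusing to start open");
        }
        for (String entry : raw.split(",")) {
            String ip = entry.trim();
            // Accept only strings shaped like IP literals, so no hostname lookup happens.
            if (!ip.matches("[0-9.]+|[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*")) {
                throw new ServletException("Not an IP literal: " + ip);
            }
            try {
                allowed.add(InetAddress.getByName(ip));
            } catch (IOException e) { // UnknownHostException for malformed literals
                throw new ServletException("Bad address: " + ip, e);
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getRemoteAddr() is the TCP peer. Behind a reverse proxy it is the proxy's
        // address, so this check must run where the real peer is visible; headers
        // such as X-Forwarded-For are client-controlled and are not consulted.
        InetAddress peer = InetAddress.getByName(req.getRemoteAddr());
        if (!allowed.contains(peer)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

The filter restricts where requests may come from and does not replace authentication on the API itself; a request from an allowed address still has to present valid admin credentials.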
