Kurt Ward wrote:
b. transport: if we are going to have username and passwords flying over the wire, we need to protect them. XML-RPC over HTTPS? CHAP? Kerberos? Other thoughts?
XML-RPC over HTTPS is pretty straightforward and easy for users to implement. The interactive admin tools I have been working on already do this using the Sun JSSE package (although I have not committed it to the scratchpad area yet). Creation of the random key to start an SSL connection is slow, but the performance is satisfactory in my opinion.
Hmmm... I'm wondering if this startup delay will occur on every XML-RPC request: in this case it might be unacceptable in a production environment with lots of queries. Is it possible (I'm ignorant about JSSE) to cache a session-wide random key for reuse?
The random key is not generated on each request. On initial startup of an XML-RPC client, it takes ~3-4 seconds to generate the key. After that, the key is reused and speed degradation is not very noticeable. (Maybe 30ms or so?)
This is good news. I'm very curious to see how it works; if and when you're ready, count on me for testing. :-)
Ciao,
-- Gianugo Rabellino