Reputation: 1599
I need to make an XMLRPC request that has to be authenticated, and have found limited documentation on the authentication side of XMLRPC. What's the best way to go about this? Right now I'm using the code below but still getting an authentication failure. Is there a different way to specify the client, then call a secondary auth method?
client = XMLRPC::Client.new(@xmlrpc_url, "/xmlrpc.php", "443", nil, nil, @username, @password, true, 900)
Upvotes: 1
Views: 10263
Reputation: 85368
Looking into IXR http://scripts.incutio.com/xmlrpc/basic-server-construction.php it shows how to do basic authentication but doesn't look very secure
Upvotes: 0
Reputation: 58681
...I'm using the code below but still getting an authentication failure
Double-check that the remote webserver is accepting HTTP Basic Authentication for the resource /xmlrpc.php, and that it further accepts your @username and @password.
Per the docs, your XMLRPC incantation for an RPC client.call("bwizzy") will generate something with Basic Auth like this:
POST /xmlrpc.php HTTP/1.1
User-Agent: XMLRPC::Client (Ruby 1.9.1)
Content-Type: text/xml; charset=utf-8
Content-Length: 88
Connection: keep-alive
Authorization: Basic c3RhY2s6b3ZlcmZsb3c=
Accept: */*
Host: localhost

<?xml version="1.0" ?><methodCall><methodName>bwizzy</methodName><params/></methodCall>
(Please don't complain to me about the order of those headers -- that's what I see on the wire! :))
Now, XML-RPC does not itself provide for authentication, so you have a few general options:
Use typical "web auth" techniques
HTTP Authorization schemes, like you are currently using. Trusted client-side certs. Cookie authentication tokens. Etc.
Typical web auth techniques carry common risks, however. Poke around SO for more guidance here.
Extend the RPC functions to support user-defined auth
For example, the RPC call bwizzy might take a username and password as arguments.
Or a login RPC function might generate a time-limited token to be used as a Cookie.
This approach is invasive -- now your RPC calls have to be auth-aware -- and error-prone -- now you have to implement auth yourself.
Extend XML-RPC itself
The XML RPC calls could be themselves signed or signed and encrypted, for example, à la SOAP's digital signatures.
Upvotes: 0
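The Basic Authorization header from the answer above, decoded and checked the way a server would, as an added example that is not part of the original answer. The `authorize` helper, the `accounts` table and the `xmlrpc` realm are assumptions made for illustration; the point is that the header carries the credentials as plain base64, so it relies on TLS underneath.

```ruby
require 'base64'

# Header value a client sends for HTTP Basic auth: base64("user:password").
def basic_auth_header(user, password)
  'Basic ' + Base64.strict_encode64("#{user}:#{password}")
end

# Decode an Authorization header value; returns [user, password] or nil.
def parse_basic_auth(value)
  scheme, token = value.to_s.strip.split(/\s+/, 2)
  return nil unless scheme&.casecmp?('Basic') && token
  user, password = Base64.strict_decode64(token).split(':', 2)
  password ? [user, password] : nil
rescue ArgumentError # token was not valid base64
  nil
end

# Compare secrets without returning early at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Header block of a raw HTTP request as a hash with lower-cased names.
def request_headers(raw)
  head = raw.split(/\r?\n\r?\n/, 2).first.to_s
  head.split(/\r?\n/).drop(1).to_h do |line|
    name, value = line.split(':', 2)
    [name.strip.downcase, value.to_s.strip]
  end
end

# Server-side answer as [status, headers]; accounts is a hypothetical { user => password } table.
def authorize(raw, accounts, realm: 'xmlrpc')
  user, password = parse_basic_auth(request_headers(raw)['authorization'])
  expected = accounts[user]
  return [200, {}] if expected && secure_equal?(password, expected)
  [401, { 'WWW-Authenticate' => %(Basic realm="#{realm}") }]
end

# Constructed sample: the request from the answer, trimmed to the relevant headers.
SAMPLE_REQUEST = <<~REQ
  POST /xmlrpc.php HTTP/1.1
  Authorization: Basic c3RhY2s6b3ZlcmZsb3c=
  Host: localhost

  <methodCall><methodName>bwizzy</methodName><params/></methodCall>
REQ
p authorize(SAMPLE_REQUEST, { 'stack' => 'overflow' })
```

A 401 with a `WWW-Authenticate: Basic` challenge means the endpoint uses Basic auth and rejected the credentials; a failure without that challenge suggests the server expects a different scheme.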