bloodhound-user mailing list archives

From Olemis Lang <>
Subject Re: xmlrpc auth question
Date Mon, 10 Mar 2014 22:25:58 GMT
On Mon, Mar 10, 2014 at 4:43 PM, Mark Abbate <> wrote:

> Hello All

Hi!

> I am stuck on xmlrpc auth.
> I am using 0.8dev and the latest xmlrpc plugin, with sqlite and the
> builtin server.

tracd you mean? If so, this is a known issue. There's a candidate
solution proposed in this ticket for Trac [2]_

> I am using the apache xmlrpc java libs and I am also using chrome-postman
> to cross-check.

jftr, see this sample code [1]_. I tested against a BH 0.8-dev instance
(powered by apache2 web server, btw) and it works as expected with minor

> I *think* that the only way I can create a ticket using xmlrpc or postman
> is by using this URL:
>     http://leela:8000/OSPS/products/mercer/login/xmlrpc
> and by giving anonymous TRAC_ADMIN and XML_RPC permissions.

that's a combination of permissions I honestly do not recommend

> I cannot get this URL to work:
>     http://leela:8000/OSPS/login/rpc

That URL seems to belong in the global environment; you should not have
tickets there in deployments by default, but in products.

> The log output shows:
>     2014-03-10 16:10:07,696 Trac[web_ui] DEBUG: RPC(XML-RPC) call by
> 'anonymous'
> despite creating valid basic auth headers in postman, or in the java
> xmlrpc code.
> The log output ends with:
>      ServiceException: ServiceException details : columns product, id are
> not unique

What version of BH are you running?

> If I log in from another tab in the browser, and then use postman, I get
> the same error but I do see my login name:
>     2014-03-10 16:14:46,459 Trac[web_ui] DEBUG: RPC(XML-RPC) call by
> 'mabbate'
> (That user does have TRAC_ADMIN and XML_RPC permissions)

This is documented in [2]_. What happens (with tracd) is that there is no
way to challenge the RPC client when requesting /products/P/login/.* . The
only possible URLs supported by the tracd auth mechanism are /login/*, which
lead you to the global env.

> So, how can I use xmlrpc with a non-anonymous user to avoid giving
> anonymous those permissions?

... with tracd there's no hope as long as something is done about [2]_.
AFAICR I proposed a patch for BH but it is not committed in /trunk.

> I have looked around, read this:
> but that's over my head at this point. The fundamental issue seems
> similar, the http server is defaulting to anonymous.
> I saw the note about use of AccountManagerPlugIn. I am using
> "TracAccountManager 0.4.3 User account management plugin for Trac"
> so I did add as suggested.
>     [account-manager]
>     environ_auth_overwrite = false

jftr ... it's a lower level issue with tracd. Like I just said, it will
not force the RPC client to send a challenge.


.. [1]

.. [2]


Olemis - @olemislc

Apache(tm) Bloodhound contributor
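
An added illustration of the behaviour described in the reply above (not part of the original message, and not Trac or Bloodhound code): a Python 3 probe that checks whether an unauthenticated request to a path is answered with an HTTP 401 challenge. `StandIn` is a constructed local server that only models the rule stated in the message (a challenge for /ENV/login/* and nothing else); `issues_challenge` and `probe` are hypothetical names, and the two paths are the ones quoted in the thread.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class StandIn(BaseHTTPRequestHandler):
    """Constructed stand-in, not tracd: challenges only /ENV/login/*."""

    def do_GET(self):
        parts = self.path.strip("/").split("/")
        wants_auth = len(parts) > 1 and parts[1] == "login"
        if wants_auth and "Authorization" not in self.headers:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="constructed"')
        else:
            # No challenge: a client that waits for one stays 'anonymous'.
            self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def issues_challenge(url):
    """True if an unauthenticated GET gets 401 plus WWW-Authenticate."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=5):
            return False
    except urllib.error.HTTPError as err:
        return err.code == 401 and "WWW-Authenticate" in err.headers


def probe(paths):
    """Start the stand-in on a free local port and probe each path."""
    server = HTTPServer(("127.0.0.1", 0), StandIn)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = "http://127.0.0.1:%d" % server.server_port
        return {p: issues_challenge(base + p) for p in paths}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, ok in probe(["/OSPS/login/rpc",
                           "/OSPS/products/mercer/login/xmlrpc"]).items():
        print(path, "-> challenge" if ok else "-> no challenge, stays anonymous")
```

Pointing `issues_challenge` at a real deployment's RPC URL shows whether the web server in front of it ever asks for credentials on that path, which is the precondition for granting XML_RPC to named users instead of anonymous.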
