continuum-dev mailing list archives

From "Carlos Sanchez" <car...@apache.org>
Subject Re: XML RPC security
Date Mon, 30 Apr 2007 16:57:15 GMT
I don't think you need to handle the authentication part in the
continuum code, nor need to create tokens,...

If you use standard Digest authentication the password is encrypted,
and if you tie that with https then it's completely secure.

Acegi uses a filter to process all the requests and populate the auth
info, or return the standard http codes if the user is not authenticated:
http://www.acegisecurity.org/docbook/acegi.html#digest


On 4/30/07, Jesse McConnell <jesse.mcconnell@gmail.com> wrote:
> I am hoping to get a couple of authn and authz web services running in
> redback this week, once I finish up the role profile refactor and
> clean up, I want to whack out a webservice and then start getting
> continuum integrated to using the new redback setup.
>
> sounds like that would work perfectly for this xml-rpc stuff in continuum.
>
> rahul, planning on using xfire until the apache CXF stuff gets its
> first release out of the incubator...that sound good?
>
> jesse
>
> On 4/30/07, Emmanuel Venisse <emmanuel@venisse.net> wrote:
> > Maybe, but I can't find it.
> >
> > Emmanuel
> >
> > Rahul Thakur wrote:
> > > I thought there was something similar to this that exists in Redback?
> > >
> > > Rahul
> > >
> > > ----- Original Message ----- From: "Emmanuel Venisse"
> > > <emmanuel@venisse.net>
> > > To: <continuum-dev@maven.apache.org>
> > > Sent: Saturday, April 28, 2007 12:37 AM
> > > Subject: Re: XML RPC security
> > >
> > >
> > >> I think it's the best solution. With a token, we don't have login/password
> > >> over the network for each request.
> > >>
> > >> XmlRpcService
> > >>   String login( username, password ) //return a token
> > >>   {
> > >>       return tokenManager.login( username, password );
> > >>   }
> > >>
> > >>   //null token for guest user or a getGuestToken() method that will return it
> > >>   Object method1( token, params )
> > >>   {
> > >>       User user = tokenManager.getUser( token );
> > >>       ...
> > >>   }
> > >>   Object method2( token, params )
> > >>   {
> > >>       ...
> > >>   }
> > >>
> > >> TokenManager
> > >>   String login( username, password ); //return a token
> > >>   User getUser( token )
> > >>
> > >> The TokenManager can be a plexus component with a default
> > >> implementation for redback.
> > >> wdyt?
> > >>
> > >> Emmanuel
> > >>
> > >> Emmanuel Venisse wrote:
> > >>> Hey guys,
> > >>>
> > >>> Some quick notes on the security for XML RPC interface. This is what I
> > >>> am thinking...
> > >>>
> > >>> Have an AuthenticatedXmlRpcService component that services the xml rpc
> > >>> requests. The first request from a client to the service is a request
> > >>> for authentication. A successful authentication returns an
> > >>> authentication Token, which is passed along with subsequent requests by
> > >>> the client. A Token can go stale (configurable time period?) if there
> > >>> were no requests detected for it. Also, we could have a service that
> > >>> answers any polling requests and keeps a Token 'alive'.
> > >>>
> > >>> Thoughts?
> > >>>
> > >>> Rahul
> > >>>
> > >>>
> > >>>
> > >>>
> > >>
> > >
> > >
> > >
> > >
> >
> >
>
>
> --
> jesse mcconnell
> jesse.mcconnell@gmail.com
>


-- 
I could give you my word as a Spaniard.
No good. I've known too many Spaniards.
                             -- The Princess Bride
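
The token scheme proposed in the quoted messages (login returns a token, the token goes stale after a configurable idle period, any request keeps it alive), sketched in Java as an added example. It is not code from Continuum or Redback; `IdleTokenManager`, its method names and the sample user are hypothetical, and credential checking is assumed to happen before `issue` is called.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example (hypothetical names): in-memory token store with idle expiry.
public class IdleTokenManager {
    private static final class Session {
        final String user;
        volatile long lastSeenMillis;
        Session(String user, long now) { this.user = user; this.lastSeenMillis = now; }
    }

    private final SecureRandom random = new SecureRandom();
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final long idleTimeoutMillis;   // the "configurable time period"

    public IdleTokenManager(long idleTimeoutMillis) { this.idleTimeoutMillis = idleTimeoutMillis; }

    // Assumption: the caller has already verified the credentials against the user store.
    public String issue(String user, long now) {
        byte[] raw = new byte[32];          // 256 bits from a CSPRNG, so tokens are not guessable
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, new Session(user, now));
        return token;
    }

    // Returns the user for a live token and refreshes its idle timer;
    // returns null for a null, unknown or stale token (the caller decides on guest access).
    public String getUser(String token, long now) {
        if (token == null) return null;
        Session s = sessions.get(token);
        if (s == null) return null;
        if (now - s.lastSeenMillis > idleTimeoutMillis) {
            sessions.remove(token);         // stale: drop it so it cannot be revived
            return null;
        }
        s.lastSeenMillis = now;             // any valid request keeps the token alive
        return s.user;
    }

    public static void main(String[] args) {
        IdleTokenManager tm = new IdleTokenManager(60_000);   // 60 s idle timeout
        String token = tm.issue("alice", 0);                  // constructed sample user
        System.out.println(tm.getUser(token, 30_000));        // used inside the idle window
        System.out.println(tm.getUser(token, 85_000));        // 55 s after the last use
        System.out.println(tm.getUser(token, 200_000));       // idle longer than the timeout
        System.out.println(tm.getUser("forged-token", 0));    // never issued
    }
}
```

The token is a bearer credential, so it needs the same transport protection (https) as the password it replaces.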
