continuum-dev mailing list archives

From Emmanuel Venisse <emman...@venisse.net>
Subject Re: XML RPC security
Date Fri, 27 Apr 2007 12:37:18 GMT
I think it's the best solution. With a token, we don't have login/password over the network for
each request.

XmlRpcService
   String login( username, password ) //return a token
   {
       return tokenManager.login( username, password );
   }

   Object method1( token, params ) //null token for guest user or a getGuestToken() method that will return it
   {
       User user = tokenManager.getUser( token );
       ...
   }
   Object method2( token, params )
   {
       ...
   }

TokenManager
   String login( username, password ); //return a token
   User getUser( token )

The TokenManager can be a plexus component with a default implementation for redback.
wdyt?

Emmanuel

Emmanuel Venisse wrote:
> Hey guys,
> 
> Some quick notes on the security for XML RPC interface. This is what I
> am thinking...
> 
> Have an AuthenticatedXmlRpcService component that services the xml rpc
> requests. The first request from a client to the service is a request
> for authentication. A successful authentication returns an
> authentication Token, which is passed along with subsequent requests by
> the client. A Token can go stale (configurable time period?) if there
> were no requests detected for it. Also, we could have a service that
> answers any polling requests and keeps a Token 'alive'.
> 
> Thoughts?
> 
> Rahul
> 
> 
> 
> 
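
The token scheme discussed in this thread, as an added Java sketch that is not part of either message and is not Continuum or Redback code. The class name IdleTokenManager and the BiPredicate credential check are hypothetical stand-ins for the real authentication backend; the idle period is the "configurable time period" from the quoted proposal.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiPredicate;

// Added sketch: class and member names are hypothetical, not Continuum or Redback API.
public class IdleTokenManager {
    private static final class Session {
        final String user;
        volatile long lastSeen; // System.nanoTime() of the last request
        Session(String user, long now) { this.user = user; this.lastSeen = now; }
    }

    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final BiPredicate<String, String> credentials; // assumed password check
    private final long idleNanos;                           // configurable stale period

    public IdleTokenManager(BiPredicate<String, String> credentials, long idleMillis) {
        this.credentials = credentials;
        this.idleNanos = idleMillis * 1_000_000L;
    }

    // Returns a fresh random token; the password is not sent again after this call.
    public String login(String username, String password) {
        if (!credentials.test(username, password)) throw new SecurityException("authentication failed");
        byte[] raw = new byte[32]; // 256 bits from a CSPRNG, so tokens cannot be guessed
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, new Session(username, System.nanoTime()));
        return token;
    }

    // Resolves a token to a user name; each successful call keeps the token alive.
    public String getUser(String token) {
        if (token == null) return "guest"; // null token stands for the guest user
        Session s = sessions.get(token);
        if (s == null) throw new SecurityException("unknown token");
        long now = System.nanoTime(); // monotonic, unaffected by wall-clock changes
        if (now - s.lastSeen > idleNanos) {
            sessions.remove(token); // stale: no request arrived within the idle window
            throw new SecurityException("token expired");
        }
        s.lastSeen = now;
        return s.user;
    }
}
```

A keep-alive polling method on the XML-RPC service would only need to call getUser( token ), since every successful lookup refreshes the idle timer.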

