continuum-dev mailing list archives

From "Jesse McConnell" <jesse.mcconn...@gmail.com>
Subject Re: XML RPC security
Date Mon, 30 Apr 2007 17:02:16 GMT
I have never really messed with authenticated web services at all so
not sure what to say..

I'll take a look through that though, thanks carlos

jesse

On 4/30/07, Carlos Sanchez <carlos@apache.org> wrote:
> I don't think you need to handle the authentication part in the
> continuum code, nor need to create tokens,...
>
> If you use standard Digest authentication the password is encrypted,
> and if you tie that with https then it's completely secure.
>
> Acegi uses a filter to process all the requests and populate the auth
> info or return the standard http codes if user not authenticated
> http://www.acegisecurity.org/docbook/acegi.html#digest
>
>
> On 4/30/07, Jesse McConnell <jesse.mcconnell@gmail.com> wrote:
> > I am hoping to get a couple of authn and authz web services running in
> > redback this week, once I finish up the role profile refactor and
> > clean up, I want to wack out a webservice and then start getting
> > continuum integrated to using the new redback setup.
> >
> > sounds like that would work perfectly for this xml-rpc stuff in continuum.
> >
> > rahul, planning on using xfire until the apache CXF stuff gets it
> > first release out of the incubator...that sound good?
> >
> > jesse
> >
> > On 4/30/07, Emmanuel Venisse <emmanuel@venisse.net> wrote:
> > > Maybe, but I can't find it.
> > >
> > > Emmanuel
> > >
> > > Rahul Thakur a écrit :
> > > > I thought there was something similar to this that exists in Redback?
> > > >
> > > > Rahul
> > > >
> > > > ----- Original Message ----- From: "Emmanuel Venisse"
> > > > <emmanuel@venisse.net>
> > > > To: <continuum-dev@maven.apache.org>
> > > > Sent: Saturday, April 28, 2007 12:37 AM
> > > > Subject: Re: XML RPC security
> > > >
> > > >
> > > >> I think it's best solution. With a token, we don't have login/password
> > > >> over the network for each request.
> > > >>
> > > >> XmlRpcService
> > > >>   String login( String username, String password ) // returns a token
> > > >>   {
> > > >>       return tokenManager.login( username, password );
> > > >>   }
> > > >>
> > > >>   Object method1( String token, Object[] params ) // null token for guest user, or a
> > > >> getGuestToken() method that will return it
> > > >>   {
> > > >>       User user = tokenManager.getUser( token );
> > > >>       ...
> > > >>   }
> > > >>   Object method2( String token, Object[] params )
> > > >>   {
> > > >>       ...
> > > >>   }
> > > >>
> > > >> TokenManager
> > > >>   String login( String username, String password ); // returns a token
> > > >>   User getUser( String token );
> > > >>
> > > >> The TokenManager can be a plexus component with a default
> > > >> implementation for redback.
> > > >> wdyt?
> > > >>
> > > >> Emmanuel
> > > >>
> > > >> Emmanuel Venisse a écrit :
> > > >>> Hey guys,
> > > >>>
> > > >>> Some quick notes on the security for the XML RPC interface. This is what I
> > > >>> am thinking...
> > > >>>
> > > >>> Have an AuthenticatedXmlRpcService component that services the xml rpc
> > > >>> requests. The first request from a client to the service is a request
> > > >>> for authentication. A successful authentication returns an
> > > >>> authentication Token, which is passed along with subsequent requests by
> > > >>> the client. A Token can go stale (configurable time period?) if there
> > > >>> were no requests detected for it. Also, we could have a service that
> > > >>> answers any polling requests and keeps a Token 'alive'.
> > > >>>
> > > >>> Thoughts?
> > > >>>
> > > >>> Rahul
> > > >>>
> > --
> > jesse mcconnell
> > jesse.mcconnell@gmail.com
> >
>
>
> --
> I could give you my word as a Spaniard.
> No good. I've known too many Spaniards.
>                              -- The Princess Bride
>


-- 
jesse mcconnell
jesse.mcconnell@gmail.com
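As an added example, not code from this thread or from Continuum/Redback: a TokenManager in the shape Emmanuel sketched, with the idle expiry and polling keep-alive Rahul described. The Authenticator interface, the User record and the 128-bit token size are assumptions.

```java
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example, not Continuum or Redback code. Authenticator, User and the
// 128-bit token size are assumptions; idleTimeout is the "configurable time
// period" from the thread. The token is a bearer credential on the wire, so
// the XML-RPC endpoint still belongs behind HTTPS, as Carlos points out.
public class TokenManager {
    public interface Authenticator { User authenticate(String username, String password); }
    public record User(String name) {}
    private record Session(User user, Instant lastSeen) {}

    private final Authenticator authenticator;
    private final Duration idleTimeout;
    private final Clock clock;                 // injectable so expiry can be unit-tested
    private final SecureRandom random = new SecureRandom();
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();

    public TokenManager(Authenticator authenticator, Duration idleTimeout, Clock clock) {
        this.authenticator = authenticator; this.idleTimeout = idleTimeout; this.clock = clock;
    }

    // Checks the credentials once; returns an opaque, unguessable token, or null if rejected.
    public String login(String username, String password) {
        User user = authenticator.authenticate(username, password);
        if (user == null) return null;
        byte[] raw = new byte[16];
        random.nextBytes(raw);                 // CSPRNG, never a counter or a timestamp
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, new Session(user, clock.instant()));
        return token;
    }

    // Resolves a token to its user and refreshes its idle timer. Returns null for a
    // null token (the guest case from the thread) and for unknown or stale tokens.
    public User getUser(String token) {
        Session s = token == null ? null : sessions.get(token);
        if (s == null) return null;
        Instant now = clock.instant();
        if (Duration.between(s.lastSeen(), now).compareTo(idleTimeout) > 0) {
            sessions.remove(token);            // stale: the client must log in again
            return null;
        }
        sessions.put(token, new Session(s.user(), now));
        return s.user();
    }

    // The polling keep-alive service Rahul suggested: true while the token is still valid.
    public boolean keepAlive(String token) { return getUser(token) != null; }
}
```

Because every successful `getUser` call refreshes `lastSeen`, a client that calls `keepAlive` more often than `idleTimeout` keeps its token from going stale without re-sending its password.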