Dieter Maurer wrote:
David A. Riggs wrote at 2004-6-8 18:33 -0400:
...
zope = xmlrpclib.Server('http://user:password@zopeserver')
zope.some.object.method()
Is there no more secure way to make an XML-RPC call than this? I'd like to tunnel over HTTPS, but placing the password in the request URL like this exposes it insecurely. What's the safest way to do this?
When you use HTTPS, then the complete request is encrypted, including the URL. It might be possible that the server log file includes the user/password info. Check whether this is the case. If not, this method is as secure as others.
Sure enough, you're right. I sniffed the network traffic with ethereal and grepped through my Z2.log and Apache's access.log with no sign of username or password (though the log side of it is out of the hands of the sender, really).

Thanks for clarifying!

--
- David A. Riggs <riggs at csee dot wvu dot edu>
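
The check discussed in this thread, as an added example that is not part of the original messages: it shows where the `user:password@` part of the URL ends up in the request, and scans log lines for the forms in which the credentials could appear. It uses Python 3's `xmlrpc.client` (the successor of the `xmlrpclib` module in the post); the password, the log lines and the helper names are constructed for illustration.

```python
import base64
import urllib.parse
import xmlrpc.client

# Constructed sample values; only the URL shape comes from the post.
USER, PASSWORD = "user", "s3cr3t/pw"
URL = "https://user:s3cr3t%2Fpw@zopeserver/"

def request_parts(url):
    """Return (host, path, headers) as xmlrpc.client derives them from url."""
    parsed = urllib.parse.urlsplit(url)
    # The transport strips "user:password@" and turns it into a header.
    host, headers, _ = xmlrpc.client.SafeTransport().get_host_info(parsed.netloc)
    return host, parsed.path or "/RPC2", dict(headers)

def credential_markers(user, password):
    """Map every string that would betray the credentials to a label."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {
        password: "plaintext password",
        urllib.parse.quote(password, safe=""): "url-encoded password",
        token: "basic-auth token",
    }

def find_leaks(log_lines, user, password):
    """Return (line_number, label) for each credential marker found."""
    markers = credential_markers(user, password)
    return [(n, label)
            for n, line in enumerate(log_lines, 1)
            for needle, label in markers.items() if needle in line]

# Constructed log lines: a clean access-log entry, a header dump, a URL dump.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jun/2004:18:40:01 -0400] "POST / HTTP/1.1" 200 512',
    "DEBUG headers: Authorization: Basic "
    + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode(),
    "client-debug: calling https://user:s3cr3t%2Fpw@zopeserver/",
]

if __name__ == "__main__":
    host, path, headers = request_parts(URL)
    print("request line target:", host, path)
    print("header names:", sorted(headers))
    for line_no, label in find_leaks(SAMPLE_LOG, USER, PASSWORD):
        print(f"log line {line_no}: {label}")
```

The Basic token is only base64-encoded, so a log line that contains it discloses the password just as a plaintext hit does.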