Security + XMLRPC
Using Zope for B2B. Partner websites take orders from their staff or clientele and relay those orders to us. So, the actual communications between these participating companies' servers and our own server are totally automated.

Security exists at 3 layers:

a) Host/IP - we've already filtered hosts that can connect to us based on IP. But, since IPs can be spoofed, we may buy hardware VPN solutions. (problem: hardware vpn can be expensive for our partners or even impossible if they are colocating)

b) Protocol. At the moment I've got a prototype running with XMLRPC which was damned easy to create. However, there is no security mechanism built into XMLRPC (or at least not that I can see). So, all data is transferred in the clear.

c) The data/information itself. Since there is no authentication with XMLRPC, the data itself is encoded (using rotor and other simple python encryption modules) with a unique key that we will provide to each participating company/site.

I really like using XMLRPC but is the above simply a disaster waiting to happen? Would CORBA, HTTPS (ie using SSLeay), or SSH be better suited? And is anyone already doing anything like this?

Thanks in advance,
chas
At 03:16 AM 10/13/99 +0800, chas wrote:
> c) The data/information itself. Since there is no authentication with XMLRPC,

Not true. Authentication is simply not part of the XMLRPC standard; any HTTP-based authentication mechanism can be used, including cookies and Basic authentication. You just have to add the appropriate headers to your POST, and the receiving server has to be able to handle it. Zope certainly can do this.

For both encryption and authentication purposes, however, using SSL would probably be a good idea, especially if you can make use of client certificates, which can be a pretty strong authentication method compared to passwords and the like. Zope can make use of these too, if you write an appropriate UserFolder class based on certificate DN's.
chas wrote:
> b) Protocol. At the moment I've got a prototype running with XMLRPC which was damned easy to create. However, there is no security mechanism built into XMLRPC (or at least not that I can see). So, all data is transferred in the clear.

XMLRPC is based on http. Authentication and Privacy issues for XMLRPC are the same as HTTP. So, you can set a Basic Auth header, use some other method, and encrypt with SSL etc... Because XML-RPC subclasses the http behavior, you would use it just like using http. You can also tunnel it over ssh.

-Michel
> I really like using XMLRPC but is the above simply a disaster waiting to happen? Would CORBA, HTTPS (ie using SSLeay), or SSH be better suited? And is anyone already doing anything like this?

You'd need to make sure that your web server was dealing with HTTPS for you (I don't think Zope has the SSL code), and I don't think xmlrpclib groks HTTPS yet, but once you solve those it should work transparently.

FWIW, all you need to do to stop people IP spoofing is to put a filter on your router which says "if anything comes from the outside world but is addressed as if it came from the inside, drop it". That's just basic firewalling. You shouldn't need any VPN unless you want to dodge the overhead of HTTPS.

XML-RPC security... you know, I can't see any reason why you couldn't adapt any HTTP security scheme to work with XML-RPC.

Regards,
Garth.
--
<gtk@well.com>
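
The replies above all come down to treating XML-RPC as an ordinary HTTP POST and authenticating it with HTTP headers. The following is an added example, not code from any poster in this thread: a Python 3 standard-library server that refuses XML-RPC calls lacking a valid Basic Authorization header, and a client that sends one. The partner name, secret and the place_order method are constructed for the illustration.

```python
import base64, hmac, threading
from xmlrpc.client import ProtocolError, ServerProxy
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

# Constructed per-partner credentials (assumption: one shared secret per site).
PARTNERS = {"partner-a": "constructed-secret-1"}

def basic(user, password):
    """Build the HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class AuthHandler(SimpleXMLRPCRequestHandler):
    def do_POST(self):
        supplied = self.headers.get("Authorization", "").encode()
        # compare_digest does not reveal how much of the value matched.
        known = any(hmac.compare_digest(supplied, basic(u, p).encode())
                    for u, p in PARTNERS.items())
        if known:
            return super().do_POST()  # authenticated: normal XML-RPC dispatch
        # Drain a bounded amount of the body, then refuse without dispatching.
        self.rfile.read(min(int(self.headers.get("Content-Length") or 0), 65536))
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="orders"')
        self.send_header("Content-Length", "0")
        self.end_headers()

def start_server():
    server = SimpleXMLRPCServer(("127.0.0.1", 0), AuthHandler, logRequests=False)
    server.register_function(lambda sku, qty: f"accepted {qty} x {sku}", "place_order")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def place_order(port, user, password):
    """Return the server's reply, or the HTTP status if the call is refused."""
    # Plain HTTP on loopback keeps this runnable offline. Basic credentials are
    # only base64-encoded, so a real link needs https:// (ServerProxy takes context=).
    proxy = ServerProxy(f"http://127.0.0.1:{port}/",
                        headers=[("Authorization", basic(user, password))])
    try:
        return proxy.place_order("SKU-1", 3)
    except ProtocolError as err:
        return err.errcode

if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    print(place_order(port, "partner-a", "constructed-secret-1"))
    print(place_order(port, "partner-a", "wrong"))
    srv.shutdown()
```
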
participants (4)
- chas
- gtk
- Michel Pelletier
- Phillip J. Eby