Cookie and Basic authentication
Hi,

my web application uses cookie based authentication. Which works very well with CookieCrumbler.

Now I have been asked to implement some XML-RPC functions, which should use the same login information but use Basic Authentication.

Any idea how to do that?

Thanks

Ulrich

On Tue, 08 Jun 2004 13:31:20 +0200 Ulrich Wisser <ulrich.wisser@relevanttraffic.se> wrote:

> Hi,
>
> my web application uses cookie based authentication. Which works very well with CookieCrumbler.
>
> Now I have been asked to implement some XML-RPC functions, which should use the same login information but use Basic Authentication.

CookieCrumbler just "fakes" basic auth anyhow. Basic auth will work as usual even with CookieCrumbler in play. Using the xmlrpclib with a recent Python you can just do::

    import xmlrpclib
    zope = xmlrpclib.Server('http://user:password@zopeserver')
    zope.some.object.method()

hth,

-Casey

Casey Duncan wrote:

> On Tue, 08 Jun 2004 13:31:20 +0200 Ulrich Wisser <ulrich.wisser@relevanttraffic.se> wrote:
>
>> my web application uses cookie based authentication. Which works very well with CookieCrumbler.
>>
>> Now I have been asked to implement some XML-RPC functions, which should use the same login information but use Basic Authentication.
>
> CookieCrumbler just "fakes" basic auth anyhow. Basic auth will work as usual even with CookieCrumbler in play. Using the xmlrpclib with a recent Python you can just do::
>
>     import xmlrpclib
>     zope = xmlrpclib.Server('http://user:password@zopeserver')
>     zope.some.object.method()

Is there no more secure way to make an XML-RPC call than this? I'd like to tunnel over HTTPS, but placing the password in the request URL like this exposes it insecurely. What's the safest way to do this?

--
- David A. Riggs <riggs at csee dot wvu dot edu>

David A. Riggs wrote at 2004-6-8 18:33 -0400:

> ...
>     zope = xmlrpclib.Server('http://user:password@zopeserver')
>     zope.some.object.method()
>
> Is there no more secure way to make an XML-RPC call than this? I'd like to tunnel over HTTPS, but placing the password in the request URL like this exposes it insecurely. What's the safest way to do this?

When you use HTTPS, then the complete request is encrypted, including the URL. It might be possible that the server log file includes the user/password info. Check whether this is the case. If not, this method is as secure as others.

--
Dieter

Dieter Maurer wrote:

> David A. Riggs wrote at 2004-6-8 18:33 -0400:
>
>> ...
>>     zope = xmlrpclib.Server('http://user:password@zopeserver')
>>     zope.some.object.method()
>>
>> Is there no more secure way to make an XML-RPC call than this? I'd like to tunnel over HTTPS, but placing the password in the request URL like this exposes it insecurely. What's the safest way to do this?
>
> When you use HTTPS, then the complete request is encrypted, including the URL. It might be possible that the server log file includes the user/password info. Check whether this is the case. If not, this method is as secure as others.

Sure enough, you're right. I sniffed the network traffic with ethereal and grepped through my Z2.log and Apache's access.log with no sign of username or password (though the log side of it is out of the hands of the sender, really). Thanks for clarifying!

--
- David A. Riggs <riggs at csee dot wvu dot edu>

participants (4): Casey Duncan, David A. Riggs, Dieter Maurer, Ulrich Wisser
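
The log check discussed in the thread, as an added example that is not part of the original messages: the XML-RPC client strips `user:password` from the URL and sends it as an `Authorization: Basic` header, so the request line that access logs record carries no credentials, and the header value is only base64-encoded, which is why HTTPS is still needed on the wire. It uses Python 3's `xmlrpc.client` (the current name of `xmlrpclib`) against a constructed loopback server; `RecordingHandler`, `captured` and `call_with_url_credentials` are names made up for this example.

```python
import base64
import threading
import xmlrpc.client  # Python 3 name of the thread's xmlrpclib
from http.server import BaseHTTPRequestHandler, HTTPServer

captured = {}  # what the (constructed) server side saw for the last request


class RecordingHandler(BaseHTTPRequestHandler):
    """Minimal XML-RPC endpoint that records the request line and auth header."""

    def do_POST(self):
        captured["request_line"] = self.requestline
        captured["authorization"] = self.headers.get("Authorization", "")
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        body = xmlrpc.client.dumps(("ok",), methodresponse=True).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/xml")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the demo quiet


def call_with_url_credentials(user="user", password="password"):
    """Call a loopback server with credentials in the URL; return what it saw."""
    server = HTTPServer(("127.0.0.1", 0), RecordingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = "http://%s:%s@127.0.0.1:%d/" % (user, password, server.server_port)
        result = xmlrpc.client.ServerProxy(url).some.object.method()
    finally:
        server.shutdown()
        server.server_close()
    scheme, _, token = captured["authorization"].partition(" ")
    return result, captured["request_line"], scheme, base64.b64decode(token).decode()


if __name__ == "__main__":
    result, request_line, scheme, decoded = call_with_url_credentials()
    print("request line:", request_line)         # the part an access log records
    print("auth header :", scheme, "->", decoded)  # base64 is encoding, not encryption
```

A server or proxy configured to log request headers would still record the `Authorization` value, so the header logging configuration is the thing to check on the receiving side.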