Posted to xmlrpc-dev@ws.apache.org by TomazM <to...@arnes.si> on 2008/07/14 15:46:23 UTC

xmlrpc 3.1

Is there any example how to use Basic Authentication on the server side?

Re: xmlrpc 3.1

Posted by TomazM <to...@arnes.si>.
Jochen Wiedmann wrote:
> On Mon, Jul 14, 2008 at 3:46 PM, TomazM <to...@arnes.si> wrote:
> 
>> Is there any example how to use Basic Authentication on the server side?
> 
> See http://ws.apache.org/xmlrpc/server.html (section "Basic
> Authentication"), and http://ws.apache.org/xmlrpc/client.html
> (properties basicUsername and basicPassword).
> 
> Jochen
> 
I already tried it but I get an exception:

java.lang.NullPointerException
        at org.apache.xmlrpc.webserver.XmlRpcServlet.newPropertyHandlerMapping(XmlRpcServlet.java:180)
        at org.apache.xmlrpc.webserver.XmlRpcServlet.newXmlRpcHandlerMapping(XmlRpcServlet.java:161)
        at server.xml.MySecureServlet.newXmlRpcHandlerMapping(MySecureServlet.java:24)
        at server.xml.XmlRpcStreznik.main(XmlRpcStreznik.java:24)
null


I use:

public class MyServlet extends XmlRpcServlet {
    private boolean isAuthenticated(String pUserName, String pPassword) {
        return "foo".equals(pUserName) && "bar".equals(pPassword);
    }

    protected XmlRpcHandlerMapping newXmlRpcHandlerMapping() throws XmlRpcException {
        PropertyHandlerMapping mapping
            = (PropertyHandlerMapping) super.newXmlRpcHandlerMapping();
        AbstractReflectiveHandlerMapping.AuthenticationHandler handler =
            new AbstractReflectiveHandlerMapping.AuthenticationHandler() {
                public boolean isAuthorized(XmlRpcRequest pRequest) {
                    XmlRpcHttpRequestConfig config =
                        (XmlRpcHttpRequestConfig) pRequest.getConfig();
                    return isAuthenticated(config.getBasicUserName(),
                        config.getBasicPassword());
                }
            };
        mapping.setAuthenticationHandler(handler);
        return mapping;
    }
}

and in Server:

ServerSocket socket_server = new ServerSocket();

//PropertyHandlerMapping phm = new PropertyHandlerMapping();
MySecureServlet ss = new MySecureServlet();
ss.newXmlRpcHandlerMapping();

PropertyHandlerMapping phm = new PropertyHandlerMapping();
//PropertyHandlerMapping phm = (PropertyHandlerMapping) ss.newXmlRpcHandlerMapping();
phm.addHandler("Kalkulator", server.xml.Kalkulator.class);

//phm.load(Thread.currentThread().getContextClassLoader(),"XmlRpcServlet.properties");
/**
 * You may also provide the handler classes directly, like this:
 * phm.addHandler("Calculator",server.Kalkulator.class);
 */
WebServer web_server = new WebServer(port);
//ServletWebServer servlet_ser = new ServletWebServer (ss, port);
XmlRpcServer xml_server = web_server.getXmlRpcServer();
//XmlRpcServer xml_server = servlet_ser.getXmlRpcServer();
xml_server.setHandlerMapping(phm);

XmlRpcServerConfigImpl serverConfig = (XmlRpcServerConfigImpl) xml_server.getConfig();
serverConfig.setEnabledForExtensions(true);
serverConfig.setContentLengthOptional(false);

//xml_server.getHandlerMapping();

web_server.start();


The error is in this code:
PropertyHandlerMapping mapping = (PropertyHandlerMapping) super.newXmlRpcHandlerMapping();


So in Server how do I access this myServlet?

Before, I was using the old rpc-xml 1.2 and it was really easy using basic:

I have MyServers implements AuthenticatedHandler and inside I have the method authenticate; is this possible now?


And is there any way to pass a Kerberos ticket using this method?


Tomaz
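
Added example, not part of the original message and not the project's own code: one way to get Basic Authentication with the standalone WebServer is to set the AuthenticationHandler directly on the PropertyHandlerMapping that is handed to the server, so that no XmlRpcServlet subclass has to be instantiated by hand. The Calculator class, the port 8080 and the class name BasicAuthWebServer are assumptions; the credentials "foo"/"bar" are the ones from the message above.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import org.apache.xmlrpc.XmlRpcRequest;
import org.apache.xmlrpc.common.XmlRpcHttpRequestConfig;
import org.apache.xmlrpc.server.AbstractReflectiveHandlerMapping;
import org.apache.xmlrpc.server.PropertyHandlerMapping;
import org.apache.xmlrpc.webserver.WebServer;

public class BasicAuthWebServer {
    // Hypothetical handler class, standing in for server.xml.Kalkulator.
    public static class Calculator {
        public int add(int a, int b) { return a + b; }
    }

    // Comparison whose duration does not depend on where the values differ.
    // A request without an Authorization header yields null and is rejected.
    static boolean matches(String supplied, String expected) {
        if (supplied == null) return false;
        return MessageDigest.isEqual(
            supplied.getBytes(StandardCharsets.UTF_8),
            expected.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        PropertyHandlerMapping phm = new PropertyHandlerMapping();
        phm.setAuthenticationHandler(
            new AbstractReflectiveHandlerMapping.AuthenticationHandler() {
                public boolean isAuthorized(XmlRpcRequest pRequest) {
                    XmlRpcHttpRequestConfig config =
                        (XmlRpcHttpRequestConfig) pRequest.getConfig();
                    // Evaluate both checks so the response time does not
                    // show which of the two values was wrong.
                    boolean userOk = matches(config.getBasicUserName(), "foo");
                    boolean passOk = matches(config.getBasicPassword(), "bar");
                    return userOk & passOk;
                }
            });
        phm.addHandler("Kalkulator", Calculator.class);

        WebServer webServer = new WebServer(8080); // port is an assumption
        webServer.getXmlRpcServer().setHandlerMapping(phm);
        webServer.start();
    }
}
```

Basic Authentication sends the credentials Base64-encoded, not encrypted, so the listener belongs behind TLS.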

Re: xmlrpc 3.1

Posted by Jochen Wiedmann <jo...@gmail.com>.
On Mon, Jul 21, 2008 at 1:40 PM, TomazM <to...@arnes.si> wrote:

> I would like to pass a token (800 characters long Base64) as a password and on the server side validate this token.

Most HTTP servers (note: *Not* XML-RPC) will refuse that, as headers
are typically restricted to something like 1024 characters.

Jochen


-- 
Look, that's why there's rules, understand? So that you think before
you break 'em.

 -- (Terry Pratchett, Thief of Time)

Re: xmlrpc 3.1

Posted by TomazM <to...@arnes.si>.
Jochen Wiedmann wrote:
> On Mon, Jul 21, 2008 at 12:47 PM, TomazM <to...@arnes.si> wrote:
> 
>> Is there any limitation on HTTP headers in the xmlrpc 3.1 specification?
> 
> Most possibly, you are doing an HTTP GET, rather than an HTTP POST.
> 
> Jochen
> 
> 
I'm using XmlRpcClientConfigImpl(XmlRpcClientConfigImpl.setBasicPassword(pPassword), XmlRpcClientConfigImpl.setBasicUserName(pUser)) and

I'm getting the error:
SEVERE: HTTP Header too long
java.io.IOException: HTTP Header too long
        at org.apache.xmlrpc.util.HttpUtil.readLine(HttpUtil.java:138)


I would like to pass a token (800 characters long Base64) as a password and on the server side validate this token.

Tomaz



Re: xmlrpc 3.1

Posted by Jochen Wiedmann <jo...@gmail.com>.
On Mon, Jul 21, 2008 at 12:47 PM, TomazM <to...@arnes.si> wrote:

> Is there any limitation on HTTP headers in the xmlrpc 3.1 specification?

Most possibly, you are doing an HTTP GET, rather than an HTTP POST.

Jochen



Re: xmlrpc 3.1

Posted by TomazM <to...@arnes.si>.
TomazM wrote:
> Jochen Wiedmann wrote:
>> On Thu, Jul 17, 2008 at 10:54 AM, tomaz <to...@arnes.si> wrote:
>>
>>> Is there a way to use any other type of authentication in 3.1.x, to pass the
>>> Kerberos ticket?
>> Could be done by sending a cookie.
>>
>> Jochen
>>
> On http://ws.apache.org/xmlrpc/advanced.html it says "Note, that this means losing the XmlRpcClients multithreading abilities!" so this is not a good
> solution. I wonder why there is a limitation on the HTTP header; in the HTTP RFC there is no limit on how long the message is (maybe an attacker will put 2G in the header).
> 
> Is there any example or documentation (not API) of how you read this cookie on the server side?
> 
> TomazM
> 
> 
Is there any limitation on HTTP headers in the xmlrpc 3.1 specification?

SEVERE: HTTP Header too long
java.io.IOException: HTTP Header too long
	at org.apache.xmlrpc.util.HttpUtil.readLine(HttpUtil.java:138)

Re: xmlrpc 3.1

Posted by Jochen Wiedmann <jo...@gmail.com>.
On Mon, Jul 21, 2008 at 11:26 AM, TomazM <to...@arnes.si> wrote:

> On http://ws.apache.org/xmlrpc/advanced.html it says "Note, that this means losing the XmlRpcClients multithreading abilities!" so this is not a good
> solution. I wonder why there is a limitation on the HTTP header; in the HTTP RFC there is no limit on how long the message is (maybe an attacker will put 2G in the header).
>
> Is there any example or documentation (not API) of how you read this cookie on the server side?

The problem is not the message size or something like that. If you
bind a cookie to the XmlRpcClient instance, then the instance contains
the details of the current session. For security purposes, you most
possibly don't want to share the instance between multiple threads.

In the case of Basic Authentication, there is no problem to use a
single instance of XmlRpcClient with multiple threads, as the
authentication details are bound to the configuration in that case.

Jochen


Re: xmlrpc 3.1

Posted by TomazM <to...@arnes.si>.
Jochen Wiedmann wrote:
> On Thu, Jul 17, 2008 at 10:54 AM, tomaz <to...@arnes.si> wrote:
> 
>> Is there a way to use any other type of authentication in 3.1.x, to pass the
>> Kerberos ticket?
> 
> Could be done by sending a cookie.
> 
> Jochen
> 
On http://ws.apache.org/xmlrpc/advanced.html it says "Note, that this means losing the XmlRpcClients multithreading abilities!" so this is not a good
solution. I wonder why there is a limitation on the HTTP header; in the HTTP RFC there is no limit on how long the message is (maybe an attacker will put 2G in the header).

Is there any example or documentation (not API) of how you read this cookie on the server side?

TomazM



Re: xmlrpc 3.1

Posted by Jochen Wiedmann <jo...@gmail.com>.
On Thu, Jul 17, 2008 at 10:54 AM, tomaz <to...@arnes.si> wrote:

> Is there a way to use any other type of authentication in 3.1.x, to pass the
> Kerberos ticket?

Could be done by sending a cookie.

Jochen


Re: xmlrpc 3.1

Posted by tomaz <to...@arnes.si>.
Is there a way to use any other type of authentication in 3.1.x, to pass
the Kerberos ticket?
Jochen Wiedmann wrote:
> On Mon, Jul 14, 2008 at 3:46 PM, TomazM <to...@arnes.si> wrote:
>
>   
>> Is there any example how to use Basic Authentication on the server side?
>>     
>
> See http://ws.apache.org/xmlrpc/server.html (section "Basic
> Authentication"), and http://ws.apache.org/xmlrpc/client.html
> (properties basicUsername and basicPassword).
>
> Jochen
>
>   


Re: xmlrpc 3.1

Posted by Jochen Wiedmann <jo...@gmail.com>.
On Mon, Jul 14, 2008 at 3:46 PM, TomazM <to...@arnes.si> wrote:

> Is there any example how to use Basic Authentication on the server side?

See http://ws.apache.org/xmlrpc/server.html (section "Basic
Authentication"), and http://ws.apache.org/xmlrpc/client.html
(properties basicUsername and basicPassword).

Jochen
