You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@turbine.apache.org by Manvendra Baghel <ma...@yahoo.com> on 2005/08/19 16:05:44 UTC
Fwd: Client Authentication in XML RPC
Note: forwarded message attached.
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
Re: Fwd: Client Authentication in XML RPC
Posted by Siegfried Goeschl <si...@it20one.at>.
Hi Madreva,
no, since addClient() affects all of the XML-RPC and only if the
stand-alone webserver is used. Since I don't know your application design
+) a second webapp with different XML-RPC settings might do the trick
assuming static TCP/IP addresses
+) or again subclassing the file handler if the accepted TCP/IP
addresses are completely dynamic, i.e application-based
Cheers,
Siegfried Goeschl
Manvendra Baghel wrote:
>hi Siegfried Goeschl,
>
> YES I want to limit client-side access ONLY for file
>
>upload/download NOT for the whole XML-RPC
>communication
> Can there be any wise use of addClient() method
>for
> it ??
>
> Thanks for help in advance....
> Manvendra Baghel
>
>
>
>
>
>--- Siegfried Goeschl <si...@it20one.at>
>wrote:
>
>
>
>>Hi Manav,
>>
>>since I do not fully understand your problem ...
>>
>>+) do you want to limit client-side access only for
>>file upload/download
>>or for the whole XML-RPC communication? As you have
>>already encountered
>>there is support for restricting access based on
>>TCP/IP addresses
>>+) usually your Turbine application is embedded in a
>>servlet engine such
>>as Tomcat, i.e. you have additional security support
>>& deployment
>>options there
>>+) at the end of the day you can subclass the
>>FileHandler to add
>>additional security constraints .... :-)
>>
>>Cheers,
>>
>>Siegfried Goeschl
>>
>>PS: The secure server stuff is meant for SSL support
>>
>>Manvendra Baghel wrote:
>>
>>
>>
>>>Note: forwarded message attached.
>>>
>>>
>>>__________________________________________________
>>>Do You Yahoo!?
>>>Tired of spam? Yahoo! Mail has the best spam
>>>
>>>
>>protection around
>>
>>
>>>http://mail.yahoo.com
>>>
>>>
>>>
>>>
>>>
>------------------------------------------------------------------------
>
>
>>>Subject:
>>>Client Authentication in XML RPC
>>>From:
>>>Manvendra Baghel <ma...@yahoo.com>
>>>Date:
>>>Fri, 19 Aug 2005 07:03:26 -0700 (PDT)
>>>To:
>>>turbine
>>>
>>>
>><tu...@jakarta.apache.org>,
>>
>>
>>>velocity-user@jakarta.apache.org,
>>>
>>>
>>xmlrpc-user@ws.apache.org
>>
>>
>>>To:
>>>turbine
>>>
>>>
>><tu...@jakarta.apache.org>,
>>
>>
>>>velocity-user@jakarta.apache.org,
>>>
>>>
>>xmlrpc-user@ws.apache.org
>>
>>
>>>Hi friends,
>>>I am working on Turbine 2.3 and velocity.
>>>I am trying to implement xml rpc in Brihaspati e
>>>
>>>
>>LMS
>>
>>
>>>I am unable to decide how to go in for client
>>>authentication.
>>>Turbine xml-rpc service use file handler methods
>>>get/ send for handling files.But they are not
>>>
>>>
>>secure
>>
>>
>>>Any one can access files by them.
>>>MY PROBLEM IS THIS:
>>>I HAVE LIST OF IP ADDRESSES AND I WANT THAT ONLY
>>>
>>>
>>THEY
>>
>>
>>>SHOULD ACCESS MY FILES .
>>> for that how to work with
>>>TurbineResouces.properties
>>>is not clear.
>>>My property file is below
>>>
>>>services.XmlRpcService.handler.file =
>>>org.apache.turbine.services.xmlrpc.util.FileHandler
>>>services.XmlRpcService.handler.remote =
>>>org.iitk.brihaspati.modules.utils.RemoteCourseUtil
>>>services.XmlRpcService.handler.remote1 =
>>>
>>>
>>org.iitk.brihaspati.modules.utils.RemoteCourseUtilServer
>>
>>
>>>services.XmlRpcService.paranoid = true
>>>services.XmlRpcService.acceptClient = 172.28.44.*
>>>services.XmlRpcService.denyClient =
>>>
>>># Do we want a secure server
>>>
>>>services.XmlRpcService.secure.server = false
>>>
>>># Secure server options
>>>
>>>
>>>
>>services.XmlRpcService.secure.server.option.java.protocol.handler.pkgs
>>
>>
>>>= \
>>> com.sun.net.ssl.internal.www.protocol
>>>
>>>
>>>
>>services.XmlRpcService.secure.server.option.security.provider
>>
>>
>>>= \
>>> com.sun.net.ssl.internal.ssl.Provider
>>>
>>>
>>>
>>services.XmlRpcService.secure.server.option.security.protocol
>>
>>
>>>= TLS
>>>
>>># You probably want to keep your key stores and
>>>
>>>
>>trust
>>
>>
>>>stores
>>># clear out of your webapp.
>>>
>>>
>>>
>>services.XmlRpcService.secure.server.option.javax.net.ssl.keyStore
>>
>>
>>>= /tmp/keystore
>>>
>>>
>>services.XmlRpcService.secure.server.option.javax.net.ssl.keyStoreType
>>
>>
>>>= jks
>>>
>>>
>>services.XmlRpcService.secure.server.option.javax.net.ssl.keyStorePassword
>>
>>
>>>= password
>>>
>>>
>>services.XmlRpcService.secure.server.option.javax.net.ssl.trustStore
>>
>>
>>>= /tmp/truststore
>>>
>>>
>>services.XmlRpcService.secure.server.option.javax.net.ssl.trustStoreType
>>
>>
>>>= jks
>>>
>>>
>>services.XmlRpcService.secure.server.option.javax.net.ssl.trustStorePassword
>>
>>
>>>= password
>>>
>>>
>>>
>>services.XmlRpcService.secure.server.option.sun.ssl.keymanager.type
>>
>>
>>>= SunX509
>>>
>>>
>>services.XmlRpcService.secure.server.option.sun.ssl.trust.manager.type
>>
>>
>>>= SunX509
>>>
>>># These values should be set to 'all' for debugging
>>>purposes.
>>>
>>>
>>>
>>services.XmlRpcService.secure.server.option.javax.net.debug
>>
>>
>>>= all
>>>
>>>
>>services.XmlRpcService.secure.server.option.java.security.debug
>>
>>
>>>= all
>>>
>>>
>>>ONE OF MY PROBLEM IS WHEN I SET
>>>services.XmlRpcService.secure.server = true
>>>
>>>Xml rpc call fails
>>>
>>>HOW TO USE SECURE SERVER OPTION......
>>>
>>>Thanks for help in advance
>>>
>>>cheers
>>>Manav
>>>
>>>
>>>
>>>__________________________________________________
>>>Do You Yahoo!?
>>>Tired of spam? Yahoo! Mail has the best spam
>>>
>>>
>>protection around
>>
>>
>>>http://mail.yahoo.com
>>>
>>>
>>>
>>>
>>>
>>------------------------------------------------------------------------
>>
>>
>>---------------------------------------------------------------------
>>
>>
>>>To unsubscribe, e-mail:
>>>
>>>
>>turbine-user-unsubscribe@jakarta.apache.org
>>
>>
>>>For additional commands, e-mail:
>>>
>>>
>>turbine-user-help@jakarta.apache.org
>>
>>
>>
>>
>
>
>__________________________________________________
>Do You Yahoo!?
>Tired of spam? Yahoo! Mail has the best spam protection around
>http://mail.yahoo.com
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: turbine-user-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: turbine-user-help@jakarta.apache.org
>
>
>
>
Re: Fwd: Client Authentication in XML RPC
Posted by Manvendra Baghel <ma...@yahoo.com>.
hi Siegfried Goeschl,
YES I want to limit client-side access ONLY for file
upload/download NOT for the whole XML-RPC
communication
Can there be any wise use of addClient() method
for
it ??
Thanks for help in advance....
Manvendra Baghel
--- Siegfried Goeschl <si...@it20one.at>
wrote:
> Hi Manav,
>
> since I do not fully understand your problem ...
>
> +) do you want to limit client-side access only for
> file upload/download
> or for the whole XML-RPC communication? As you have
> already encountered
> there is support for restricting access based on
> TCP/IP addresses
> +) usually your Turbine application is embedded in a
> servlet engine such
> as Tomcat, i.e. you have additional security support
> & deployment
> options there
> +) at the end of the day you can subclass the
> FileHandler to add
> additional security constraints .... :-)
>
> Cheers,
>
> Siegfried Goeschl
>
> PS: The secure server stuff is meant for SSL support
>
> Manvendra Baghel wrote:
>
> >Note: forwarded message attached.
> >
> >
> >__________________________________________________
> >Do You Yahoo!?
> >Tired of spam? Yahoo! Mail has the best spam
> protection around
> >http://mail.yahoo.com
> >
> >
> >
>
------------------------------------------------------------------------
> >
> > Subject:
> > Client Authentication in XML RPC
> > From:
> > Manvendra Baghel <ma...@yahoo.com>
> > Date:
> > Fri, 19 Aug 2005 07:03:26 -0700 (PDT)
> > To:
> > turbine
> <tu...@jakarta.apache.org>,
> > velocity-user@jakarta.apache.org,
> xmlrpc-user@ws.apache.org
> >
> > To:
> > turbine
> <tu...@jakarta.apache.org>,
> > velocity-user@jakarta.apache.org,
> xmlrpc-user@ws.apache.org
> >
> >
> >Hi friends,
> >I am working on Turbine 2.3 and velocity.
> >I am trying to implement xml rpc in Brihaspati e
> LMS
> >I am unable to decide how to go in for client
> >authentication.
> >Turbine xml-rpc service use file handler methods
> >get/ send for handling files.But they are not
> secure
> >Any one can access files by them.
> > MY PROBLEM IS THIS:
> > I HAVE LIST OF IP ADDRESSES AND I WANT THAT ONLY
> THEY
> >SHOULD ACCESS MY FILES .
> > for that how to work with
> >TurbineResouces.properties
> >is not clear.
> >My property file is below
> >
> >services.XmlRpcService.handler.file =
> >org.apache.turbine.services.xmlrpc.util.FileHandler
> >services.XmlRpcService.handler.remote =
> >org.iitk.brihaspati.modules.utils.RemoteCourseUtil
> >services.XmlRpcService.handler.remote1 =
>
>org.iitk.brihaspati.modules.utils.RemoteCourseUtilServer
> >services.XmlRpcService.paranoid = true
> >services.XmlRpcService.acceptClient = 172.28.44.*
> >services.XmlRpcService.denyClient =
> >
> ># Do we want a secure server
> >
> >services.XmlRpcService.secure.server = false
> >
> ># Secure server options
> >
>
>services.XmlRpcService.secure.server.option.java.protocol.handler.pkgs
> >= \
> > com.sun.net.ssl.internal.www.protocol
> >
>
>services.XmlRpcService.secure.server.option.security.provider
> >= \
> > com.sun.net.ssl.internal.ssl.Provider
> >
>
>services.XmlRpcService.secure.server.option.security.protocol
> >= TLS
> >
> ># You probably want to keep your key stores and
> trust
> >stores
> ># clear out of your webapp.
> >
>
>services.XmlRpcService.secure.server.option.javax.net.ssl.keyStore
> >= /tmp/keystore
>
>services.XmlRpcService.secure.server.option.javax.net.ssl.keyStoreType
> >= jks
>
>services.XmlRpcService.secure.server.option.javax.net.ssl.keyStorePassword
> >= password
>
>services.XmlRpcService.secure.server.option.javax.net.ssl.trustStore
> >= /tmp/truststore
>
>services.XmlRpcService.secure.server.option.javax.net.ssl.trustStoreType
> >= jks
>
>services.XmlRpcService.secure.server.option.javax.net.ssl.trustStorePassword
> >= password
> >
>
>services.XmlRpcService.secure.server.option.sun.ssl.keymanager.type
> >= SunX509
>
>services.XmlRpcService.secure.server.option.sun.ssl.trust.manager.type
> >= SunX509
> >
> ># These values should be set to 'all' for debugging
> >purposes.
> >
>
>services.XmlRpcService.secure.server.option.javax.net.debug
> >= all
>
>services.XmlRpcService.secure.server.option.java.security.debug
> >= all
> >
> >
> >ONE OF MY PROBLEM IS WHEN I SET
> >services.XmlRpcService.secure.server = true
> >
> >Xml rpc call fails
> >
> >HOW TO USE SECURE SERVER OPTION......
> >
> >Thanks for help in advance
> >
> >cheers
> >Manav
> >
> >
> >
> >__________________________________________________
> >Do You Yahoo!?
> >Tired of spam? Yahoo! Mail has the best spam
> protection around
> >http://mail.yahoo.com
> >
> >
> >
>
>------------------------------------------------------------------------
> >
>
>---------------------------------------------------------------------
> >To unsubscribe, e-mail:
> turbine-user-unsubscribe@jakarta.apache.org
> >For additional commands, e-mail:
> turbine-user-help@jakarta.apache.org
> >
>
>
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
---------------------------------------------------------------------
To unsubscribe, e-mail: turbine-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: turbine-user-help@jakarta.apache.org
Re: Fwd: Client Authentication in XML RPC
Posted by Siegfried Goeschl <si...@it20one.at>.
Hi Manav,
since I do not fully understand your problem ...
+) do you want to limit client-side access only for file upload/download
or for the whole XML-RPC communication? As you have already encountered
there is support for restricting access based on TCP/IP addresses
+) usually your Turbine application is embedded in a servlet engine such
as Tomcat, i.e. you have additional security support & deployment
options there
+) at the end of the day you can subclass the FileHandler to add
additional security constraints .... :-)
Cheers,
Siegfried Goeschl
PS: The secure server stuff is meant for SSL support
Manvendra Baghel wrote:
>Note: forwarded message attached.
>
>
>__________________________________________________
>Do You Yahoo!?
>Tired of spam? Yahoo! Mail has the best spam protection around
>http://mail.yahoo.com
>
>
> ------------------------------------------------------------------------
>
> Subject:
> Client Authentication in XML RPC
> From:
> Manvendra Baghel <ma...@yahoo.com>
> Date:
> Fri, 19 Aug 2005 07:03:26 -0700 (PDT)
> To:
> turbine <tu...@jakarta.apache.org>,
> velocity-user@jakarta.apache.org, xmlrpc-user@ws.apache.org
>
> To:
> turbine <tu...@jakarta.apache.org>,
> velocity-user@jakarta.apache.org, xmlrpc-user@ws.apache.org
>
>
>Hi friends,
>I am working on Turbine 2.3 and velocity.
>I am trying to implement xml rpc in Brihaspati e LMS
>I am unable to decide how to go in for client
>authentication.
>Turbine xml-rpc service use file handler methods
>get/ send for handling files.But they are not secure
>Any one can access files by them.
> MY PROBLEM IS THIS:
> I HAVE LIST OF IP ADDRESSES AND I WANT THAT ONLY THEY
>SHOULD ACCESS MY FILES .
> for that how to work with
>TurbineResouces.properties
>is not clear.
>My property file is below
>
>services.XmlRpcService.handler.file =
>org.apache.turbine.services.xmlrpc.util.FileHandler
>services.XmlRpcService.handler.remote =
>org.iitk.brihaspati.modules.utils.RemoteCourseUtil
>services.XmlRpcService.handler.remote1 =
>org.iitk.brihaspati.modules.utils.RemoteCourseUtilServer
>services.XmlRpcService.paranoid = true
>services.XmlRpcService.acceptClient = 172.28.44.*
>services.XmlRpcService.denyClient =
>
># Do we want a secure server
>
>services.XmlRpcService.secure.server = false
>
># Secure server options
>
>services.XmlRpcService.secure.server.option.java.protocol.handler.pkgs
>= \
> com.sun.net.ssl.internal.www.protocol
>
>services.XmlRpcService.secure.server.option.security.provider
>= \
> com.sun.net.ssl.internal.ssl.Provider
>
>services.XmlRpcService.secure.server.option.security.protocol
>= TLS
>
># You probably want to keep your key stores and trust
>stores
># clear out of your webapp.
>
>services.XmlRpcService.secure.server.option.javax.net.ssl.keyStore
>= /tmp/keystore
>services.XmlRpcService.secure.server.option.javax.net.ssl.keyStoreType
>= jks
>services.XmlRpcService.secure.server.option.javax.net.ssl.keyStorePassword
>= password
>services.XmlRpcService.secure.server.option.javax.net.ssl.trustStore
>= /tmp/truststore
>services.XmlRpcService.secure.server.option.javax.net.ssl.trustStoreType
>= jks
>services.XmlRpcService.secure.server.option.javax.net.ssl.trustStorePassword
>= password
>
>services.XmlRpcService.secure.server.option.sun.ssl.keymanager.type
>= SunX509
>services.XmlRpcService.secure.server.option.sun.ssl.trust.manager.type
>= SunX509
>
># These values should be set to 'all' for debugging
>purposes.
>
>services.XmlRpcService.secure.server.option.javax.net.debug
>= all
>services.XmlRpcService.secure.server.option.java.security.debug
>= all
>
>
>ONE OF MY PROBLEM IS WHEN I SET
>services.XmlRpcService.secure.server = true
>
>Xml rpc call fails
>
>HOW TO USE SECURE SERVER OPTION......
>
>Thanks for help in advance
>
>cheers
>Manav
>
>
>
>__________________________________________________
>Do You Yahoo!?
>Tired of spam? Yahoo! Mail has the best spam protection around
>http://mail.yahoo.com
>
>
>
>------------------------------------------------------------------------
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: turbine-user-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: turbine-user-help@jakarta.apache.org
>