Securing SimpleXMLRPCServer?
John Abel
john.abel at pa.press.net
Mon Jul 8 04:44:48 EDT 2002
OK, I apologise in advance for appearing dense. I've added the code
that was supplied by Brian, and the server script appears to run OK.
However, the client script displays the following error:

Traceback (most recent call last):
  File "MDClient.py", line 6, in ?
    print ServerConn.ReturnFiles ("/text/today")
  File "/usr/local/lib/python2.2/xmlrpclib.py", line 821, in __call__
    return self.__send(self.__name, args)
  File "/usr/local/lib/python2.2/xmlrpclib.py", line 975, in __request
    verbose=self.__verbose
  File "/usr/local/lib/python2.2/xmlrpclib.py", line 853, in request
    return self.parse_response(h.getfile())
  File "/usr/local/lib/python2.2/xmlrpclib.py", line 896, in parse_response
    return u.close()
  File "/usr/local/lib/python2.2/xmlrpclib.py", line 571, in close
    raise apply(Fault, (), self._stack[0])
xmlrpclib.Fault: <Fault 1: 'UnknownIP:Client IP Is Not Authorised'>

The client script contains the following code:

import xmlrpclib

if __name__== "__main__":
    ServerConn = xmlrpclib.Server ("http://localhost:8000")
    try:
        print ServerConn.ReturnFiles ("/text/today")
    except ServerConn.UnknownIP, ErrMsg:
        print "Connect Failed", ErrMsg

The server script:

import sys, os, SimpleXMLRPCServer, string

class AuthenticatingSimpleXMLRPCRequestHandler(
        SimpleXMLRPCServer.SimpleXMLRPCRequestHandler):
    def _dispatch(self,method,params):
        self.UnknownIP = "UnknownIP"
        if not (self.client_address == "144.178.234.189" or
                self.client_address == "localhost" ):
            raise self.UnknownIP, "Client IP Is Not Authorised"
        else:
            # return the result so the RPC reply carries it
            return SimpleXMLRPCServer.SimpleXMLRPCRequestHandler._dispatch(self,method,params)

def ReturnFiles(FileRequest):
    RetrFile = open(FileRequest,"r")
    FileContents = None
    for FileLine in RetrFile:
        if FileContents == None:
            FileContents = FileLine
        else:
            FileContents = FileContents + FileLine
    return FileContents

if __name__== "__main__":
    XMLRPCServer = SimpleXMLRPCServer.SimpleXMLRPCServer (
        ("localhost",8000), AuthenticatingSimpleXMLRPCRequestHandler )
    XMLRPCServer.register_function(ReturnFiles)
    XMLRPCServer.serve_forever()

I apologise if I'm doing something really obvious, but I can't seem to
find any documentation, or examples that are similar to what I am trying
to do.
Thank you
John
On Fri, 2002-07-05 at 17:46, Brian Quinlan wrote:
John Abel wrote:
> I've set up a server, and client, which works OK, but now I want to
> secure the server. Is there a way I can query the IP of the connecting
> client? I've looked through the documentation, and can see that
> SimpleXMLRPCRequestHandler is based on BaseHTTPServer, which has
> client_address, but I can't seem to get access to that variable.
>
> Any pointers would be much appreciated.
You could base your security on IP address or you could have the client
send a cookie with each RPC call.
Using your IP address technique, you can subclass
SimpleXMLRPCRequestHandler and write your own do_POST or _dispatch
method. Your implementation can be very simple; just check
client_address and call the base class implementation if it is correct.
You must also register your SimpleXMLRPCRequestHandler subclass with the
SimpleXMLRPCServer. Here is an untested example:

from SimpleXMLRPCServer import SimpleXMLRPCServer, SimpleXMLRPCRequestHandler

class AuthenticatingSimpleXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
    def _dispatch(self, method, params):
        if self.client_address not in list_of_valid_addresses:
            raise Exception, "your IP address is not authorized"
        else:
            # return the result so the RPC reply carries it
            return SimpleXMLRPCRequestHandler._dispatch(self, method, params)

server = SimpleXMLRPCServer(
    some_address,
    AuthenticatingSimpleXMLRPCRequestHandler
)
server.serve_forever()

Cheers,
Brian
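
An added example, not code from the original post or from either poster: a Python 3 version of the allowlist check discussed in this thread, using xmlrpc.server (the current name of the SimpleXMLRPCServer module). It matches only the host element of client_address, which is a (host, port) tuple, and assumes CPython's behaviour of passing a handler-level _dispatch to the server; ping, allowed_networks and call_with_allowlist are hypothetical names, and the allowlists are constructed.

```python
import ipaddress
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer, SimpleXMLRPCRequestHandler


def is_allowed(client_address, networks):
    """client_address is the (host, port) tuple from accept(); match the host only."""
    try:
        host = ipaddress.ip_address(client_address[0])
    except ValueError:
        return False  # a name such as "localhost" is not an address: fail closed
    return any(host in ipaddress.ip_network(net) for net in networks)


class AllowlistHandler(SimpleXMLRPCRequestHandler):
    def _dispatch(self, method, params):
        # allowed_networks is an attribute this example sets on the server object.
        if not is_allowed(self.client_address, self.server.allowed_networks):
            raise xmlrpc.client.Fault(403, "Client IP is not authorised")
        # Return the result, otherwise the caller gets nothing back.
        return self.server._dispatch(method, params)


def ping(text):
    """Hypothetical RPC method used only for this demonstration."""
    return "pong: " + text


def call_with_allowlist(networks):
    """Start a loopback server with this allowlist and make one call to it."""
    server = SimpleXMLRPCServer(("127.0.0.1", 0), requestHandler=AllowlistHandler,
                                logRequests=False)
    server.allowed_networks = networks
    server.register_function(ping)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    proxy = xmlrpc.client.ServerProxy("http://127.0.0.1:%d" % server.server_address[1])
    try:
        return proxy.ping("hello")
    except xmlrpc.client.Fault as fault:  # a refusal reaches the client as a Fault
        return "Fault %d: %s" % (fault.faultCode, fault.faultString)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(call_with_allowlist(["127.0.0.0/8"]))         # constructed allowlist
    print(call_with_allowlist(["144.178.234.189/32"]))  # address from the post
```

Behind a reverse proxy or NAT, client_address is the intermediary's address, so the check then applies to that hop rather than to the end client.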