Safe Local XMLRPC
Michael Urman
murman at gmail.com
Sat Mar 12 12:28:55 EST 2005
[Sorry, I previously replied to Diez offlist, and probably to a
spam-protected address at that. Here's that reply and my followup
after reading up on pyro
]
On Sat, 12 Mar 2005 11:08:31 -0600, Michael Urman <murman at gmail.com> wrote:
> On Sat, 12 Mar 2005 14:12:21 +0100, Diez B. Roggisch <deetsNOSPAM at web.de> wrote:
> > This might not be the answer you want, but I'd personally ditch xmlrpc and
> > switch to something like pyro or even corba and implement a "real"
> > authentication theme.
>
> I don't have a problem with switching interfaces so long as I can keep
> my (admittedly useless) feature of multiple simultaneous connections.
> I am hoping to avoid writing an authentication method, as some slight
> missteps there could lead to real trouble later; this is why I was
> hoping to do unix-domain socket transports which I could just set to
> read-write only by the owner on the filesystem itself.
>
> > With corba/pyro, authenticate would return an object that implicitely has
> > all the state needed - nameley who created the connection - and then you
> > don't have to bother about that anymore.
>
> If I can get the authentication that I'm looking for that cheaply,
> then this does indeed sound like the way for me to go. I'm not worried
> about supporting remote connections, or anything of that nature, so
> local identity is sufficient. I'll look into pyro; conveniently
> there's a debian package for me to try.
>
> Thanks Diez!
> -m
>
Hmm. On inspection, pyro seems to be really heavy, what with its
requirement of a pyro-nameserver, and using TCP as the transport. I
think I'd still prefer convincing a variant of SimpleXMLRPCServer and
xmlrpclib.ServerProxy to use unix domain sockets and using filesystem
security to limit access to the owner.
Thanks again,
-m
More information about the Python-list
mailing list