Security on XML-RPC

John Abel jabel at plus.net
Tue Oct 25 10:08:05 EDT 2005


dcrespo wrote:

>Hi all,
>
>Does anyone know a simpler but stronger access control for XML-RPC
>functions than the one I describe here?
>
>My actual system works like this:
>
>I have a TCP Server and an XML-RPC Server. Both of them verify if the
>IP address is allowed.
>
>The TCP Server works to validate and register an IP address if it
>wasn't validated previously, while the XML-RPC Server works only if the
>requester's IP address was allowed through the mentioned TCP Server. This
>means anyone who wants to connect to the XML-RPC Server has to pass
>the TCP Server.
>
>How does a client connect to the TCP Server and authenticate his IP?
>
>Well, there is an interchange of encrypted data between the Client and
>the TCP Server, where, in a few words, the client sends a UserName and a
>Password, all this through the send() function of the Socket
>connection. If the TCP Server authenticates an IP address, then that
>Client will be able to connect to the XML-RPC Server and use its
>defined functions.
>
>The problem I see here is that if I want someone to take advantage of
>my XML-RPC functions, I have to tell him all this. I would like to get
>a strong but simpler way of doing all this.
>
>Thank you for reading and thinking.
>
>Daniel
Not the most secure, but I have a modified XMLRPC Server/client using 
Digest auth, if that's any use?

J
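
What per-request Digest authentication for an XML-RPC endpoint involves, as an added example that is not John Abel's modified server/client or any other code from this thread. It follows RFC 2617 (MD5, qop=auth); `DigestVerifier`, `client_header` and the other names are assumptions made for illustration.

```python
import hashlib, hmac, re, secrets

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 response for qop=auth; the password never goes on the wire."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def client_header(user, password, realm, uri, nonce, nc):
    """Client side: build the Authorization header for one XML-RPC POST."""
    cnonce = secrets.token_hex(8)
    resp = digest_response(user, realm, password, "POST", uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

class DigestVerifier:
    """Server side: every request is checked, so no per-IP allow list is kept."""
    def __init__(self, users, realm):
        self.users, self.realm = users, realm   # users: name -> password
        self.seen = {}                          # issued nonce -> highest nc used

    def new_nonce(self):
        nonce = secrets.token_hex(16)           # sent in the 401 challenge
        self.seen[nonce] = 0
        return nonce

    def verify(self, method, uri, header):
        """Return the authenticated user name, or None to answer with 401."""
        if not header or not header.startswith("Digest "):
            return None
        f = {k: v.strip('"') for k, v in
             re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', header[7:])}
        try:
            nc = int(f["nc"], 16)
            password = self.users[f["username"]]
            fresh = nc > self.seen[f["nonce"]]  # unknown nonce raises KeyError
            expected = digest_response(f["username"], self.realm, password, method,
                                       uri, f["nonce"], f["nc"], f["cnonce"])
            ok = hmac.compare_digest(expected.encode(), f["response"].encode())
        except (KeyError, ValueError):
            return None
        if not (ok and fresh and f.get("uri") == uri and f.get("qop") == "auth"):
            return None
        self.seen[f["nonce"]] = nc              # a replayed nc is refused next time
        return f["username"]
```

Digest authentication keeps the password off the wire but leaves the XML-RPC request and response bodies unprotected, so the transport still needs TLS when the calls themselves are sensitive.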
