Home / Browse / Webware for Python / Mail / Archive

Webware for Python

Email Archive: webware-discuss (read-only)

2000:	_Jan	_Feb	_Mar	_Apr	_May (149)	_Jun (174)	_Jul (41)	_Aug (118)	_Sep (72)	_Oct (111)	_Nov (69)	_Dec (147)
2001:	_Jan (242)	_Feb (276)	_Mar (363)	_Apr (704)	_May (183)	_Jun (209)	_Jul (173)	_Aug (230)	_Sep (80)	_Oct (306)	_Nov (338)	_Dec (291)
2002:	_Jan (273)	_Feb (294)	_Mar (303)	_Apr (463)	_May (319)	_Jun (182)	_Jul (160)	_Aug (140)	_Sep (192)	_Oct (302)	_Nov (238)	_Dec (176)
2003:	_Jan (179)	_Feb (222)	_Mar (256)	_Apr (167)	_May (139)	_Jun (145)	_Jul (113)	_Aug (259)	_Sep (146)	_Oct (124)	_Nov (143)	_Dec (66)
2004:	_Jan (58)	_Feb (128)	_Mar (193)	_Apr (228)	_May (111)	_Jun (107)	_Jul (93)	_Aug (78)	_Sep (48)	_Oct (99)	_Nov (104)	_Dec (119)
2005:	_Jan (115)	_Feb (124)	_Mar (86)	_Apr (41)	_May (52)	_Jun (21)	_Jul (32)	_Aug (14)	_Sep (52)	_Oct (30)	_Nov (19)	_Dec (19)
2006:	_Jan (43)	_Feb (35)	_Mar (68)	_Apr (21)	_May (38)	_Jun (46)	_Jul (19)	_Aug (38)	_Sep (58)	_Oct (15)	_Nov (12)	_Dec (30)
2007:	_Jan (49)	_Feb (23)	_Mar (29)	_Apr (19)	_May (33)	_Jun (4)	_Jul (10)	_Aug (26)	_Sep (2)	_Oct (9)	_Nov (1)	_Dec (21)
2008:	_Jan (15)	_Feb (3)	_Mar (10)	_Apr (8)	_May (4)	_Jun (2)	_Jul (2)	_Aug	_Sep	_Oct (2)	_Nov (13)	_Dec
2009:	_Jan (11)	_Feb (4)	_Mar	_Apr (6)	_May	_Jun (16)	_Jul (1)	_Aug	_Sep	_Oct	_Nov	_Dec (9)
2010:	_Jan (6)	_Feb (4)	_Mar (2)	_Apr (12)	_May (20)	_Jun (9)	_Jul (7)	_Aug	_Sep (1)	_Oct (5)	_Nov	_Dec (4)
2011:	_Jan	_Feb	_Mar (10)	_Apr	_May	_Jun	_Jul (9)	_Aug (2)	_Sep	_Oct	_Nov	_Dec
2012:	_Jan (2)	_Feb	_Mar	_Apr	_May	_Jun	_Jul	_Aug	_Sep (6)	_Oct (3)	_Nov (8)	_Dec (11)
2013:	_Jan (1)	_Feb (1)	_Mar	_Apr	_May	_Jun	_Jul	_Aug	_Sep	_Oct	_Nov	_Dec

[Webware-discuss] XML-RPC Security

From: CLIFFORD ILKAY <clifford_ilkay@di...> - 2004-07-12 23:08

Hi,

How would you ensure that only authorized users can make xmlrpc requests of 
Webware? Obviously it would not be a good thing if any random user can 
simply hit the server with the right xmlrpc request to get, add, modify, or 
delete rows from the database unless they were authorized to do that. With 
a page served up from Webware, I guess you do that with SecurePage but the 
xmlrpc client could be anything, a Mozilla XUL app, OpenOffice, MS Office, 
etc. and need not have been generated by Webware in the first place.

Regards,

Clifford Ilkay
Dinamis Corporation
3266 Yonge Street, Suite 1419
Toronto, Ontario
Canada M4N 3P6

Tel: 416-410-3326

Re: [Webware-discuss] XML-RPC Security

From: Luke Opperman <luke@me...> - 2004-07-12 23:52

Modeling it off the SecurePage idea, you could provide a function:

sid = server.authorization(username,password)

perform your login check and store them in session (getLoggedInUser style), and
return the session ID. Then any functions requiring authentication just take
that string as an argument:

result = server.updateRow(sid, ...)

and in updateRow use that sessionID and check whether they are logged in.

(Hmm, I'm not sure whether you can check an arbitrary session, not passed in as
cookie or querystring in Webware. Ought to be a way, if not you could manage
these authIDs directly in your application instead.)

A general solution to this problem will require passing some form of
authentication in each call, whether it's a temporary session from another
call, or a unique key as Google uses in their SOAP APIs.

- Luke

Quoting CLIFFORD ILKAY <clifford_ilkay@...>:

> Hi,
>
> How would you ensure that only authorized users can make xmlrpc requests of
> Webware? Obviously it would not be a good thing if any random user can
> simply hit the server with the right xmlrpc request to get, add, modify, or
> delete rows from the database unless they were authorized to do that. With
> a page served up from Webware, I guess you do that with SecurePage but the
> xmlrpc client could be anything, a Mozilla XUL app, OpenOffice, MS Office,
> etc. and need not have been generated by Webware in the first place.
>
> Regards,
>
> Clifford Ilkay
> Dinamis Corporation
> 3266 Yonge Street, Suite 1419
> Toronto, Ontario
> Canada M4N 3P6
>
> Tel: 416-410-3326
>
>
>
> -------------------------------------------------------
> This SF.Net email sponsored by Black Hat Briefings & Training.
> Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
> digital self defense, top technical experts, no vendor pitches,
> unmatched networking opportunities. Visit http://www.blackhat.com
> _______________________________________________
> Webware-discuss mailing list
> Webware-discuss@...
> https://lists.sourceforge.net/lists/listinfo/webware-discuss



--
The Pursuit of Counterfactual Histories

Webware for Python

Email Archive: webware-discuss (read-only)

1 message has been excluded from this view by a project administrator.