Modeling it off the SecurePage idea, you could provide a function:
sid = server.authorization(username,password)
perform your login check and store them in session (getLoggedInUser style), and
return the session ID. Then any functions requiring authentication just take
that string as an argument:
result = server.updateRow(sid, ...)
and in updateRow use that sessionID and check whether they are logged in.
(Hmm, I'm not sure whether you can check an arbitrary session, not passed in as
cookie or querystring in Webware. Ought to be a way, if not you could manage
these authIDs directly in your application instead.)
A general solution to this problem will require passing some form of
authentication in each call, whether it's a temporary session from another
call, or a unique key as Google uses in their SOAP APIs.
Quoting CLIFFORD ILKAY <clifford_ilkay@...>:
> How would you ensure that only authorized users can make xmlrpc requests of
> Webware? Obviously it would not be a good thing if any random user can
> simply hit the server with the right xmlrpc request to get, add, modify, or
> delete rows from the database unless they were authorized to do that. With
> a page served up from Webware, I guess you do that with SecurePage but the
> xmlrpc client could be anything, a Mozilla XUL app, OpenOffice, MS Office,
> etc. and need not have been generated by Webware in the first place.
> Clifford Ilkay
> Dinamis Corporation
> 3266 Yonge Street, Suite 1419
> Toronto, Ontario
> Canada M4N 3P6
> Tel: 416-410-3326
> This SF.Net email sponsored by Black Hat Briefings & Training.
> Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
> digital self defense, top technical experts, no vendor pitches,
> unmatched networking opportunities. Visit http://www.blackhat.com
> Webware-discuss mailing list
The Pursuit of Counterfactual Histories