XMLRPC and IP authentication 

Hi all,

I want to implement some very basic security for an XMLRPC server.  My
first filter was going to be to restrict access by IP address.  Is there
a way to snag the client's IP from an XMLRPC::Server object from within a
service hook?  I listed the object methods, but nothing stood out at me.

If not, I'd like to see that functionality added.

Thanks in advance for any help.

Regards,

Dan



Sun, 10 Apr 2005 04:58:21 GMT  
Hi,

Quote:
> From: Daniel Berger
> Sent: Wednesday, October 23, 2002 5:58 AM
> I want to implement some very basic security for an XMLRPC server.  My
> first filter was going to be to restrict access by IP address.  Is there
> a way to snag the client's IP from an XMLRPC::Server object from within a
> service hook?  I listed the object methods, but nothing stood out at me.

GServer (which is a base of HttpServer which is a base
of XMLRPC::*Servers) does not have functionalities about
authentication/authorization (same as standaloneServer
of SOAP4R, BTW).

Can you run your server with XMLRPC::CGIServer on WEBrick,
Apache or some httpd?  Those httpds have IP-based/BasicAuth
authentication/authorization functionalities.

Doubt me... WEBrick might not have IP-based restriction
function by default.

Quote:
> If not, I'd like to see that functionality added.

MNeumann: what do you think?

Regards,
// NaHi



Sun, 10 Apr 2005 10:49:40 GMT  

Quote:

> I want to implement some very basic security for an XMLRPC server.  My
> first filter was going to be to restrict access by IP address.  Is there
> a way to snag the client's IP from an XMLRPC::Server object from within a
> service hook?  I listed the object methods, but nothing stood out at me.

I seem to recall subclassing XMLRPC::Server and implementing some checks
in request_handler, to do the above (and later, to add basic
authentication).

It went something like this:
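<SNIP>
def request_handler( req, resp )
  caller_address = req.data.peeraddr[2]
  # The condition line is missing from the post as archived;
  # allowed_address? is a placeholder for the original check.
  if allowed_address?( caller_address )
    super req, resp
  else
    # Reject the request (the handler's response parameter is resp).
    resp.status = 405
  end
end
</SNIP>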
before I switched to authentication.

HTH

--
(\[ Kent Dahl ]/)_    _~_    __[ http://www.stud.ntnu.no/~kentda/ ]___/~
 ))\_student_/((  \__d L b__/  NTNU - graduate engineering - 5. year  )
( \__\_?|?_/__/ ) _)Industrial economics and technological management(
 \____/_?_\____/ (____engineering.discipline_=_Computer::Technology___)



Sun, 10 Apr 2005 14:24:18 GMT  

Quote:

> Hi,

> > From: Daniel Berger
> > Sent: Wednesday, October 23, 2002 5:58 AM

> > I want to implement some very basic security for an XMLRPC server.  My
> > first filter was going to be to restrict access by IP address.  Is there
> > a way to snag the client's IP from an XMLRPC::Server object from within a
> > service hook?  I listed the object methods, but nothing stood out at me.

> GServer (which is a base of HttpServer which is a base
> of XMLRPC::*Servers) does not have functionalities about
> authentication/authorization (same as standaloneServer
> of SOAP4R, BTW).

> Can you run your server with XMLRPC::CGIServer on WEBrick,
> Apache or some httpd?  Those httpds have IP-based/BasicAuth
> authentication/authorization functionalities.

There's also a WEBrickServlet server for xmlrpc4r.
Maybe this helps.

Quote:
> Doubt me... WEBrick might not have IP-based restriction
> function by default.

> > If not, I'd like to see that functionality added.

> MNeumann: what do you think?

I've added an ip_auth_handler method in class Server, which is called
from method serve (in httpserver.rb) before request_handler is called.
This method should return true if the client is allowed to connect,
otherwise false.
This way, you can simply override Server#ip_auth_handler to perform
IP-based restrictions.

What's the right status code when IP auth disallows access?
405 - Method not allowed?

Regards,

  Michael



Sun, 10 Apr 2005 16:17:35 GMT  

Quote:

> I've added an ip_auth_handler method in class Server, which is called
> from method serve (in httpserver.rb) before request_handler is called.
> This method should return true if the client is allowed to connect,
> otherwise false.
> This way, you can simply override Server#ip_auth_handler to perform
> IP-based restrictions.

> What's the right status code when IP auth disallows access?
> 405 - Method not allowed?

> Regards,

>   Michael

Sounds interesting, but how does it work?

All I really want to do is something like this:

valid_ip = ["1.2.3.4","22.33.44.55"]
server.set_service_hook{ |obj,*args|
   raise SomeException unless valid_ip.include?(server.peer_addr)
   obj.call(*args)
}

Regards,

Dan



Mon, 11 Apr 2005 00:15:42 GMT  

Quote:


> > I've added an ip_auth_handler method in class Server, which is called
> > from method serve (in httpserver.rb) before request_handler is called.
> > This method should return true if the client is allowed to connect,
> > otherwise false.
> > This way, you can simply override Server#ip_auth_handler to perform
> > IP-based restrictions.

> > What's the right status code when IP auth disallows access?
> > 405 - Method not allowed?

> > Regards,

> >   Michael

> Sounds interesting, but how does it work?

> All I really want to do is something like this:

> valid_ip = ["1.2.3.4","22.33.44.55"]
> server.set_service_hook{ |obj,*args|
>    raise SomeException unless valid_ip.include?(server.peer_addr)
>    obj.call(*args)
> }

In xmlrpc4r version 1.7.12, the following should work:

class MyServer < XMLRPC::Server
  def ip_auth_handler(io)
    valid_ips = ["192.168.1.5", "127.0.0.1"]
    if valid_ips.include? io.peeraddr[3]
      true
    else
      false
    end
  end
end

s = MyServer.new(....)

Maybe I add in the next version a method set_valid_ip to the Server
class, and use the above shown ip_auth_handler by default.

Regards,

  Michael



Mon, 11 Apr 2005 00:24:51 GMT  

Quote:



> > > I've added an ip_auth_handler method in class Server, which is called
> > > from method serve (in httpserver.rb) before request_handler is called.
> > > This method should return true if the client is allowed to connect,
> > > otherwise false.
> > > This way, you can simply override Server#ip_auth_handler to perform
> > > IP-based restrictions.

> > > What's the right status code when IP auth disallows access?
> > > 405 - Method not allowed?

> > > Regards,

> > >   Michael

> > Sounds interesting, but how does it work?

> > All I really want to do is something like this:

> > valid_ip = ["1.2.3.4","22.33.44.55"]
> > server.set_service_hook{ |obj,*args|
> >    raise SomeException unless valid_ip.include?(server.peer_addr)
> >    obj.call(*args)
> > }

> In xmlrpc4r version 1.7.12, the following should work:

<snip>

Is there a way to use this without having to define my own subclass?  If so,
can you please provide an example?

On another note, I noticed the update to the RAA.  It appears, however, that
the download link still points to 1.7.11.  Just thought I'd mention it.

Regards,

Dan



Mon, 11 Apr 2005 02:06:03 GMT  

Quote:

> Is there a way to use this without having to define my own subclass?  If so,
> can you please provide an example?

Not in 1.7.12, but probably in 1.7.13:

s = XMLRPC::Server.new(...)
s.set_valid_ip("192.168.1.5", "127.0.0.1", /^192\.168\.2\./)

Is that what you need?

Quote:
> On another note, I noticed the update to the RAA.  It appears, however, that
> the download link still points to 1.7.11.  Just thought I'd mention it.

Thanks, I'll update that.

Regards,

  Michael



Mon, 11 Apr 2005 05:07:01 GMT  
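
An added example, not part of the thread and not xmlrpc4r's own code: the check that ip_auth_handler and the proposed set_valid_ip perform, written against the array that IPSocket#peeraddr returns. The class name PeerAllowlist is hypothetical, and CIDR rules and IPv4-mapped address handling go beyond what the posts describe.

```ruby
require "ipaddr"

# Allowlist in the style of set_valid_ip: exact addresses, Regexps,
# and (an extension) CIDR strings. Arrays of rules are flattened.
class PeerAllowlist
  def initialize(*rules)
    @rules = rules.flatten.map do |rule|
      rule.is_a?(Regexp) ? rule : IPAddr.new(rule) # "127.0.0.1" or "10.1.0.0/16"
    end
  end

  # peeraddr is [family, port, hostname, numeric_address]. Only index 3 is
  # matched: index 2 may be a reverse-DNS name, which the peer's DNS controls.
  def allowed?(peeraddr)
    ip = normalize(peeraddr[3])
    return false if ip.nil? # fail closed on anything unparsable

    @rules.any? do |rule|
      # Regexp rules must be anchored and escaped: /192.168.2./ would
      # also admit 192.168.20.9.
      rule.is_a?(Regexp) ? rule.match?(ip.to_s) : rule.include?(ip)
    end
  end

  private

  # Dual-stack listeners report IPv4 clients as "::ffff:a.b.c.d"; fold those
  # back to plain IPv4 so one rule covers both spellings.
  def normalize(text)
    return nil unless text.is_a?(String) && !text.empty?

    ip = IPAddr.new(text)
    ip.ipv4_mapped? ? ip.native : ip
  rescue IPAddr::Error
    nil
  end
end

# Constructed rule set: the addresses and pattern from the thread plus one CIDR.
ALLOW = PeerAllowlist.new("192.168.1.5", "127.0.0.1", /^192\.168\.2\./, "10.1.0.0/16")
```

In an ip_auth_handler(io) override as shown earlier in the thread, the return value would be ALLOW.allowed?(io.peeraddr).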

Quote:


> > Is there a way to use this without having to define my own subclass?  If so,
> > can you please provide an example?

> Not in 1.7.12, but probably in 1.7.13:

> s = XMLRPC::Server.new(...)
> s.set_valid_ip("192.168.1.5", "127.0.0.1", /^192\.168\.2\./)

> Is that what you need?

That would be awesome.  I'm hoping you'll allow arrays as well:

v = ["192.168.1.5","192.168.1.6"]
s.set_valid_ip(v)

or does that work anyway?  I forget.

Thanks!

Dan



Mon, 11 Apr 2005 05:58:53 GMT  

Quote:



> > > Is there a way to use this without having to define my own subclass?  If so,
> > > can you please provide an example?

> > Not in 1.7.12, but probably in 1.7.13:

> > s = XMLRPC::Server.new(...)
> > s.set_valid_ip("192.168.1.5", "127.0.0.1", /^192\.168\.2\./)

> > Is that what you need?

> That would be awesome.  I'm hoping you'll allow arrays as well:

> v = ["192.168.1.5","192.168.1.6"]
> s.set_valid_ip(v)

Yes:

  s.set_valid_ip(*v)

Regards,

  Michael



Mon, 11 Apr 2005 14:32:59 GMT  
Hi,

Quote:

> Sent: Wednesday, October 23, 2002 5:18 PM
> > Can you run your server with XMLRPC::CGIServer on WEBrick,
> > Apache or some httpd?  Those httpds have IP-based/BasicAuth
> > authentication/authorization functionalities.

> There's also a WEBrickServlet server for xmlrpc4r.
> Maybe this helps.

I'm not aware there it is!  Good.  I and an author of
WEBrick are working to build an app server on
www.ruby-lang.org to host XML-RPC, SOAP and other services.
(It runs as CGI now)  We'll use it.

Hmm.  require_path_info? was deprecated from WEBrick/1.2.2.
No need to define it although it does not break anything.

Quote:
> I've added an ip_auth_handler method in class Server, which is called
> from method serve (in httpserver.rb) before request_handler is called.
> This method should return true if the client is allowed to connect,
> otherwise false.
> This way, you can simply override Server#ip_auth_handler to perform
> IP-based restrictions.

standaloneServer.rb in SOAP4R should follow the change
of your httpserver.rb.

Quote:
> What's the right status code when IP auth disallows access?
> 405 - Method not allowed?

403 Forbidden, I think.

Regards,
// NaHi



Mon, 11 Apr 2005 14:59:25 GMT  

Quote:




> > > > Is there a way to use this without having to define my own subclass?  If so,
> > > > can you please provide an example?

> > > Not in 1.7.12, but probably in 1.7.13:

> > > s = XMLRPC::Server.new(...)
> > > s.set_valid_ip("192.168.1.5", "127.0.0.1", /^192\.168\.2\./)

> > > Is that what you need?

> > That would be awesome.  I'm hoping you'll allow arrays as well:

> > v = ["192.168.1.5","192.168.1.6"]
> > s.set_valid_ip(v)

> Yes:

>   s.set_valid_ip(*v)

> Regards,

>   Michael

Duh!  Why do I always forget this?

Anyway, I just tested it out - works great!  Thanks!!

Regards,

Dan



Mon, 11 Apr 2005 22:42:40 GMT  

Quote:

> Hi,


> > Sent: Wednesday, October 23, 2002 5:18 PM

> > > Can you run your server with XMLRPC::CGIServer on WEBrick,
> > > Apache or some httpd?  Those httpds have IP-based/BasicAuth
> > > authentication/authorization functionalities.

> > There's also a WEBrickServlet server for xmlrpc4r.
> > Maybe this helps.

> I'm not aware there it is!  Good.  I and an author of
> WEBrick are working to build an app server on
> www.ruby-lang.org to host XML-RPC, SOAP and other services.
> (It runs as CGI now)  We'll use it.

See directory samples/webrick of the xmlrpc4r distribution for
more information as well as lib/server.rb.
But I guess, you've already found it.

Regards,

  Michael



Tue, 12 Apr 2005 01:25:59 GMT  
 