Security on XML-RPC

D

dcrespo

Hi all,

Anyone knows a simpler but stronger control access to XML-RPC functions
than the one I comment here?

My actual system works like this:

I have a TCP Server and an XML-RPC Server. Both of them verify if the
IP address is allowed.

The TCP Server works for validate and register an IP address if it
wasn't validated previously, while the XML-RPC Server works only if the
requester IP address was allowed through the mentioned TCP Server. This
means, anyone who wants to connect to the XML-RPC Server has to pass
the TCP Server.

How a client connects to the TCP Server and authenticate his IP?

Well, there is an interchange of encrypted data between the Client and
the TCP Server, where, in few words, the client sends a UserName and a
Password, all this through the send() function of the Socket
connection. If the TCP Server authenticate an IP address, then that
Client will be able to connect to the XML-RPC Server and use its
defined functions.

The problem I see here is that if I want someone to taking advantage of
my XML-RPC functions, I have to tell him all these. I would like to get
a strong but simpler way of doing all these.

Thank you for reading and thinking.

Daniel
 
J

John Abel

dcrespo said:
Hi all,

Anyone knows a simpler but stronger control access to XML-RPC functions
than the one I comment here?

My actual system works like this:

I have a TCP Server and an XML-RPC Server. Both of them verify if the
IP address is allowed.

The TCP Server works for validate and register an IP address if it
wasn't validated previously, while the XML-RPC Server works only if the
requester IP address was allowed through the mentioned TCP Server. This
means, anyone who wants to connect to the XML-RPC Server has to pass
the TCP Server.

How a client connects to the TCP Server and authenticate his IP?

Well, there is an interchange of encrypted data between the Client and
the TCP Server, where, in few words, the client sends a UserName and a
Password, all this through the send() function of the Socket
connection. If the TCP Server authenticate an IP address, then that
Client will be able to connect to the XML-RPC Server and use its
defined functions.

The problem I see here is that if I want someone to taking advantage of
my XML-RPC functions, I have to tell him all these. I would like to get
a strong but simpler way of doing all these.

Thank you for reading and thinking.

Daniel
Not the most secure, but I have a modified XMLRPC Server/client using
Digest auth, if that's any use?

J
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,995
Messages
2,570,236
Members
46,825
Latest member
VernonQuy6

Latest Threads

Top