Hi all,
I want to implement some very basic security for an XMLRPC server. My
first filter was going to be to restrict access by IP address. Is there
a way to snag the client’s IP from an XMLRPC::Server object from within a
service hook? I listed the object methods, but nothing stood out at me.
If not, I’d like to see that functionality added.
Thanks in advance for any help.
Regards,
Dan
Hi,
From: Daniel Berger
Sent: Wednesday, October 23, 2002 5:58 AM
I want to implement some very basic security for an XMLRPC server. My
first filter was going to be to restrict access by IP
address. Is there
a way to snag the client’s IP from an XMLRPC::Server object
from within a
service hook? I listed the object methods, but nothing stood
out at me.
GServer (the base class of HttpServer, which in turn is the base
of the XMLRPC::*Server classes) has no authentication/authorization
functionality (the same goes for standaloneServer
of SOAP4R, BTW).
Can you run your server with XMLRPC::CGIServer on WEBrick,
Apache or some httpd? Those httpds have IP-based/BasicAuth
authentication/authorization functionalities.
Doubt me… WEBrick might not have IP-based restriction
function by default.
If not, I’d like to see that functionality added.
MNeumann: what do you think?
Regards,
// NaHi
Daniel Berger wrote:
I want to implement some very basic security for an XMLRPC server. My
first filter was going to be to restrict access by IP address. Is there
a way to snag the client’s IP from an XMLRPC::Server object from within a
service hook? I listed the object methods, but nothing stood out at me.
I seem to recall subclassing XMLRPC::Server and implementing some checks
in request_handler, to do the above (and later, to add basic
authentication).
It went something like this:
class MyServer < XMLRPC::Server
  def request_handler( req, resp )
    # req.data is the accepted client socket. peeraddr[3] is its numeric
    # address; peeraddr[2] is the reverse-resolved host name, which is
    # the wrong thing to compare against a list of IP strings.
    caller_address = req.data.peeraddr[3]
    if @allow.include?( caller_address )   # @allow: Array of permitted IP strings
      super req, resp
    else
      resp.status = 405
    end
  end
end
before I switched to authentication.
HTH
···
–
([ Kent Dahl ]/)_ ~ [ http://www.stud.ntnu.no/~kentda/ ]/~
))_student/(( _d L b_/ NTNU - graduate engineering - 5. year )
( __õ|õ// ) )Industrial economics and technological management(
_/ö____/ (_engineering.discipline=Computer::Technology)
Hi,
From: Daniel Berger
Sent: Wednesday, October 23, 2002 5:58 AM
I want to implement some very basic security for an XMLRPC server. My
first filter was going to be to restrict access by IP
address. Is there
a way to snag the client’s IP from an XMLRPC::Server object
from within a
service hook? I listed the object methods, but nothing stood
out at me.
GServer (the base class of HttpServer, which in turn is the base
of the XMLRPC::*Server classes) has no authentication/authorization
functionality (the same goes for standaloneServer
of SOAP4R, BTW).
Can you run your server with XMLRPC::CGIServer on WEBrick,
Apache or some httpd? Those httpds have IP-based/BasicAuth
authentication/authorization functionalities.
There’s also a WEBrickServlet server for xmlrpc4r.
Maybe this helps.
Doubt me… WEBrick might not have IP-based restriction
function by default.
If not, I’d like to see that functionality added.
MNeumann: what do you think?
I’ve added a ip_auth_handler method in class Server, which is called
from method serve (in httpserver.rb) before request_handler is called.
This method should return true if the client is allowed to connect,
otherwise false.
This way, you can simply override Server#ip_auth_handler to perform
IP-based restrictions.
What’s the right status code when IP auth disallows access?
405 - Method not allowed?
Regards,
Michael
···
On Wed, 2002-10-23 at 04:49, NAKAMURA, Hiroshi wrote:
Michael Neumann wrote:
I’ve added a ip_auth_handler method in class Server, which is called
from method serve (in httpserver.rb) before request_handler is called.
This method should return true if the client is allowed to connect,
otherwise false.
This way, you can simply override Server#ip_auth_handler to perform
IP-based restrictions.
What’s the right status code when IP auth disallows access?
405 - Method not allowed?
Regards,
Michael
Sounds interesting, but how does it work?
All I really want to do is something like this:
valid_ip = ["1.2.3.4", "22.33.44.55"]
server.set_service_hook { |obj, *args|
  raise SomeException unless valid_ip.include?(server.peer_addr)
  obj.call(*args)
}
Regards,
Dan
Hi,
From: Michael Neumann [mailto:520079130762-0001@t-online.de]
Sent: Wednesday, October 23, 2002 5:18 PM
Can you run your server with XMLRPC::CGIServer on WEBrick,
Apache or some httpd? Those httpds have IP-based/BasicAuth
authentication/authorization functionalities.
There’s also a WEBrickServlet server for xmlrpc4r.
Maybe this helps.
I wasn’t aware it was there! Good. An author of
WEBrick and I are working to build an app server on
www.ruby-lang.org to host XML-RPC, SOAP and other services.
(It runs as CGI now.) We’ll use it.
Hmm. require_path_info? has been deprecated since WEBrick 1.2.2.
There is no need to define it, although doing so does not break anything.
I’ve added a ip_auth_handler method in class Server, which is called
from method serve (in httpserver.rb) before request_handler is called.
This method should return true if the client is allowed to connect,
otherwise false.
This way, you can simply override Server#ip_auth_handler to perform
IP-based restrictions.
standaloneServer.rb in SOAP4R should follow the change
of your httpserver.rb.
What’s the right status code when IP auth disallows access?
405 - Method not allowed?
403 Forbidden, I think.
Regards,
// NaHi
In xmlrpc4r version 1.7.12, the following should work:
class MyServer < XMLRPC::Server
  # io is the accepted client socket; peeraddr[3] is its numeric address
  def ip_auth_handler(io)
    valid_ips = ["192.168.1.5", "127.0.0.1"]
    valid_ips.include?(io.peeraddr[3])
  end
end
s = MyServer.new(…)
Maybe I add in the next version a method set_valid_ip to the Server
class, and use the above shown ip_auth_handler by default.
Regards,
Michael
···
On Wed, 2002-10-23 at 18:15, Daniel Berger wrote:
Michael Neumann wrote:
I’ve added a ip_auth_handler method in class Server, which is called
from method serve (in httpserver.rb) before request_handler is called.
This method should return true if the client is allowed to connect,
otherwise false.
This way, you can simply override Server#ip_auth_handler to perform
IP-based restrictions.
What’s the right status code when IP auth disallows access?
405 - Method not allowed?
Regards,
Michael
Sounds interesting, but how does it work?
All I really want to do is something like this:
valid_ip = ["1.2.3.4", "22.33.44.55"]
server.set_service_hook { |obj, *args|
  raise SomeException unless valid_ip.include?(server.peer_addr)
  obj.call(*args)
}
See directory samples/webrick of the xmlrpc4r distribution for
more information as well as lib/server.rb.
But I guess, you’ve already found it.
Regards,
Michael
···
On Thu, 2002-10-24 at 08:59, NAKAMURA, Hiroshi wrote:
Hi,
From: Michael Neumann [mailto:520079130762-0001@t-online.de]
Sent: Wednesday, October 23, 2002 5:18 PM
Can you run your server with XMLRPC::CGIServer on WEBrick,
Apache or some httpd? Those httpds have IP-based/BasicAuth
authentication/authorization functionalities.
There’s also a WEBrickServlet server for xmlrpc4r.
Maybe this helps.
I wasn’t aware it was there! Good. An author of
WEBrick and I are working to build an app server on
www.ruby-lang.org to host XML-RPC, SOAP and other services.
(It runs as CGI now.) We’ll use it.
Michael Neumann wrote:
Michael Neumann wrote:
I’ve added a ip_auth_handler method in class Server, which is called
from method serve (in httpserver.rb) before request_handler is called.
This method should return true if the client is allowed to connect,
otherwise false.
This way, you can simply override Server#ip_auth_handler to perform
IP-based restrictions.
What’s the right status code when IP auth disallows access?
405 - Method not allowed?
Regards,
Michael
Sounds interesting, but how does it work?
All I really want to do is something like this:
valid_ip = ["1.2.3.4", "22.33.44.55"]
server.set_service_hook { |obj, *args|
  raise SomeException unless valid_ip.include?(server.peer_addr)
  obj.call(*args)
}
In xmlrpc4r version 1.7.12, the following should work:
Is there a way to use this without having to define my own subclass? If so,
can you please provide an example?
On another note, I noticed the update to the RAA. It appears, however, that
the download link still points to 1.7.11. Just thought I’d mention it.
Regards,
Dan
···
On Wed, 2002-10-23 at 18:15, Daniel Berger wrote:
Is there a way to use this without having to define my own subclass? If so,
can you please provide an example?
Not in 1.7.12, but probably in 1.7.13:
s = XMLRPC::Server.new(…)
s.set_valid_ip("192.168.1.5", "127.0.0.1", /^192\.168\.2\./)
Is that what you need?
On another note, I noticed the update to the RAA. It appears, however, that
the download link still points to 1.7.11. Just thought I’d mention it.
Thanks, I’ll update that.
Regards,
Michael
···
On Wed, 2002-10-23 at 20:06, Daniel Berger wrote:
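An added, stand-alone example (not code from xmlrpc4r or from any poster in this thread) that puts together Michael's ip_auth_handler(io) override and the set_valid_ip sketch above: an allow-list that takes exact IP strings and Regexps as he proposed, plus CIDR blocks, and is checked against io.peeraddr[3], the numeric peer address. The names IpAllowList, AllowListedServer, FakeSocket, peer and demo_decisions are hypothetical; the library itself is not loaded so the file runs on plain Ruby, and FakeSocket is a constructed stand-in for the accepted TCPSocket. The only library facts relied on are the ones stated in the thread: ip_auth_handler returns true to let a request through and false to have the server answer 403.

```ruby
require 'ipaddr'

# Hypothetical allow-list (not part of xmlrpc4r). Entries may be exact IP
# strings, CIDR strings ("10.0.0.0/8"), IPAddr objects, or Regexps, which is
# the mix sketched for set_valid_ip plus CIDR.
class IpAllowList
  def initialize(*entries)
    @matchers = entries.map { |e| matcher_for(e) }
  end

  # Parse a peer address. IPv4 clients of a dual-stack (::) listener show up
  # as "::ffff:a.b.c.d", so fold those back to plain IPv4 before comparing.
  # Returns nil for anything unparsable.
  def self.normalize(addr)
    return nil unless addr.is_a?(String) && !addr.empty?
    ip = IPAddr.new(addr)
    ip.ipv4_mapped? ? ip.native : ip
  rescue ArgumentError   # IPAddr::InvalidAddressError is an ArgumentError
    nil
  end

  # peeraddr is the Array Socket#peeraddr returns:
  # [family, port, hostname, numeric_address]. Only element 3 is used;
  # element 2 comes from reverse DNS. Unparsable input is denied.
  def allowed?(peeraddr)
    ip = self.class.normalize(peeraddr && peeraddr[3])
    return false if ip.nil?
    text = ip.to_s
    @matchers.any? { |m| m.call(ip, text) }
  end

  private

  def matcher_for(entry)
    case entry
    when Regexp
      # Applied to the normalized address text; the caller must escape dots
      # and anchor both ends (see sloppy_regex_admits_neighbour_subnet?).
      ->(_ip, text) { !!(text =~ entry) }
    when IPAddr
      ->(ip, _text) { entry.include?(ip) }
    when String
      if entry.include?("/")
        net = IPAddr.new(entry)
        ->(ip, _text) { net.include?(ip) }
      else
        want = self.class.normalize(entry)
        raise ArgumentError, "bad allow-list address #{entry.inspect}" if want.nil?
        ->(ip, _text) { ip == want }     # plain strings never become regexes
      end
    else
      raise ArgumentError, "unsupported allow-list entry #{entry.inspect}"
    end
  end
end

# Stand-in for the XMLRPC::Server subclass in the thread (hypothetical; the
# library is not loaded). Same contract as Server#ip_auth_handler(io): true
# lets the request reach request_handler, false makes the server reply 403.
class AllowListedServer
  def initialize(allow_list)
    @allow = allow_list
  end

  def ip_auth_handler(io)
    @allow.allowed?(io.peeraddr)
  end
end

# Constructed stand-in for the accepted TCPSocket: only peeraddr is needed.
FakeSocket = Struct.new(:peeraddr)

def peer(addr)
  FakeSocket.new(["AF_INET", 4321, "client.example", addr])
end

# Decisions for a set of constructed client addresses, keyed by address.
def demo_decisions
  allow  = IpAllowList.new("192.168.1.5", "127.0.0.1", "10.0.0.0/8",
                           /\A192\.168\.2\.\d{1,3}\z/)
  server = AllowListedServer.new(allow)
  %w[192.168.1.5 ::ffff:192.168.1.5 10.4.5.6 192.168.2.77
     192.168.25.1 192.168.1.50 garbage].each_with_object({}) do |addr, h|
    h[addr] = server.ip_auth_handler(peer(addr))
  end
end

# The regex as written in the thread, /^192.168.2./, has unescaped dots and
# no trailing anchor, so it also admits the neighbouring 192.168.25.0/24.
def sloppy_regex_admits_neighbour_subnet?
  IpAllowList.new(/^192.168.2./).allowed?(peer("192.168.25.1").peeraddr)
end

if __FILE__ == $0
  demo_decisions.each { |addr, ok| puts "#{addr.ljust(20)} #{ok ? 'allow' : 'deny (403)'}" }
  puts "sloppy regex admits 192.168.25.1: #{sloppy_regex_admits_neighbour_subnet?}"
end
```

Two caveats a practitioner would want alongside this check. First, peeraddr is the address of the TCP peer, so behind a reverse proxy or load balancer every request arrives from the proxy's address and the allow-list degenerates to "allow the proxy"; the client address then has to come from a header the proxy sets, and only the proxy may be trusted to set it. Second, a source-address allow-list is a coarse filter, not authentication: anything on the allowed hosts (or able to route as them) is admitted, which is why the thread moves on to Basic authentication on top of it.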