XML-RPC using HTTP Basic Authentification

[eluser]sramage[/eluser]
Hi !

I'm new in CI and I'm trying to replace a XML-RPC server and client written using this lib http://phpxmlrpc.sourceforge.net by CI XML-RPC classes.

I need some security around this server so I have implemented a little HTTP Basic authentication on the server by adding this on the server controler :

Code:

$user = $this->input->server('PHP_AUTH_USER');
    $password = $this->input->server('PHP_AUTH_PW');
    if ($user != $RPC_USER OR $password != $RPC_PASSWORD){
      Header('WWW-Authenticate: Basic realm="rpc"');
      Header('HTTP/1.0 401 Unauthorized');
      exit();
    }

it's works !

now I'm trying to make a client working, but it can't connect using something like "http://username:[email protected]/index.php/rpc"

How can I secure my server? is HTTP Authentification the solution? How make it to work ?

Thank you

[eluser]sramage[/eluser]
Finally I solve my problem by writing a new XML-RPC library for CI based on the lib found at http://phpxmlrpc.sourceforge.net
It works good and now I have more functionalities like gzip compression, HTTP Authentification.

Writing a new lib is very easy, CI is really powerful !

[eluser]johnwbaxter[/eluser]
Why don't you contribute your new libraries to the wiki?

[eluser]Leonard Yulianus[/eluser]
[quote author="sramage" date="1226000130"]Finally I solve my problem by writing a new XML-RPC library for CI based on the lib found at http://phpxmlrpc.sourceforge.net
It works good and now I have more functionalities like gzip compression, HTTP Authentification.

Writing a new lib is very easy, CI is really powerful ![/quote]

yeah i really want to see your approach to this problem...

[eluser]sramage[/eluser]
I don't know how put it on the wiki so I post here:

XML-RPC client library:

Code:

<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
/*
Client xml-rpc utilisant la bibliothèque xmlrpc de sourceforge
http://phpxmlrpc.sourceforge.net
*/
include(APPPATH.'libraries/xmlrpc/xmlrpc.inc');

class Xmlrpc_sf extends xmlrpc_client{
  var $method_name;
  var $request_val;
  var $fault_code;
  var $fault_string;
  var $response;
  
  function Xmlrpc_sf($params)
  {
    $server_url = $params[0];
    parent::xmlrpc_client($server_url);

  }
  function method($method) #indique la methode à utiliser
  {
    $this->method_name = $method;
  }
  function request($request=null) #indique les paramètres à envoyer pour la méthode
  {
    $this->request_val = php_xmlrpc_encode($request);
  }
  function send_request()
  {
    $message = new xmlrpcmsg($this->method_name,array($this->request_val));
    $response = $this->send($message);
    $this->fault_code = $response->faultCode();
    $this->fault_string = 'Error : '.$this->fault_code.' '.$response->faultString();
    if ($this->fault_code == 0){
      $this->response = $response->value();
    }
    return $this->fault_code == 0;
  }
  function display_error()
  {
    return $this->fault_string;
  }
  function display_response()
  {
    return php_xmlrpc_decode($this->response);
  }
}

?>

XML-RPC server library

Code:

<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
/*
Serveur xml-rpc utilisant la bibliothèque xmlrpc de sourceforge
http://phpxmlrpc.sourceforge.net
*/
include(APPPATH.'libraries/xmlrpc/xmlrpc.inc');
include(APPPATH.'libraries/xmlrpc/xmlrpcs.inc');

class Xmlrpcs_sf extends xmlrpc_server{

  function Xmlrpcs_sf($functions)
  {
    $functions['test.test'] = array('function' => array($this,'test'));
    $functions['test.echo_test'] = array('function' => array($this,'echo_test'));
    
    parent::xmlrpc_server($functions,0);
  }
  function send_response($resp)
  {
    $val_resp = php_xmlrpc_encode($resp);
    return new xmlrpcresp($val_resp);
  }
  
  #test functions
  function test()
  {
    #$response = array(date('d/m/Y H:i:s'),'string');
    $response = date('d/m/Y H:i:s');
    return $this->send_response($response);
  }
  function echo_test($request)
  {
    $params = php_xmlrpc_decode($request);
    $response = 'you said : "'.$params[0].'"';
    return $this->send_response($response);
  }

}

?>

the folder APPPATH/libraries/xmlrpc contain the xmlrpc files.

usage example :
client :

Code:

$server_url = 'http://username:[email protected]/index.php?/rpc/xmlrpc_srv';
$this->load->library('xmlrpc_sf',array($server_url));
    
$this->xmlrpc_sf->setRequestCompression('gzip');
$this->xmlrpc_sf->setAcceptedCompression('gzip');
$this->xmlrpc_sf->request_charset_encoding = 'UTF-8';

$this->xmlrpc_sf->request();
$this->xmlrpc_sf->method('test.test');
$response = $this->xmlrpc_sf->send_request();
echo $this->xmlrpc_sf->display_response();

$this->xmlrpc_sf->request('this is a string');
$this->xmlrpc_sf->method('my.function');
$response = $this->xmlrpc_sf->send_request();
echo $this->xmlrpc_sf->display_response();

server:

Code:

<?php

class Xmlrpc_srv extends Controller {

    function Xmlrpc_srv()
    {
        parent::Controller();    
        
        $RPC_USER = "username";
    $RPC_PASSWORD = "password";
        
      #Authentification

    $user = $this->input->server('PHP_AUTH_USER');
    $password = $this->input->server('PHP_AUTH_PW');
    if ($user != $RPC_USER OR $password != $RPC_PASSWORD){
      Header('WWW-Authenticate: Basic realm="rpc"');
      Header('HTTP/1.0 401 Unauthorized');
      exit();
    }

    }
        function index()
    {

  
    $functions = array();
$functions['my.function'] = array('function' => array($this,'sample_function'));
              
    $this->load->library('xmlrpcs_sf',$functions);
        $this->xmlrpcs_sf->service();
    }
function sample_function($request)
  {
    $params = php_xmlrpc_decode($request);
    $response = 'you said : "'.$params[0].'"';
    return $this->send_response($response);
  }
?>

[eluser]iDVB[/eluser]
Is this really a reliable/secure way to authenticate? Can't someone just sniff your user name and pass?

I'm also currently looking for an XML-RPC authentication method.

[eluser]sramage[/eluser]
Hi !
it's just an HTTP Basic Authentification so someone can sniff the username and password just like a website that use basic HTTP Authentification.
If you want an more secure system, maybe you need to use ssl.

[eluser]WebMada[/eluser]
I don't understand the problem in this topic: Why don't using the XML RPC library coming with CI?

In fact, is not there a system of session, token and authentication in XML RPC?