[Zope-dev] XMLRPC and Basic Auth problems

Tim Hoffman timhoffman@cams.wa.gov.au
15 Aug 2002 10:51:37 +0800


I have had further from Adam Megacz <adam@megacz.com> the author of XWT
on this issue.

I believe I should raise a collector issue on this; however, do
people believe this is a correct assessment of the situation?


======================================================================
Tim Hoffman <timhoffman@cams.wa.gov.au> writes:
> The xmlrpc spec doesn't say anything about authentication.
> ...
> I suppose this whole area is pretty vague.

Actually, it references the HTTP spec, which is quite clear about
requiring a 401.

  http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2

Without the 401, you don't know the authentication realm,
authentication type, or digest nonce -- three things you need to know
in order to authenticate (although the last one is only needed for
Digest auth, not Basic Auth).

Unfortunately, it seems that a lot of XML-RPC libraries are broken in
this manner. I'm working with the Apache people right now on fixing
the Java libraries -- could you please work with the Python people to
get this fixed?

I think this is a result of the fact that HTTP Auth isn't used very
often in XML-RPC, although it should be. I'm working on an RFC for
XML-RPC, and I will certainly include some wording which underscores
the importance of the 401 response.

    http://www.xwt.org/xmc/draft-megacz-xmc-05.txt

  - a

-- 
Sick of HTML user interfaces?
www.xwt.org
=========================================================================



On Thu, 2002-08-15 at 10:47, Tim Hoffman wrote:
> Hi
> 
> I am working on a project that uses XWT (xwt.org) as a frontend to Zope.
> 
> XWT uses XMLRPC to communicate with a backend (in this case Zope).
> 
> XWT expects an Error 401 if authentication is required on an XMLRPC
> call, so that it can negotiate the correct auth method.
> 
> The author of XWT sent the following email to me
> 
> >Tim, I've got a piece of the answer -- your server needs to return an
> >HTTP 401 (Unauthorized) if no username/password is provided. This
> >response includes the challenge that XWT needs in order to build an
> >authentication request (realm, digest nonce challenge, etc).
> 
> However what Zope is doing is sending back a <fault> in the 
> XMLRPC <methodResponse> packet. 
> 
> So it appears to me that Zope doesn't send a http response 401 for 
> XMLRPC (over http), but will send a 401 back to the browser.
> 
> XMLRPC doesn't say anything about authentication, so I suppose either
> method is acceptable. However because XMLRPC is implemented 
> on top of http, I would have thought a http approach (ie error 401)
> would be used.
> 
> It appears that this behaviour is fundamental to Zope and is not an
> artifact of cookie auth in CMF etc..
> 
> Is this really correct behaviour?
> 
> Regards
> 
> Tim Hoffman
> 
> 
>  
> 
> 
> _______________________________________________
> Zope-Dev maillist  -  Zope-Dev@zope.org
> http://lists.zope.org/mailman/listinfo/zope-dev
> **  No cross posts or HTML encoding!  **
> (Related lists - 
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope )
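The two server behaviours discussed in this thread, side by side, as an added example that is not part of the thread and not Zope's or XWT's own code: one handler answers an unauthenticated XML-RPC POST with an HTTP 401 carrying a WWW-Authenticate challenge, the other wraps the refusal in an XML-RPC fault inside a 200 response, and a small client-side parser shows what a client can and cannot recover from each. The realm name and the user table are constructed for the demo.

```python
import base64
import xmlrpc.client

REALM = "Zope"              # constructed realm name for the demo
USERS = {"tim": "secret"}   # constructed credential store for the demo


def check_basic(auth_header):
    """Return the user name if an 'Authorization: Basic ...' header carries
    valid credentials, else None (missing, malformed or wrong password)."""
    if not auth_header or not auth_header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[6:].strip(), validate=True)
        user, _, password = raw.decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if USERS.get(user) == password else None


def handle_with_401(headers, body):
    """HTTP-style refusal: a 401 plus a challenge naming scheme and realm,
    which is the information the thread says a client needs in order to
    build its authentication request. Returns (status, headers, body)."""
    user = check_basic(headers.get("Authorization"))
    if user is None:
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}, b""
    params, method = xmlrpc.client.loads(body)
    result = {"user": user, "method": method, "params": list(params)}
    return 200, {"Content-Type": "text/xml"}, xmlrpc.client.dumps(
        (result,), methodresponse=True).encode()


def handle_with_fault(headers, body):
    """The behaviour the thread attributes to Zope: a <fault> inside the
    <methodResponse> with HTTP status 200. Nothing here tells the client
    which auth scheme or realm to use."""
    if check_basic(headers.get("Authorization")) is None:
        fault = xmlrpc.client.Fault(401, "Unauthorized")
        return 200, {"Content-Type": "text/xml"}, xmlrpc.client.dumps(fault).encode()
    return handle_with_401(headers, body)


def parse_challenge(www_authenticate):
    """Client side: split 'Basic realm="Zope"' into (scheme, params).
    A plain comma split; enough for Basic and simple Digest challenges,
    not for parameters that contain quoted commas."""
    scheme, _, rest = www_authenticate.partition(" ")
    params = {}
    for part in rest.split(","):
        key, _, value = part.strip().partition("=")
        if key:
            params[key.lower()] = value.strip().strip('"')
    return scheme.lower(), params
```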