[nycphp-talk] Authentication with XML-RPC

Jayesh Sheth jayeshsh at ceruleansky.com
Sat Jun 12 09:56:40 EDT 2004


Hello Adam and Max,

thanks very much for your responses to my question regarding 
authentication with XML-RPC. Sorry for the delayed response.

Adam, I just posted a review to Amazon. It might take a while to appear, 
but here is what I wrote:

----
David Sklar has written a book on a subject that most other PHP authors 
have ignored, and which many PHP programmers have failed to consider: 
how using pre-made, existing libraries effectively can save you hours of 
writing (and re-writing) PHP code.

There are many external libraries available to PHP, some under the PEAR 
brand ( http://pear.php.net ) and others by individual authors or 
companies.

If you would like to automate the creation, processing and validation of 
form processing, there's HTML_QuickForm. If you'd like to implement a 
templating system to separate presentation logic from other programming 
logic, there's Smarty. If you would like to set up a lightweight, yet 
completely usable and effective web services platform, there's the PEAR 
XML-RPC library.

In many of these cases, the online documentation is too complicated or 
technical (e.g. HTML_QuickForm) or too skimpy (PEAR XML-RPC). Enter 
David Sklar's book!

David uses concise, clear language with plenty of examples to explain 
how a certain library works. He goes through it step-by-step, first with 
a paragraph of descriptive text, then with a snippet of code elucidating 
what was previously mentioned.

He manages to cover just enough ground to enable you to grasp how to use 
a certain library without boring you to tears with extraneous, 
non-essential information.

If you would like to avoid re-inventing the wheel and the introduction 
of bugs (that almost always follows the insertion of new, untested 
code), I suggest you procure a copy of Essential PHP Tools today, and 
read it cover-to-cover!
----

Max, thank you for your offer of examples and help. Any examples that 
you can provide would be helpful, but I did uncover something 
interesting at the PEAR website documentation page for the XML-RPC 
library ( 
http://pear.php.net/manual/en/package.webservices.xml-rpc.api.php ):

there is a setCredentials method, which (apparently) allows you to 
specify the username and password required to POST to an htaccess 
protected PHP (XML-RPC Server) file -

"setCredentials

$client->setCredentials ($username, $password)

This method sets the username and password for authorizing the client to 
a server. With the default (HTTP) transport, this information is used 
for HTTP Basic authorization."

I hope I am understanding this correctly. If I did, then I think it 
would work like this. Suppose I uploaded the XML-RPC server part of the 
script to http://www.mydomain.com/server/server.php
then I would have to protect the files in the "server" directory with an 
htaccess username and password. Then, when the client version of the 
XML-RPC script (say, residing on http://localhost/client/client.php) 
tries to POST an XML request to 
http://www.mydomain.com/server/server.php, it will need to know the 
htaccess username and password in order to do so.

Here is the relevant code from the XML-RPC class (with only some 
relevant information left in):

------
[from RPC.php]

    function setCredentials($u, $p)
    {
        $this->username = $u;
        $this->password = $p;
    }

    // [...]

    function sendPayloadHTTP10($msg, $server, $port, $timeout=0,
                               $username = "", $password = "")
    {
        // [...]

        $credentials = "";
        if ($username != "") {
            $credentials = "Authorization: Basic " .
                base64_encode($username . ":" . $password) . "\r\n";
        }

        // [...]
    }

------

Initially I was worried about maintaining "state" so that the XML-RPC 
client would not have to resend the password each time to the XML-RPC 
server. But, then I realized that when a browser accesses an htaccess 
protected site, it just caches the username and password and resends it 
on each request to the site. So, since the XML-RPC client is a PHP 
script too, it can also (conceivably) read the username and password and 
resend it each time an XML POST is made.

Systems like PEAR's Auth library use cookies / sessions to keep track of 
logged in users, and users do not want to keep reentering their 
usernames and passwords. But in the case of a programmatic XML-RPC 
client, maybe this simple approach will work ...

I still have not tried any of this yet, but I plan to base my prototype 
on this good article by Harry Fuecks:

http://www.sitepoint.com/print/own-web-service-php-xml-rpc

He is using Keith Devens' library - but Fuecks' sample code does not 
work on my version of PHP (4.3.2). Something about ... "Call-time 
pass-by-reference" having been "deprecated". I am not sure what that is 
all about (I probably should know ...), but if anyone has an idea, 
please let me know.

Sorry for being long-winded here - but I had a lot of stuff to get in. 
Maybe I should have made multiple emails for each subject. Next time (I 
promise).

Best Regards,

- Jay


-- 
Cerulean Sky Creations, LLC
http://www.ceruleansky.com
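
Added example, not part of the original message or of PEAR's RPC.php: the header built in sendPayloadHTTP10() is only base64-encoded, so anyone who receives or observes it can recover the password, and it travels with every request. The sketch below builds that header, decodes it again, and performs the kind of check the protected server side does, refusing requests that did not arrive over TLS. The function names, the sample credentials and the use of current PHP (7.1 or later) are assumptions.

```php
<?php
// Added example; function names and sample values are hypothetical.

// Client side: the same header value sendPayloadHTTP10() builds for each POST.
function basic_auth_header(string $username, string $password): string
{
    return "Authorization: Basic " . base64_encode($username . ":" . $password);
}

// Server side: recover the username/password pair, or null if malformed.
function parse_basic_auth(string $header): ?array
{
    $prefix = "Authorization: Basic ";
    if (strncasecmp($header, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Strict mode rejects characters outside the base64 alphabet.
    $decoded = base64_decode(trim(substr($header, strlen($prefix))), true);
    if ($decoded === false || strpos($decoded, ":") === false) {
        return null;
    }
    // Split on the first colon only: the password may itself contain colons.
    return explode(":", $decoded, 2);
}

// Server side: require TLS, then compare against a stored password hash.
function is_authorized(string $header, bool $overTls,
                       string $expectedUser, string $passwordHash): bool
{
    if (!$overTls) {
        return false; // base64 is an encoding, not encryption
    }
    $creds = parse_basic_auth($header);
    if ($creds === null) {
        return false;
    }
    $userOk = hash_equals($expectedUser, $creds[0]); // constant-time compare
    $passOk = password_verify($creds[1], $passwordHash);
    return $userOk && $passOk;
}

// Constructed sample credentials, stored server-side as a hash only.
$hash   = password_hash("s3cret:with:colons", PASSWORD_DEFAULT);
$header = basic_auth_header("rpcclient", "s3cret:with:colons");

echo $header, "\n";
var_dump(parse_basic_auth($header));                         // decoded pair
var_dump(is_authorized($header, true, "rpcclient", $hash));  // over TLS
var_dump(is_authorized($header, false, "rpcclient", $hash)); // plain HTTP
```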



