[Zope] Security + XMLRPC

Phillip J. Eby pje@telecommunity.com
Tue, 12 Oct 1999 14:00:17 -0500


At 03:16 AM 10/13/99 +0800, chas wrote:
>
>c) The data/information itself. Since there is no authentication 
>   with XMLRPC, 

Not true.  Authentication is simply not part of the XMLRPC standard; any
HTTP-based authentication mechanism can be used, including cookies and
Basic authentication.  You just have to add the appropriate headers to your
POST, and the receiving server has to be able to handle it.  Zope certainly
can do this.

For both encryption and authentication purposes, however, using SSL would
probably be a good idea, especially if you can make use of client
certificates, which can be a pretty strong authentication method compared to
passwords and the like.  Zope can make use of these too, if you write an
appropriate UserFolder class based on certificate DN's.
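
The exchange described in the message above, as an added example that is not part of the original post and is not Zope's own code: a client attaches an HTTP Basic Authorization header to an XML-RPC POST, and the receiving server checks it before parsing the payload. It uses Python 3's standard xmlrpc.client module; the names USERS, build_request, authenticate and handle, the /RPC2 path, the realm string and the sample account are assumptions made for illustration.

```python
import base64
import hmac
import xmlrpc.client

# Constructed sample account, for illustration only.
USERS = {"chas": "s3cret-example"}

def build_request(method, params, user, password, path="/RPC2"):
    """Client side: an XML-RPC POST carrying an HTTP Basic Authorization header."""
    body = xmlrpc.client.dumps(params, methodname=method).encode("utf-8")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    headers = {
        "Content-Type": "text/xml",
        "Content-Length": str(len(body)),
        # Base64 is an encoding, not encryption: send this only over SSL/TLS.
        "Authorization": f"Basic {token}",
    }
    return path, headers, body

def authenticate(headers):
    """Server side: return the user name if the Basic credentials check out, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or invalid UTF-8
        return None
    user, sep, password = decoded.partition(":")
    expected = USERS.get(user)
    if not sep or expected is None:
        return None
    # Constant-time comparison of the submitted and stored password.
    ok = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return user if ok else None

def handle(headers, body):
    """Server side: refuse unauthenticated requests before touching the XML payload."""
    user = authenticate(headers)
    if user is None:
        return 401, {"WWW-Authenticate": 'Basic realm="xmlrpc"'}, b""
    params, method = xmlrpc.client.loads(body)
    reply = xmlrpc.client.dumps((f"{user} called {method}{params}",), methodresponse=True)
    return 200, {"Content-Type": "text/xml"}, reply.encode("utf-8")
```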