XMLRPC and HTTP authentication
ducktape - October 17, 2008 - 08:03
| Project: | Secure Site |
| Version: | 5.x-1.5 |
| Component: | Documentation |
| Category: | support request |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | closed |
Description
I have recently run into some problems with XMLRPC, which were caused by Secure Site.
Simply put, when Secure Site is enabled, XMLRPC is not possible any more. I had the problem with my own xmlrpc module, but I have also tested with Services module.
I've checked the module and I can see there is an exclusion for cron.php. I suppose the same should be done for xmlrpc.php, unless there's a reason not to do it.

#1
Personally I am not really comfortable with the cron exclusion. With better documentation users should be able to set up cron to authenticate every time it runs. However, allowing cron to run anonymously is not a big issue because the user does not control anything. Allowing XMLRPC to run anonymously would be very different.
If you specify the XMLRPC client you are using, I can help you find a way to authenticate your connection.
#2
I'm using Drupal's XMLRPC actually, to copy content from one site to another.
I suppose doing a post request to the login url should fix my problems then?
#3
I'm not aware of a Drupal XMLRPC client module. If you are using the XMLRPC API module, the module page explains how to do HTTP authentication.
#4
Here is some CURL code I stumbled upon a while ago. I have not used or even tested it, but in theory it should allow for HTTPS + HTTP AUTH requests.
This might be a way of authenticating an XMLRPC request when securesite is enabled with HTTP AUTH.
If you have curl installed and you are not using another API / library / module, this could be something worth looking into.
Hope it helps.
<?php
// Initialize cURL session
$curl = curl_init();
// Specify the username/password to use, or leave blank for no auth
$user = "username";
$password = "password";
// destination url
$url = "https://www.example.com/cron.php";
// Set cURL parameters for this transaction
// Load in the destination URL
curl_setopt($curl, CURLOPT_URL, $url);
// tell cURL we're doing a PUT
curl_setopt($curl, CURLOPT_PUT, TRUE);
// Place a nice friendly user-agent
curl_setopt($curl, CURLOPT_USERAGENT, "Mozilla/4.0");
// return the output instead of displaying it
curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE);
// provide credentials if they're established at the beginning of the script
if (!empty($user) && !empty($password)) {
  curl_setopt($curl, CURLOPT_USERPWD, $user . ":" . $password);
}
// for HTTPS URLs, have cURL verify the server's SSL certificate
// (ereg() is gone from current PHP, so preg_match() is used instead)
if (preg_match('/^https/', $url)) {
  curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, TRUE);
}
// execute
$result = curl_exec($curl);
// Tidy up!
curl_close($curl);
?>
#5
I assume one of our suggestions worked.
#6
The problem is in _xmlrpc(). It hard-codes the headers array given to drupal_http_request(). A work-around would be to write your own version of _xmlrpc().
#7
Patch attached.
#8
Clarified example.
#9
The credentials may also be specified in the URL, i.e. http://peter:secret@example.com/xmlrpc.
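What the URL form in comment #9 amounts to on the wire, shown as an added example that is not part of the original thread and is not Drupal or Secure Site code: the userinfo part of the URL becomes an `Authorization: Basic` header, which is only base64-encoded, so the code refuses non-HTTPS URLs by default and returns a credential-free URL that is safe to write to logs. The function name `split_url_credentials()`, its `$allow_plain_http` parameter and the sample URLs are assumptions made for illustration.

```php
<?php
// Added example; split_url_credentials() is a hypothetical helper, not a Drupal API.

/**
 * Split "scheme://user:pass@host/path" into a credential-free URL and the
 * Authorization header an HTTP client would send for it.
 */
function split_url_credentials($url, $allow_plain_http = FALSE) {
  $parts = parse_url($url);
  if ($parts === FALSE || empty($parts['scheme']) || empty($parts['host'])) {
    throw new InvalidArgumentException('Not an absolute URL');
  }
  $scheme = strtolower($parts['scheme']);
  $header = NULL;
  if (isset($parts['user'])) {
    // Basic credentials are base64-encoded, not encrypted: without TLS
    // anyone on the network path can read them.
    if ($scheme !== 'https' && !$allow_plain_http) {
      throw new RuntimeException('Refusing to send Basic credentials over ' . $scheme);
    }
    // Userinfo is percent-encoded inside a URL; decode before building the header.
    $user = rawurldecode($parts['user']);
    $pass = isset($parts['pass']) ? rawurldecode($parts['pass']) : '';
    $header = 'Authorization: Basic ' . base64_encode($user . ':' . $pass);
  }
  // Rebuild the URL without userinfo: this is the form to log or display.
  $clean = $scheme . '://' . $parts['host']
    . (isset($parts['port']) ? ':' . $parts['port'] : '')
    . (isset($parts['path']) ? $parts['path'] : '/')
    . (isset($parts['query']) ? '?' . $parts['query'] : '');
  return array('url' => $clean, 'header' => $header);
}

// Constructed sample input, modelled on the URL form in comment #9.
$samples = array(
  'https://peter:secret@example.com/xmlrpc',
  'https://peter:p%40ss%3Aword@example.com/xmlrpc.php',
  'http://peter:secret@example.com/xmlrpc',
);
foreach ($samples as $sample) {
  try {
    $r = split_url_credentials($sample);
    print $r['url'] . ' => ' . $r['header'] . "\n";
  }
  catch (RuntimeException $e) {
    // Print only the reason, never the URL that still carries the password.
    print 'rejected: ' . $e->getMessage() . "\n";
  }
}
```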
#10
Can we add some more code comments -- it is not obvious that we do the shifting to support authentication.
#11
c960657 showed that this is not necessary in comment #9. As I cannot think of other cases where it is necessary to send custom headers in XMLRPC requests, I'm moving this back to the Secure Site documentation queue.
#12
Fixed in revision 631594.
#13
Automatically closed -- issue fixed for 2 weeks with no activity.