views: 738
answers: 1

I need to make an XMLRPC request that has to be authenticated, and have found limited documentation on the authentication side of XMLRPC. What's the best way to go about this? Right now I'm using the code below but still getting an authentication failure. Is there a different way to specify the client, then call a secondary auth method?

require "xmlrpc/client"

client = XMLRPC::Client.new(@xmlrpc_url, "/xmlrpc.php", "443", nil, nil, @username, @password, true, 900)
A: (+1)

...I'm using the code below but still getting an authentication failure

Double-check that the remote webserver is accepting HTTP Basic Authentication for the resource /xmlrpc.php, and that it further accepts your @username and @password.

Per the docs, your XMLRPC incantation for an RPC client.call("bwizzy") will generate something with Basic Auth like this:

POST /xmlrpc.php HTTP/1.1
User-Agent: XMLRPC::Client (Ruby 1.9.1)
Content-Type: text/xml; charset=utf-8
Content-Length: 88
Connection: keep-alive
Authorization: Basic c3RhY2s6b3ZlcmZsb3c=
Accept: */*
Host: localhost

<?xml version="1.0"><methodCall><methodName>bwizzy</methodName></params></methodCall>

(Please don't complain to me about the order of those headers -- that's what I see on the wire! :))

Now, XML-RPC does not itself provide for authentication, so you have a few general options:

  1. Use typical "web auth" techniques
    HTTP Authorization schemes, like you are currently using. Trusted client-side certs. Cookie authentication tokens. Etc.
    Typical web auth techniques carry common risks, however. Poke around SO for more guidance here.

  2. Extend the RPC functions to support user-defined auth
    For example, the RPC call bwizzy might take a username and password as arguments.
    Or a login RPC function might generate a time-limited token to be used as a Cookie.
    This approach is invasive -- now your RPC calls have to be auth-aware -- and error-prone -- now you have to implement auth yourself.

  3. Extend XML-RPC itself
    The XML-RPC calls could themselves be signed, or signed and encrypted, for example à la SOAP's digital signatures.

pilcrow
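As an added illustration (my own code, not from the answer above or from the Ruby XMLRPC library), the following stand-alone Ruby script puts two of the options side by side: what the `Authorization: Basic ...` header in the wire dump actually carries, and a minimal version of option 2's "login" RPC function that hands out a time-limited, HMAC-signed token which the other RPC functions then verify. The shared secret, the user table, the function names (`rpc_login`, `verify_token`, `rpc_bwizzy`) and the token layout are all assumptions made for this demo; nothing here is the library's API.

```ruby
require "openssl"
require "json"

# --- Option 1: what "Authorization: Basic ..." actually carries -------------

# The header value sent when user/password are given: base64("user:password").
def basic_auth_header(user, password)
  "Basic " + ["#{user}:#{password}"].pack("m0")
end

# Reverse of the above. Basic is encoding, not encryption: anyone who sees the
# header recovers the password, which is why the use_ssl=true argument matters.
def decode_basic_auth(header)
  scheme, value = header.to_s.split(" ", 2)
  return nil unless scheme == "Basic" && value
  user, password = value.unpack1("m0").force_encoding("UTF-8").split(":", 2)
  password.nil? ? nil : [user, password]
rescue ArgumentError # not valid base64
  nil
end

# --- Option 2: a login RPC function that hands out a time-limited token -----

# Constructed demo values (assumption). A real server loads the secret from
# configuration and stores salted password hashes, not plaintext passwords.
SERVER_SECRET = "constructed-demo-secret".freeze
USERS = { "stack" => "overflow" }.freeze

# Constant-time equality: hash both sides to a fixed length, then XOR bytewise,
# so a wrong password or MAC does not leak how many leading bytes matched.
def secure_equal?(a, b)
  da = OpenSSL::Digest::SHA256.digest(a.to_s)
  db = OpenSSL::Digest::SHA256.digest(b.to_s)
  da.bytes.zip(db.bytes).sum { |x, y| x ^ y }.zero?
end

def hmac_hex(data, secret)
  OpenSSL::HMAC.hexdigest("SHA256", secret, data)
end

# "login" RPC: credentials in, token out (nil on failure).
# token = base64(JSON{sub, exp}) "." HMAC-SHA256(base64 part)
# The MAC lets the server verify the token without keeping session state.
def rpc_login(username, password, secret: SERVER_SECRET, ttl: 900, now: Time.now.to_i)
  stored = USERS[username]
  return nil unless stored && secure_equal?(stored, password)
  payload = [JSON.generate({ "sub" => username, "exp" => now + ttl })].pack("m0")
  "#{payload}.#{hmac_hex(payload, secret)}"
end

# Returns the username a token was issued to, or nil when the token is missing,
# malformed, tampered with (MAC mismatch) or past its expiry.
def verify_token(token, secret: SERVER_SECRET, now: Time.now.to_i)
  payload, mac = token.to_s.split(".", 2)
  return nil if payload.nil? || mac.nil?
  return nil unless secure_equal?(mac, hmac_hex(payload, secret)) # check MAC before parsing anything
  data = JSON.parse(payload.unpack1("m0").force_encoding("UTF-8"))
  return nil unless data.is_a?(Hash) && data["exp"].is_a?(Integer) && data["exp"] > now
  data["sub"]
rescue ArgumentError, JSON::ParserError
  nil
end

# An ordinary RPC function made auth-aware: the token travels as its first argument.
def rpc_bwizzy(token, now: Time.now.to_i)
  user = verify_token(token, now: now)
  user ? "bwizzy for #{user}" : "auth failed"
end

if __FILE__ == $PROGRAM_NAME
  puts decode_basic_auth("Basic c3RhY2s6b3ZlcmZsb3c=").inspect # ["stack", "overflow"]
  t0 = 1_700_000_000
  token = rpc_login("stack", "overflow", now: t0)
  puts rpc_bwizzy(token, now: t0 + 10)       # bwizzy for stack
  puts rpc_bwizzy(token, now: t0 + 901)      # auth failed (expired)
  puts rpc_bwizzy(token + "x", now: t0 + 10) # auth failed (MAC mismatch)
end
```

The `now:` keyword exists only so expiry can be exercised deterministically; in a server you would leave it at its default. Note the order of checks in `verify_token`: the MAC is verified before the payload is decoded or parsed, so malformed input from an unauthenticated caller never reaches the JSON parser.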