On Wed, 2002-10-23 at 04:49, NAKAMURA, Hiroshi wrote:
> Hi,
> 
> > From: Daniel Berger
> > Sent: Wednesday, October 23, 2002 5:58 AM
> 
> > I want to implement some very basic security for an XMLRPC server.  My
> > first filter was going to be to restrict access by IP address.  Is there
> > a way to snag the client's IP from an XMLRPC::Server object from within a
> > service hook?  I listed the object methods, but nothing stood out at me.
> 
> GServer (which is a base of HttpServer which is a base
> of XMLRPC::*Servers) does not have functionalities about
> authentication/authorization (same as standaloneServer
> of SOAP4R, BTW).
> 
> Can you run your server with XMLRPC::CGIServer on WEBrick,
> Apache or some httpd?  Those httpds have IP-based/BasicAuth
> authentication/authorization functionalities.

There's also a WEBrickServlet server for xmlrpc4r.
Maybe this helps.

> Doubt me... WEBrick might not have IP-based restriction
> function by default.
> 
> > If not, I'd like to see that functionality added.
> 
> MNeumann: what do you think?

I've added an ip_auth_handler method in class Server, which is called
from method serve (in httpserver.rb) before request_handler is called.
This method should return true if the client is allowed to connect,
otherwise false.
This way, you can simply override Server#ip_auth_handler to perform
IP-based restrictions.

What's the right status code when IP auth disallows access? 
405 - Method not allowed?


Regards,

  Michael
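
Added example, not part of the original message and not xmlrpc4r's own code: a sketch of the override described above, with a CIDR allowlist that fails closed. SketchServer is a hypothetical stand-in that only models the call order (ip_auth_handler before request_handler); the hook's argument (the peer address as a string), the allowlist ranges and the 403 Forbidden denial are assumptions of this example.

```ruby
require 'ipaddr'

# Constructed allowlist (loopback plus a documentation range); replace with your own.
ALLOWED_NETS = %w[127.0.0.1/32 ::1/128 192.0.2.0/24].map { |n| IPAddr.new(n) }

# Hypothetical stand-in for the server described in the message: serve calls
# ip_auth_handler first and only reaches request_handler when it returns true.
class SketchServer
  def serve(peer_addr, body)
    # 403 Forbidden: the server understood the request but refuses it.
    return [403, "Forbidden"] unless ip_auth_handler(peer_addr)
    [200, request_handler(body)]
  end

  # Default hook: every client is allowed (assumed signature).
  def ip_auth_handler(_peer_addr)
    true
  end

  def request_handler(body)
    "handled: #{body}"
  end
end

# The override: allow only peers inside ALLOWED_NETS.
class RestrictedServer < SketchServer
  def ip_auth_handler(peer_addr)
    # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d;
    # native converts those back to IPv4 so the IPv4 ranges match.
    ip = IPAddr.new(peer_addr).native
    ALLOWED_NETS.any? { |net| net.include?(ip) }
  rescue IPAddr::Error
    false # unparsable peer address: deny rather than allow
  end
end

if $PROGRAM_NAME == __FILE__
  server = RestrictedServer.new
  # Constructed sample peers.
  %w[192.0.2.7 ::ffff:192.0.2.7 198.51.100.9 not-an-ip].each do |peer|
    puts "#{peer} -> #{server.serve(peer, 'ping').inspect}"
  end
end
```

Use the socket's peer address for this check, not a client-supplied header such as X-Forwarded-For, unless a trusted proxy sets that header.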