| Andrew Cooke | Contents | Latest | RSS | Twitter | Previous | Next

C[omp]ute

Welcome to my blog, which was once a mailing list of the same name and is still generated by mail. Please reply via the "comment" links.

Always interested in offers/projects/new ideas. Eclectic experience in fields like: numerical computing; Python web; Java enterprise; functional languages; GPGPU; SQL databases; etc. Based in Santiago, Chile; telecommute worldwide. CV; email.

Personal Projects

Lepl parser for Python.

Colorless Green.

Photography around Santiago.

SVG experiment.

Professional Portfolio

Calibration of seismometers.

Data access via web services.

Cache rewrite.

Extending OpenSSH.

C-ORM: docs, API.

Last 100 entries

Calling C From Fortran 95; Bjork DJ Set; Z3 Example With Python; Week 1; Useful Guide To Starting With IJulia; UK Election + Media; Review: Reinventing Organizations; Inline Assembly With Julia / LLVM; Against the definition of types; Dumb Crypto Paper; The Search For Quasi-Periodicity...; Is There An Alternative To Processing?; CARDIAC (CARDboard Illustrative Aid to Computation); The Bolivian Case Against Chile At The Hague; Clear, Cogent Economic Arguments For Immigration; A Program To Say If I Am Working; Decent Cards For Ill People; New Photo; Luksic And Barrick Gold; President Bachelet's Speech; Baltimore Primer; libxml2 Parsing Stream; configure.ac Recipe For Library Path; The Davalos Affair For Idiots; Not The Onion: Google Fireside Chat w Kissinger; Bicycle Wheels, Inertia, and Energy; Another Tax Fraud; Google's Borg; A Verion That Redirects To Local HTTP Server; Spanish Accents For Idiots; Aluminium Cans; Advice on Spray Painting; Female View of Online Chat From a Male; UX Reading List; S4 Subgroups - Geometric Interpretation; Fucking Email; The SQM Affair For Idiots; Using Kolmogorov Complexity; Oblique Strategies in bash; Curses Tools; Markov Chain Monte Carlo Without all the Bullshit; Email Para Matias Godoy Mercado; The Penta Affair For Idiots; Example Code To Create numpy Array in C; Good Article on Bias in Graphic Design (NYTimes); Do You Backup github?; Data Mining Books; SimpleDateFormat should be synchronized; British Words; Chinese Govt Intercepts External Web To DDOS github; Numbering Permutations; Teenage Engineering - Low Price Synths; GCHQ Can Do Whatever It Wants; Dublinesque; A Cryptographic SAT Solver; Security Challenges; Word Lists for Crosswords; 3D Printing and Speaker Design; Searchable Snowden Archive; XCode Backdoored; Derived Apps Have Malware (CIA); Rowhammer - Hacking Software Via Hardware (DRAM) Bugs; Immutable SQL Database (Kinda); Tor GPS Tracker; That PyCon Dongle Mess...; ASCII Fluid Dynamics; Brandalism; Table of Shifter, Cassette and Derailleur Compatability; Lenovo Demonstrates How Bad HTTPS Is; Telegraph Owned by HSBC; Smaptop - Sunrise (Music); Equation Group (NSA); UK Torture in NI; And - A Natural Extension To Regexps; This Is The Future Of Religion; The Shazam (Music Matching) Algorithm; Tributes To Lesbian Community From AIDS Survivors; Nice Rust Summary; List of Good Fiction Books; Constructing JSON From Postgres (Part 2); Constructing JSON From Postgres (Part 1); Postgres in Docker; Why Poor Places Are More Diverse; Smart Writing on Graceland; Satire in France; Free Speech in France; MTB Cornering - Where Should We Point Our Thrusters?; Secure Secure Shell; Java Generics over Primitives; 2014 (Charlie Brooker); How I am 7; Neural Nets Applied to Go; Programming, Business, Social Contracts; Distributed Systems for Fun and Profit; XML and Scheme; Internet Radio Stations (Curated List); Solid Data About Placebos; Half of Americans Think Climate Change Is a Sign of the Apocalypse; Saturday Surf Sessions With Juvenile Delinquents; Ssh, tty, stdout and stderr; Feathers falling in a vacuum; Santiago 30m Bike Route

© 2006-2015 Andrew Cooke (site) / post authors (content).

Basic HTTP Authentication with XMLRPC in Python

From: "andrew cooke" <andrew@...>

Date: Wed, 31 Dec 2008 17:42:05 -0300 (CLST)

I couldn't find anywhere on the 'net that clearly documented this - there
are various old discussions, but they tend to be out of date.  So here's a
brief sketch of what works.

[Note that HTTP basic authentication - RFC 2617
http://www.faqs.org/rfcs/rfc2617.html - effectively sends username and
password as cleartext.  This is not secure.  As far as I can tell, digest
authentication is not supported, so a more secure (but more complex)
solution would involve SSL (a possible compromise would be basic auth over
SSL, which would only require a server certificate, but which has its own
limitations).]

On the client side, nothing is needed except that username and password
should be placed in the URL used.  The libraries used by xmlrpclib will
construct the correct HTTP header (see below).  So the client code is
simply:

  import xmlrpclib
  server = xmlrpclib.ServerProxy('http://user:pass@...')
  ...

But, obviously, a more typical use case would supply dynamic values.

This generates the Authorization HTTP header, with the format (RFC 2617):

  Authorization: Basic Zm9vOmJhcg==

where Zm9vOmJhcg== is the base64 encoding of, in this case, "foo:bar"
(username and password).  So validation is trivial once this header is
retrieved:

  from base64 import b64decode
  ...
  (basic, _, encoded) = \
    headers.get('Authorization').partition(' ')
  assert basic == 'Basic', 'Only basic authentication supported'
  (username, _, password) = b64decode(encoded).partition(':')
  assert username == 'foo'
  assert password == 'bar'

The only remaining part of the puzzle, then, is how to get the headers. 
Poking around in the source it seems that it is necessary to override
BaseHTTPServer.BaseHTTPRequestHandler.parse_request (which is subclassed
bySimpleXMLRPCServer.SimpleXMLRPCRequestHandler).

So a suitable server class would look like:


  from SimpleXMLRPCServer import SimpleXMLRPCServer, \
    SimpleXMLRPCRequestHandler

  class VerifyingServer(SimpleXMLRPCServer):

    def __init__(self, ..., *args, **kargs):
      # we use an inner class so that we can call out to the
      # authenticate method
      class VerifyingRequestHandler(SimpleXMLRPCRequestHandler):
        # this is the method we must override
        def parse_request(myself):
          # first, call the original implementation which returns
          # True if all OK so far
          if SimpleXMLRPCRequestHandler.parse_request(myself):
            # next we authenticate
            if self.authenticate(myself.headers):
              return True
            else:
              # if authentication fails, tell the client
              myself.send_error(401, 'Authentication failed')
          return False
      # and intialise the superclass with the above
      SimpleXMLRPCServer.__init__(self,
        requestHandler=VerifyingRequestHandler,
        *args, **kargs)

    def authenticate(self, headers):
      # see earlier

Note the distinction between "self" and "myself" above.

Andrew

Comment on this post