This patch adds authentication to Drupal's web service so clients accessing xmlrpc.php don't always have to be Anonymous. Implementation is simple:
1. Client requests an authentication token, basically a session id
2. Drupal checks their credentials (username/password) (system.getToken) and returns a token (same as a PHP session id). This is the same as a login through user/login, the current session id (Anonymous) becomes a user.
3. All subsequent requests sent by the web service client go to: /xmlrpc.php?token={session id}
4. xmlrpc.php was modified to recreate the session with the logged in user.
5. Unrelated, but felt compelled to fix. At the end of an anonymous xml-rpc request, the record from {sessions} is removed from the db. Not sure if this would break anybody's functionality, but it seems strange to me to keep that session id around.
Comment | File | Size | Author |
---|---|---|---|
#3 | xmlrpc_5.1.patch | 2.47 KB | ivanfi |
 | xmlrpc_10.patch | 2.64 KB | phrax |
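
Steps 1 to 4 of the description above, sketched as an added example (not the attached patch and not Drupal code), with Python's standard-library XML-RPC dispatcher standing in for xmlrpc.php. The `USERS` and `SESSIONS` tables and the `user.whoami` method are assumptions, and unlike step 2 the token here is generated fresh at login rather than reusing the anonymous session id.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs
from xmlrpc.client import Fault, dumps, loads
from xmlrpc.server import SimpleXMLRPCDispatcher

USERS = {"alice": "correct horse"}  # constructed account; real stores keep hashes
SESSIONS = {}                       # token -> username (stand-in for {sessions})


def get_token(username, password):
    """Steps 1-2: check the credentials and hand back a session token."""
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        raise Fault(401, "Wrong username or password")
    token = secrets.token_urlsafe(32)  # fresh value, minted only after login
    SESSIONS[token] = username
    return token


def handle(url, body):
    """Steps 3-4: serve one POST to /xmlrpc.php[?token=...]; returns response XML."""
    token = parse_qs(urlsplit(url).query).get("token", [""])[0]
    user = SESSIONS.get(token, "anonymous")  # unknown or missing token: Anonymous
    dispatcher = SimpleXMLRPCDispatcher(allow_none=True)
    dispatcher.register_function(get_token, "system.getToken")
    dispatcher.register_function(lambda: user, "user.whoami")  # hypothetical method
    return dispatcher._marshaled_dispatch(body)


def call(url, method, *params):
    """Client side: marshal a call, 'send' it, unmarshal the single return value."""
    request = dumps(params, methodname=method).encode()
    return loads(handle(url, request))[0][0]


if __name__ == "__main__":
    print(call("/xmlrpc.php", "user.whoami"))
    token = call("/xmlrpc.php", "system.getToken", "alice", "correct horse")
    print(call("/xmlrpc.php?token=" + token, "user.whoami"))
```

Because the token travels in the query string, it is recorded wherever request URLs are logged, so those logs need the same handling as a session cookie value.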
Comments
Comment #1
moshe weitzman commented
This looks like a reasonable implementation to me ... I don't like #5 since some modules rely on session data even for anon users.
Comment #2
coreb commented
Comment #3
ivanfi commented
I have tried to apply this patch on Drupal 5.1, but I had to make some small modifications to make it work. See the attached patch, which is an updated version of the original, although without item #5 of the original post.
Comment #4
ivanfi commented
I'm setting back the version to 6.x-dev, since I did not mean to make this a feature request for 5.1, just wanted to share the patch for Drupal 5.1 in case somebody needs it.
Comment #5
catch
No longer applies.
Comment #6
moshe weitzman commented
Ideally Drupal will implement the new OAuth spec for this - http://oauth.net/
Comment #7
Zothos commented
OAuth doesn't seem to be ready at the moment. But it's a real nice idea, definitely something for Drupal 7.
Comment #8
ankit_singh commented
Hi Guys
I am sorry, I don't have such deep technical knowledge as you guys.
I am currently facing 1 problem.
I am using Drupal 5.7 now and I made 3 websites for different purposes, but now I am thinking of making a web service in Java which will provide a common login for all 3 websites.
Now I am reading about the Service module but still can't figure out how to implement it.
So is it possible to do it like this, and can anybody please guide me on how I should implement this patch?
A quick reply will be really appreciated.
Thanks to all in advance.
Regards
Ankit
Comment #9
catch
Ankit, please don't hijack old issues for new support requests. A list of places to find support can be found at http://drupal.org/support
Comment #10
greg.harvey
This effort is being duplicated by the Services module, which doesn't seem sensible. Have you had a look at the User Service?
http://drupal.org/project/services
Comment #11
moshe weitzman commented
It is quite common for functionality to start in Contrib and then find its way to core. Quite sensible, and common.
Comment #12
greg.harvey
Oh, yes - I don't dispute that for an instant - but these seem to be separate efforts, not contrib becoming core...? I'm suggesting there could be some liaison with the Services guys - I'm not making any comment on development paths in general... just this one.
It might be that the Services guys can remove their login/logout methods from their D7 version, but if there's no communication and you're both building the same thing...! See my point?
Comment #15
eeriepanda commented
Many xmlrpc clients support cookies, why not just user_xmlrpc() {} and write a user_login wrapper function for it?
Comment #16
catch
Moving to D8.
Comment #17
sanseo commented
Hi
I have just configured a Drupal a/c here http://webhosting.ueuo.com/drupal/
but after logging in to the admin a/c I am not able to do anything,
the message always comes "You are not authorized to access this page."
Will you help me?
Comment #18
fgm
@eeriepanda #15: because, as your own comment implies, some xml-rpc clients do /not/ support cookies.
This being said I think we will need to have a serious discussion as soon as reasonable (too bad it couldn't be during DC Chicago) about what we are doing in D8 to unify the usual browser login, OAuth access, and the various web services implementations, from core xml-rpc to the still-vaporware rpc-over-smtp or native SOAP over HTTP, through all the features in Services module, including services and servers.
@sanseo #17: this does not seem to be related to this issue, does it?
Comment #19
dawehner
Comment #20
Wim Leers
By now, this is a duplicate of #2403307: RPC endpoints for user authentication: log in, check login status, log out.