Trac XmlRpcPlugin and HTTP digest authentication


Olemis Lang

Feb 15, 2012, 11:31:05 AM2/15/12
to trac-users
Hi !

I was looking for feedback just to know if somebody's been able to
setup XmlRpcPlugin and make it work with HTTP digest authentication .

I look forward to your reply . Thanks in advance !

--
Regards,

Olemis

Facebook => http://www.facebook.com/olemis
Twitter => http://www.twitter.com/olemislc (@olemislc)
Blog ES => http://simelo-es.blogspot.com
Blog EN => http://simelo-en.blogspot.com
Quora => http://www.quora.com/olemis
Youtube => http://youtube.com/user/greatsoftw


osimons

Feb 15, 2012, 1:58:14 PM2/15/12
to Trac Users
On Feb 15, 5:31 pm, Olemis Lang <ole...@gmail.com> wrote:
> I was looking for feedback just to know if somebody's been able to
> setup XmlRpcPlugin and make it work with HTTP digest authentication .
>
> I look forward to your reply . Thanks in advance !

Hi Olemis,

There is no problem using the RPC plugin with digest auth - or any
particular other auth for that matter. The RPC plugin just uses what
it gets from Trac, and if Trac can authenticate then the plugin is
fine with that.

The real problem is that CLIENTS generally don't support digest auth,
or any other particular auth mechanism other than lowest common
denominator: Basic Authentication. So something like Python xmlrpclib
only supports Basic auth. However, if you were to build a custom
client that provides its own authentication handlers, all should be
fine. Other clients for other platforms like Java, .Net or whatever
may support further mechanisms - including Digest. I don't know. But
in the end it all depends on the client.

If you configure a project with digest auth, you should have no
problem using curl to make authenticated calls to a Trac /rpc handler.
"man curl" for all details of curl options... :-)



:::simon

https://www.coderesort.com
http://trac-hacks.org/wiki/osimons
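Simon's point that a client with its own authentication handler works fine is easy to demonstrate with the standard library. The transport below is an added example written for this thread, not code from XmlRpcPlugin or Trac; it targets Python 3's xmlrpc.client (the successor of the xmlrpclib named above; the same idea works in Python 2 with urllib2). The endpoint URL is the one used later in this thread and the password is a placeholder. Note that Digest only protects the password exchange: the XML-RPC request body and any session cookie still travel in the clear over plain HTTP, so this is a complement to TLS, not a substitute.

```python
import urllib.parse
import urllib.request
import xmlrpc.client


class DigestTransport(xmlrpc.client.Transport):
    """xmlrpc.client Transport that answers HTTP Digest challenges.

    The default Transport only ever sends Basic credentials (taken from
    user:pass@host in the URL). This one hands the POST to a urllib opener
    fitted with HTTPDigestAuthHandler, so a 401 carrying
    "WWW-Authenticate: Digest ..." is answered with a Digest Authorization
    header. A server that never challenges simply gets an unauthenticated
    request, which is exactly how curl --digest behaves as well.
    """

    def __init__(self, url, username, password, realm=None):
        super().__init__()
        self.scheme = urllib.parse.urlsplit(url).scheme or "http"
        passwords = urllib.request.HTTPPasswordMgrWithDefaultRealm()
        # realm=None registers the credentials for whatever realm the
        # server's challenge names.
        passwords.add_password(realm, url, username, password)
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPDigestAuthHandler(passwords))

    def request(self, host, handler, request_body, verbose=False):
        # ServerProxy splits the URL for us: host is the netloc, handler
        # the path (e.g. /login/xmlrpc).
        url = "%s://%s%s" % (self.scheme, host, handler)
        req = urllib.request.Request(
            url, data=request_body,
            headers={"Content-Type": "text/xml",
                     "User-Agent": self.user_agent})
        # The opener transparently retries once with Authorization: Digest
        # if (and only if) the first answer is a 401 Digest challenge.
        with self.opener.open(req) as resp:
            self.verbose = verbose
            return self.parse_response(resp)


def make_proxy(url, username, password, realm=None):
    """ServerProxy for a Trac XML-RPC endpoint sitting behind Digest auth."""
    transport = DigestTransport(url, username, password, realm)
    return xmlrpc.client.ServerProxy(url, transport=transport)


if __name__ == "__main__":
    # Hypothetical local Trac with XmlRpcPlugin; PASSWORD_PLACEHOLDER is
    # not a real credential.
    proxy = make_proxy("http://localhost:8080/login/xmlrpc",
                       "admin", "PASSWORD_PLACEHOLDER")
    print(proxy.wiki.getPage("SandBox"))
```

If the server never sends a 401, the opener never adds credentials and Trac will see the call as anonymous, which is the failure mode discussed further down in this thread.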

Olemis Lang

Feb 15, 2012, 2:57:35 PM2/15/12
to trac-...@googlegroups.com
On Wed, Feb 15, 2012 at 1:58 PM, osimons <odds...@gmail.com> wrote:
> On Feb 15, 5:31 pm, Olemis Lang <ole...@gmail.com> wrote:
>> I was looking for feedback just to know if somebody's been able to
>> setup XmlRpcPlugin and make it work with HTTP digest authentication .
>>
>> I look forward to your reply . Thanks in advance !
>
> Hi Olemis,
>

:)

> There is no problem using the RPC plugin with digest auth - or any
> particular other auth for that matter. The RPC plugin just uses what
> it gets from Trac, and if Trac can authenticate then the plugin is
> fine with that.
>
> The real problem is that CLIENTS generally don't support digest auth,
> or any other particular auth mechanism other than lowest common
> denominator: Basic Authentication.

oh ! now I see .

> So something like Python xmlrpclib
> only supports Basic auth. However, if you were to build a custom
> client that provides its own authentication handlers, all should be
> fine. Other clients for other platforms like Java, .Net or whatever
> may support further mechanisms - including Digest. I don't know. But
> in the end it all depends on the client.
>
> If you configure a project with digest auth, you should have no
> problem using curl to make authenticated calls to a Trac /rpc handler.
> "man curl" for all details of curl options... :-)
>

Thnx for the pointer
;)

Feuermurmel

Aug 26, 2013, 11:45:18 AM8/26/13
to trac-...@googlegroups.com
Hi Simon


On Wednesday, February 15, 2012 7:58:14 PM UTC+1, osimons wrote:
There is no problem using the RPC plugin with digest auth - or any
particular other auth for that matter. The RPC plugin just uses what
it gets from Trac, and if Trac can authenticate then the plugin is
fine with that.

The real problem is that CLIENTS generally don't support digest auth,
or any other particular auth mechanism other than lowest common
denominator: Basic Authentication. So something like Python xmlrpclib
only supports Basic auth. However, if you were to build a custom
client that provides its own authentication handlers, all should be
fine. Other clients for other platforms like Java, .Net or whatever
may support further mechanisms - including Digest. I don't know. But
in the end it all depends on the client.

If you configure a project with digest auth, you should have no
problem using curl to make authenticated calls to a Trac /rpc handler.
"man curl" for all details of curl options... :-)
 
Are you sure? I'm not getting the XMLRPC interface to work using curl and digest authentication:

$ curl --data '<?xml version="1.0"?><methodCall><methodName>wiki.getPage</methodName><params><param><value><string>SandBox</string></value></param></params></methodCall>' --header 'Content-Type: text/xml' --digest --user "$user:$password" --dump-header - 'http://localhost:8080/login/xmlrpc'
HTTP/1.1 200 OK
Server: tracd/1.0.1 Python/2.6.8
Date: Mon, 26 Aug 2013 15:41:31 GMT
Content-Type: text/xml
Content-Length: 294
Set-Cookie: trac_session=67c4ffa3973fdfb495fd3d29; expires=Sun, 24-Nov-2013 15:41:31 GMT; httponly; Path=/

HTTP/1.1 200 OK
Server: tracd/1.0.1 Python/2.6.8
Date: Mon, 26 Aug 2013 15:41:31 GMT
Content-Type: text/xml
Content-Length: 356
Set-Cookie: trac_session=ac78955d5ab422c55597d41d; expires=Sun, 24-Nov-2013 15:41:31 GMT; httponly; Path=/

<?xml version='1.0'?>
<methodResponse>
<fault>
<value><struct>
<member>
<name>faultCode</name>
<value><int>403</int></value>
</member>
<member>
<name>faultString</name>
<value><string>XML_RPC privileges are required to perform this operation. You don't have the required permissions.</string></value>
</member>
</struct></value>
</fault>
</methodResponse>

It seems that the XmlRpcPlugin will return a 200 OK status code even if authentication is required. Shouldn't it send a different status code so curl knows that it should send the authentication data to the server?

Thanks
Michael
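Michael's two captured responses show the mechanism at work: Digest is challenge-driven, so a client such as curl --digest sends no credentials at all until it receives a 401 with a WWW-Authenticate: Digest header. The script below is an added illustration, not code from the thread or from XmlRpcPlugin. It implements both sides of the RFC 2617 exchange (qop=auth) and runs the same "curl-like" client once against a server that challenges, the way an httpd or lighttpd digest module in front of /login/ would, and once against a server that mimics the observed plugin behaviour: 200 OK with the 403 wrapped in an XML-RPC fault and no challenge. The realm, user name, password and nonce values are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets


def md5_hex(text):
    # RFC 2617 Digest is defined over MD5; that is a protocol constraint,
    # not a choice, and one reason Digest adds little over Basic-over-TLS.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_auth_params(header):
    """Turn 'Digest k="v", k2=v2' (WWW-Authenticate or Authorization) into a dict."""
    _, _, params = header.partition(" ")
    found = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params):
        found[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return found


def digest_response(username, password, realm, method, uri, nonce, nc, cnonce):
    """The 'response' value of RFC 2617 section 3.2.2 for qop=auth."""
    ha1 = md5_hex("%s:%s:%s" % (username, realm, password))
    ha2 = md5_hex("%s:%s" % (method, uri))
    return md5_hex(":".join([ha1, nonce, nc, cnonce, "auth", ha2]))


def build_authorization(username, password, method, uri, challenge, cnonce,
                        nc="00000001"):
    realm, nonce = challenge["realm"], challenge["nonce"]
    resp = digest_response(username, password, realm, method, uri, nonce, nc, cnonce)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", '
            'qop=auth, nc=%s, cnonce="%s", response="%s"'
            % (username, realm, nonce, uri, nc, cnonce, resp))


def digest_protected_server(users, realm="trac", nonce=None):
    """Server side as a digest module in front of /login/ would behave.
    Simplified: one fixed nonce and no nc replay tracking."""
    nonce = nonce or secrets.token_hex(16)

    def handle(method, uri, headers):
        authz = headers.get("Authorization", "")
        if authz.startswith("Digest "):
            p = parse_auth_params(authz)
            password = users.get(p.get("username"))
            if password is not None and p.get("nonce") == nonce and p.get("uri") == uri:
                expected = digest_response(p["username"], password, realm, method,
                                           uri, nonce, p.get("nc", ""),
                                           p.get("cnonce", ""))
                if hmac.compare_digest(expected, p.get("response", "")):
                    return 200, {"Content-Type": "text/xml"}, "<methodResponse/>"
        # No or bad credentials: challenge, which is what makes the client act.
        challenge = 'Digest realm="%s", qop="auth", nonce="%s"' % (realm, nonce)
        return 401, {"WWW-Authenticate": challenge}, "Unauthorized"

    return handle


def trac_plugin_like_server(method, uri, headers):
    """Mimics the captured behaviour: no challenge, 200 OK, 403 inside a fault."""
    fault = ("<?xml version='1.0'?><methodResponse><fault><value><struct>"
             "<member><name>faultCode</name><value><int>403</int></value></member>"
             "<member><name>faultString</name><value><string>XML_RPC privileges "
             "are required to perform this operation.</string></value></member>"
             "</struct></value></fault></methodResponse>")
    return 200, {"Content-Type": "text/xml"}, fault


def curl_digest_flow(server, username, password, method="POST", uri="/login/xmlrpc"):
    """Mimic `curl --digest --user u:p`: the first request is anonymous and
    credentials go out only in reply to a 401 carrying a Digest challenge."""
    status, headers, body = server(method, uri, {})
    www = headers.get("WWW-Authenticate", "")
    if status != 401 or not www.startswith("Digest "):
        return {"status": status, "credentials_sent": False, "body": body}
    challenge = parse_auth_params(www)
    authz = build_authorization(username, password, method, uri, challenge,
                                cnonce=secrets.token_hex(8))
    status, headers, body = server(method, uri, {"Authorization": authz})
    return {"status": status, "credentials_sent": True, "body": body}


if __name__ == "__main__":
    users = {"admin": "s3cret"}  # constructed sample credentials
    print(curl_digest_flow(digest_protected_server(users), "admin", "s3cret"))
    print(curl_digest_flow(trac_plugin_like_server, "admin", "s3cret"))
```

Against the challenging server the second request carries a verified Authorization header; against the plugin-like server the client never sends credentials, so the 403 fault is the only thing it will ever see, whatever user name and password were supplied. That matches the "same response for a wrong password" observation that comes up later in the thread.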

Olemis Lang

Aug 26, 2013, 12:16:45 PM8/26/13
to trac-...@googlegroups.com
On 8/26/13, Feuermurmel <michi....@gmail.com> wrote:
> Hi Simon
>
> On Wednesday, February 15, 2012 7:58:14 PM UTC+1, osimons wrote:
>>
>> There is no problem using the RPC plugin with digest auth - or any
>> particular other auth for that matter. The RPC plugin just uses what
>> it gets from Trac, and if Trac can authenticate then the plugin is
>> fine with that.
>>
>> The real problem is that CLIENTS generally don't support digest auth,
>> or any other particular auth mechanism other than lowest common
>> denominator: Basic Authentication. So something like Python xmlrpclib
>> only supports Basic auth. However, if you were to build a custom
>> client that provides its own authentication handlers, all should be
>> fine. Other clients for other platforms like Java, .Net or whatever
>> may support further mechanisms - including Digest. I don't know. But
>> in the end it all depends on the client.
>>
>> If you configure a project with digest auth, you should have no
>> problem using curl to make authenticated calls to a Trac /rpc handler.
>> "man curl" for all details of curl options... :-)
>>
>
> Are you sure?

I do (and I'm sure of the fact that osimons will). I use this on a
regular basis, but it requires the correct config; might be tricky.

> I'm not getting the XMLRPC interface to work using curl and
> digest authentication:
>

What other plugins have you deployed? There are a number of
interactions that can make this fail, especially if you are using
AccountManagerPlugin together with server (e.g. apache2) digest auth
handlers, in which case check this out:

http://trac-hacks.org/wiki/XmlRpcPlugin#ProblemswhenAccountManagerPluginisenabled

> $ curl --data '<?xml
> version="1.0"?><methodCall><methodName>wiki.getPage</methodName><params><param><value><string>SandBox</string></value></param></params></methodCall>'
>
> --header 'Content-Type: text/xml' --digest --user "$user:$password"
> --dump-header - 'http://localhost:8080/login/xmlrpc'
[...]
>
> It seems that the XmlRpcPlugin will return a 200 OK status code even if
> authentication is required.

Actually what (I think that) is happening there is that user
authentication succeeded but Trac did not detect the REMOTE_USER,
thus falling back to anonymous login.

> Shouldn't it send a different status code so
> curl known that it should send the authentication data to the server?
>

It should ...

- What's the HTTP server?
- Digest auth is enabled, what about anonymous access?
  * If anonymous access to /login/... is forbidden then you'll
    get the expected HTTP error status.
- Have you tried using an invalid password or non-existent user?

[...]

--
Regards,

Olemis - @olemislc

Apache™ Bloodhound contributor
http://issues.apache.org/bloodhound
http://blood-hound.net

Blog ES: http://simelo-es.blogspot.com/
Blog EN: http://simelo-en.blogspot.com/

Feuermurmel

Aug 27, 2013, 7:33:30 AM8/27/13
to trac-...@googlegroups.com
On Monday, August 26, 2013 6:16:45 PM UTC+2, olemis wrote:
What other plugins have you deployed? There are a number of
interactions that can make this fail, especially if you are using
AccountManagerPlugin together with server (e.g. apache2) digest auth
handlers, in which case check this out:

http://trac-hacks.org/wiki/XmlRpcPlugin#ProblemswhenAccountManagerPluginisenabled

I have the AccountManagerPlugin installed, sorry that I didn't mention it. I did follow the advice and added environ_auth_overwrite = false under [account-manager]. I had the following additional plugins installed but I have now removed them all. The response is still the same.

AdvancedTicketWorkflowPlugin-0.11dev-py2.6.egg
Bitten-0.6-py2.6.egg
FootNoteMacro-1.03-py2.6.egg
keywordreplace-0.0.1-py2.6.egg
PDFRedirector-0.3-py2.6.egg
trac_MultiRepoSearchPlugin-0.6-py2.6.egg
TracDragDrop-0.12.0.10-py2.6.egg
TracSQLHelper-0.2.2-py2.6.egg
TracTags-0.7dev-py2.6.egg

> $ curl --data '<?xml
> version="1.0"?><methodCall><methodName>wiki.getPage</methodName><params><param><value><string>SandBox</string></value></param></params></methodCall>'
>
> --header 'Content-Type: text/xml' --digest --user "$user:$password"
> --dump-header - 'http://localhost:8080/login/xmlrpc'
[...]
>
> It seems that the XmlRpcPlugin will return a 200 OK status code even if
> authentication is required.

Actually what (I think that) is happening there is that user
authentication succeeded but Trac did not not detect the REMOTE_USER ,
thus falling back to anonymous login .

I changed the request to use a user "admin", to which I gave TRAC_ADMIN and on top of that XML_RPC permissions. Looking at the output on the console, it really looks like the authentication is not picked up by Trac:

11:59:33 Trac[main] DEBUG: Dispatching <RequestWithSession "POST '/xmlrpc'">
11:59:33 Trac[web_ui] DEBUG: RPC incoming request of content type 'text/xml' dispatched to <tracrpc.xml_rpc.XmlRpcProtocol object at 0x1075dc790>
11:59:33 Trac[web_ui] DEBUG: RPC(XML-RPC) call by 'anonymous'
11:59:33 Trac[xml_rpc] DEBUG: RPC(xml) parse error: no element found: line 1, column 0
11:59:33 Trac[main] DEBUG: Negotiated locale: None -> en_US
11:59:33 Trac[web_ui] ERROR: RPC(XML-RPC) Error
Traceback (most recent call last):
  File "build/bdist.macosx-10.8-intel/egg/tracrpc/web_ui.py", line 143, in _rpc_process
    rpcreq = req.rpc = protocol.parse_rpc_request(req, content_type)
  File "build/bdist.macosx-10.8-intel/egg/tracrpc/xml_rpc.py", line 97, in parse_rpc_request
    raise ProtocolException(xmlrpclib.Fault(-32700, to_unicode(e)))
ProtocolException: <Fault -32700: u'no element found: line 1, column 0'>
11:59:33 Trac[main] DEBUG: Dispatching <RequestWithSession "POST '/xmlrpc'">
11:59:33 Trac[web_ui] DEBUG: RPC incoming request of content type 'text/xml' dispatched to <tracrpc.xml_rpc.XmlRpcProtocol object at 0x1075dc790>
11:59:33 Trac[web_ui] DEBUG: RPC(XML-RPC) call by 'anonymous'
11:59:33 Trac[xml_rpc] DEBUG: RPC(xml) call by 'anonymous', method 'wiki.getPage' with args: ('SandBox',)
11:59:33 Trac[perm] DEBUG: No policy allowed anonymous performing XML_RPC on None
11:59:33 Trac[web_ui] ERROR: RPC(XML-RPC) Error
Traceback (most recent call last):
  File "build/bdist.macosx-10.8-intel/egg/tracrpc/web_ui.py", line 149, in _rpc_process
    req.perm.require('XML_RPC') # Need at least XML_RPC
  File "/opt/local/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/site-packages/trac/perm.py", line 579, in require
    raise PermissionError(action, resource, self.env)
PermissionError
11:59:33 Trac[main] DEBUG: Negotiated locale: None -> en_US
 
> Shouldn't it send a different status code so
> curl known that it should send the authentication data to the server?

It should ...

  - What's the HTTP server ?

Before your reply, I was using "tracd -s -p 8080 $env" locally. I now use lighttpd/1.4.32 with mod_fastcgi for the tests, which is what we also use on our server. The console output above is what I see when running lighttpd using "lighttpd -D -f lighttpd.conf". lighttpd is not configured to handle any of the authentication.
 
  - Digest auth is enabled , what about anonymous access ?

anonymous has all the *_VIEW permissions it has by default after trac-admin initenv, if you mean that.
 
    * If anonymous access to /login/... is forbidden then you'll
      get the expected HTTP error status.

When I access http://localhost:8080/login/xmlrpc in my browser after logging out, I get an error message telling me that I need XML_RPC permissions to access the page. The page is delivered using a status code of 403. But when I access the same URI using curl, curl sends a POST request and receives a response with a status code of 200.
 
  - Have you tried using an invalid password or non-existent user ? 

I did, I get exactly the same response in both cases. But looking at the response headers of the first response, without a WWW-Authenticate header I don't think curl is able to send the authentication data to the server in the second request.

Thanks!
Michael
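The console output above is the decisive evidence: both RPC calls are attributed to 'anonymous' and the permission check fails on XML_RPC, even though curl was given a user name. The small checker below is an added example for this thread, not a Trac or XmlRpcPlugin tool; it reads Trac debug log lines of the format shown above (a constructed sample is embedded, copied in shape from the output above with one extra line for an authenticated call), records which user each RPC call ran as, and reports whether the credentials ever reached Trac. It is a quick way to tell "authentication never arrived" (REMOTE_USER unset) from "authenticated but lacking XML_RPC permission".

```python
import re

# Trac writes the method name on the xml_rpc line; the web_ui line only
# carries the user.
CALL_RE = re.compile(r"RPC\((?:XML-RPC|xml)\) call by '([^']+)'(?:, method '([^']+)')?")
DENY_RE = re.compile(r"No policy allowed (\S+) performing (\S+) on")

# Constructed sample, shaped like the tracd/lighttpd debug output in the
# thread; the final 'admin' line is added to show what a successful
# authentication looks like.
SAMPLE_LOG = """\
11:59:33 Trac[main] DEBUG: Dispatching <RequestWithSession "POST '/xmlrpc'">
11:59:33 Trac[web_ui] DEBUG: RPC(XML-RPC) call by 'anonymous'
11:59:33 Trac[xml_rpc] DEBUG: RPC(xml) call by 'anonymous', method 'wiki.getPage' with args: ('SandBox',)
11:59:33 Trac[perm] DEBUG: No policy allowed anonymous performing XML_RPC on None
11:59:33 Trac[web_ui] ERROR: RPC(XML-RPC) Error
12:03:10 Trac[web_ui] DEBUG: RPC(XML-RPC) call by 'admin'
12:03:10 Trac[xml_rpc] DEBUG: RPC(xml) call by 'admin', method 'wiki.getPage' with args: ('SandBox',)
"""


def audit_rpc_auth(log_text, expected_user):
    """Summarise RPC calls per user and decide whether credentials for
    expected_user ever reached Trac."""
    calls, denials = [], []
    for line in log_text.splitlines():
        m = CALL_RE.search(line)
        if m and m.group(2):  # only the line that names the method
            calls.append({"user": m.group(1), "method": m.group(2)})
        m = DENY_RE.search(line)
        if m:
            denials.append({"user": m.group(1), "action": m.group(2)})

    as_expected = [c for c in calls if c["user"] == expected_user]
    anonymous = [c for c in calls if c["user"] == "anonymous"]
    anon_denied = [d for d in denials if d["user"] == "anonymous"]
    if as_expected:
        verdict = "credentials reached Trac for %s" % expected_user
    elif anonymous and anon_denied:
        verdict = ("calls ran as anonymous and were denied: credentials never "
                   "reached Trac (REMOTE_USER unset, no auth handler on /login/)")
    elif anonymous:
        verdict = "calls ran as anonymous"
    else:
        verdict = "no RPC calls found"
    return {"calls": calls, "denials": denials,
            "authenticated_calls": len(as_expected),
            "anonymous_calls": len(anonymous), "verdict": verdict}


if __name__ == "__main__":
    report = audit_rpc_auth(SAMPLE_LOG, "admin")
    for call in report["calls"]:
        print("%-10s %s" % (call["user"], call["method"]))
    print(report["verdict"])
```

Run it on the output of `tracd` or the FastCGI process with the user you passed to curl; one anonymous denial for every request you sent authenticated is the signature of the REMOTE_USER problem rather than a permission problem.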

Feuermurmel

Aug 27, 2013, 8:29:15 AM8/27/13
to trac-...@googlegroups.com
On Monday, August 26, 2013 6:16:45 PM UTC+2, olemis wrote:
  - Digest auth is enabled , what about anonymous access ?
    * If anonymous access to /login/... is forbidden then you'll
      get the expected HTTP error status.

Is it possible that the authentication work needs to be done by the HTTP server for XmlRpcPlugin to work? I've now tried to set up lighttpd to do digest authentication for any URL that matches "^/login/xmlrpc" and it seems to work. Using both curl and Requests for Python I was able to make a successful XMLRPC request.

Regards
Michael

Olemis Lang

Aug 27, 2013, 12:32:53 PM8/27/13
to trac-...@googlegroups.com
On 8/27/13, Feuermurmel <michi....@gmail.com> wrote:
> On Monday, August 26, 2013 6:16:45 PM UTC+2, olemis wrote:
>>
>> - Digest auth is enabled, what about anonymous access?
>> * If anonymous access to /login/... is forbidden then you'll
>> get the expected HTTP error status.
>>
>
> Is it possible that the authentication work needs to be done by the HTTP
> server for XmlRpcPlugin to work?
>
[...]

Yes, of course. When account manager is deployed you somehow have to
specify that RPC requests will have to be touched by some digest auth
handler. That could be one of:

- Server digest auth module ...
- trachacks:HttpAuthPlugin

Indeed I usually set the match for "^/login/.*" but that's up to you
to decide ...

> I've now tried to set up lighttpd to do
> digest authentication for any URL that matches "^/login/xmlrpc" and it
> seems to work. Both curl and using Requests for Python I was able to make a
> successful XMLRPC request.
[...]

\o/

Feuermurmel

Sep 16, 2013, 7:57:24 AM9/16/13
to trac-...@googlegroups.com
On Tuesday, August 27, 2013 6:32:53 PM UTC+2, olemis wrote:
On 8/27/13, Feuermurmel <michi....@gmail.com> wrote:
> On Monday, August 26, 2013 6:16:45 PM UTC+2, olemis wrote:
>>
>>   - Digest auth is enabled, what about anonymous access?
>>     * If anonymous access to /login/... is forbidden then you'll
>>       get the expected HTTP error status.
>>
>
> Is it possible that the authentication work needs to be done by the HTTP
> server for XmlRpcPlugin to work?
>
[...]

Yes, of course. When account manager is deployed you somehow have to
specify that RPC requests will have to be touched by some digest auth
handler. That could be one of:

  - Server digest auth module ...
  - trachacks:HttpAuthPlugin

Indeed I usually set the match for "^/login/.*" but that's up to you
to decide ...

Aha! That seems to have cleared things up a lot for me, thanks! I'll investigate HttpAuthPlugin and, seeing that Python's rpclib doesn't support digest authentication, I'm probably going to switch to SSL + basic authentication anyway.

Regards
Michael