Opened 9 months ago

Closed 9 months ago

Last modified 9 months ago

#11518 closed defect (worksforme)

xmlrpc authentication does not work

Reported by: mcdevil@…
Owned by: hasienda
Priority: normal
Component: XmlRpcPlugin
Severity: normal
Keywords:
Cc: olemis
Trac Release: 1.0

Description

Hi, we have installed trac with xmlrpc.

We want to use it to connect to the trac instance by xmlrpc.net.

For some reason every call responds with error 403 permission denied, user needs XML_RPC permission.
But username and password are correct.

We use AccountManagerPlugin and Active Directory authentication.

In the case we assign XML_RPC to the anonymous user, things work correctly. But not in the case we specially set the permission only to the connecting user.

Trac 1.0
TracAccountManager 0.3.2
TracXMLRPC 1.1.2-r13203

Setting

[account-manager]
environ_auth_overwrite = false

does not change the behavior.

Can anyone help with this issue?

Kind regards,
Gernot

Change History (4)

comment:1 follow-up: Changed 9 months ago by osimons

  • Component changed from XmlRpcPlugin to AccountManagerPlugin
  • Owner changed from osimons to hasienda

The problem is simple: XML-RPC.NET client library does not have any idea of how the custom forms-based login of AccountManagerPlugin works. The various general purpose libraries for all languages seem to only support Basic authentication, and sometimes Digest authentication.

Posting custom HTML login forms and storing authentication cookies just isn't done by API clients, so you somehow need something that can challenge the client within its expected capabilities.

From what I can see from the docs it seems AccountManagerPlugin now has gained some feature to do this: See XmlRpcPlugin#ProblemswhenAccountManagerPluginisenabled. From your ticket description it seems this setting is already correctly set, so I think the best bet would be to move this ticket there and have others look at the authentication problem.

BTW, you are of course posting your RPC request to login/rpc URL so that Trac will challenge authentication for the request?

Both clients and authentication are really outside the scope of this plugin so there isn't much left that I can do about it. However, by all means update the XmlRpcPlugin documentation if you discover a new problem and/or a new solution to an existing problem.

comment:2 in reply to: ↑ 1 Changed 9 months ago by olemis

Replying to osimons:

[...]

> Posting custom HTML login forms and storing authentication cookies just isn't done by API clients, so you somehow need something that can challenge the client within its expected capabilities.

e.g. if using Apache web server then enforcing Require valid_user

> From what I can see from the docs it seems AccountManagerPlugin now has gained some feature to do this: See XmlRpcPlugin#ProblemswhenAccountManagerPluginisenabled. From your ticket description it seems this setting is already correctly set, so I think the best bet would be to move this ticket there and have others look at the authentication problem.

It's still necessary to challenge the client. That option is only aimed at not erasing HTTP auth stored by the web server in REMOTE_USER if available.

> BTW, you are of course posting your RPC request to login/rpc URL so that Trac will challenge authentication for the request?

FWIW, valid user rule should be set on /login/* paths relative to environment base path.

[...]

comment:3 Changed 9 months ago by anonymous

  • Resolution set to worksforme
  • Status changed from new to closed

Thank you for pushing me in the right direction.

It's up and working now.
I've added Basic Authentication (using ldap) for <trac-site>/login/rpc and use this path as connection URL.

Users with permission of XML_RPC can now access the trac instance via xml-rpc.

Best regards,
Gernot

comment:4 Changed 9 months ago by osimons

  • Component changed from AccountManagerPlugin to XmlRpcPlugin

Goodie.
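
An added example, not part of the ticket or of either plugin's code: a Python probe for the condition discussed in comment:1 and comment:3, namely whether a URL such as `<trac-site>/login/rpc` issues an HTTP Basic challenge that an API client can answer. The function names, the use of `system.getAPIVersion` as the probe call, and the reading of a 403 and of an XML content type are assumptions.

```python
import base64
import urllib.error
import urllib.request

# system.getAPIVersion is a read-only XmlRpcPlugin method, used here as a harmless probe.
PROBE = (b"<?xml version='1.0'?><methodCall>"
         b"<methodName>system.getAPIVersion</methodName><params/></methodCall>")


def post_rpc(url, username=None, password=None, timeout=10):
    """POST the probe; return (status, offered auth schemes, content type)."""
    req = urllib.request.Request(url, data=PROBE, headers={"Content-Type": "text/xml"})
    if username is not None:
        # Basic credentials are only base64-encoded: use an https:// URL in production.
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, [], resp.headers.get_content_type()
    except urllib.error.HTTPError as err:
        offers = err.headers.get_all("WWW-Authenticate") or []
        schemes = [o.split(None, 1)[0].lower() for o in offers if o.strip()]
        return err.code, schemes, err.headers.get_content_type()


def diagnose(url, username, password):
    """Classify how an endpoint treats an API client, first without credentials."""
    status, schemes, ctype = post_rpc(url)
    if status == 200:
        # Assumption: an RPC answer is served as text/xml or application/xml.
        if ctype.endswith("/xml"):
            return "open: answers RPC without credentials (anonymous has XML_RPC)"
        return "no challenge: got a non-RPC page, probably the HTML login form"
    if status != 401:
        return f"no challenge: HTTP {status}, the client is never asked to authenticate"
    if "basic" not in schemes:
        return f"challenge uses {schemes or 'no scheme'}, not Basic"
    status, _, _ = post_rpc(url, username, password)
    if status == 200:
        return "ok: Basic challenge issued and credentials accepted"
    if status == 403:
        # Assumption: 403 after a successful login means the user lacks XML_RPC.
        return "authenticated, but the user lacks XML_RPC"
    return f"Basic challenge issued, but credentials rejected (HTTP {status})"
```

Running `diagnose` against both the plain RPC URL and the `login/rpc` URL shows which of them the web server actually protects.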
