Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#11518 closed defect (worksforme)

xmlrpc authentication does not work

Reported by: mcdevil@…
Owned by: Steffen Hoffmann
Priority: normal
Component: XmlRpcPlugin
Severity: normal
Keywords:
Cc: Olemis Lang
Trac Release: 1.0

Description

Hi, we have installed trac with xmlrpc.

We want to use it to connect to the trac instance by xmlrpc.net.

For some reason every call responds with error 403 permission denied, user new XML_RPC permission. But username and password are correct.

We use AccountManagerPlugin and Active Directory authentication.

In the case we assign XML_RPC to the anonymous user, things work correctly. But not in the case we specially set the permission only to the connecting user.

Trac 1.0, TracAccountManager 0.3.2, TracXMLRPC 1.1.2-r13203

Setting

[account-manager]
environ_auth_overwrite = false

does not change the behavior.

Can anyone help with this issue?

Kind regards, Gernot

Change History (4)

comment:1 Changed 3 years ago by Odd Simon Simonsen

Component: XmlRpcPlugin → AccountManagerPlugin
Owner: changed from Odd Simon Simonsen to Steffen Hoffmann

The problem is simple: XML-RPC.NET client library does not have any idea of how the custom forms-based login of AccountManagerPlugin works. The various general purpose libraries for all languages seem to only support Basic authentication, and sometimes Digest authentication.

Posting custom HTML login forms and storing authentication cookies just isn't done by API clients, so you somehow need something that can challenge the client within its expected capabilities.

From what I can see from the docs it seems AccountManagerPlugin now has gained some feature to do this: See XmlRpcPlugin#ProblemswhenAccountManagerPluginisenabled. From your ticket description it seems this setting is already correctly set, so I think the best bet would be to move this ticket there and have others look at the authentication problem.

BTW, you are of course posting your RPC request to login/rpc URL so that Trac will challenge authentication for the request?

Both clients and authentication are really outside the scope of this plugin so there isn't much left that I can do about it. However, by all means update the XmlRpcPlugin documentation if you discover a new problem and/or a new solution to an existing problem.

comment:2 in reply to:  1 Changed 3 years ago by Olemis Lang

Replying to osimons:

> [...]
>
> Posting custom HTML login forms and storing authentication cookies just isn't done by API clients, so you somehow need something that can challenge the client within its expected capabilities.

e.g. if using Apache web server then enforcing Require valid-user

> From what I can see from the docs it seems AccountManagerPlugin now has gained some feature to do this: See XmlRpcPlugin#ProblemswhenAccountManagerPluginisenabled. From your ticket description it seems this setting is already correctly set, so I think the best bet would be to move this ticket there and have others look at the authentication problem.

It's still necessary to challenge the client. That option is only aimed at not erasing HTTP auth stored by the web server in REMOTE_USER if available.

> BTW, you are of course posting your RPC request to login/rpc URL so that Trac will challenge authentication for the request?

FWIW, valid user rule should be set on /login/* paths relative to environment base path.

> [...]

comment:3 Changed 3 years ago by anonymous

Resolution: worksforme
Status: new → closed

Thank you for pushing me in the right direction.

It's up and working now. I've added Basic Authentication (using ldap) for <trac-site>/login/rpc and use this path as connection URL.

Users with permission of XML_RPC can now access the trac instance via xml-rpc.

Best regards, Gernot

comment:4 Changed 3 years ago by Odd Simon Simonsen

Component: AccountManagerPlugin → XmlRpcPlugin

Goodie.
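
A check for the failure mode discussed in this ticket, added here as an example (it is not code from the ticket or from either plugin): it posts an XML-RPC call without credentials and reports whether the endpoint answers with an HTTP Basic/Digest challenge (401) or handles the caller as anonymous (403). `StubFrontend`, the `/trac` base path, the return labels and the use of `system.getAPIVersion` as the method name in the request body are assumptions made for the demo.

```python
import http.client
import http.server
import threading
import urllib.parse
import xmlrpc.client

def auth_challenge(url):
    """POST an XML-RPC call without credentials; return (status, auth scheme)."""
    parts = urllib.parse.urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=5)
    body = xmlrpc.client.dumps((), "system.getAPIVersion").encode()
    try:
        conn.request("POST", parts.path, body, {"Content-Type": "text/xml"})
        resp = conn.getresponse()
        header = resp.getheader("WWW-Authenticate") or ""
        return resp.status, (header.split()[0].lower() if header else None)
    finally:
        conn.close()

def diagnose(url):
    """Classify an endpoint by how it answers a request that has no credentials."""
    status, scheme = auth_challenge(url)
    if status == 401 and scheme in ("basic", "digest"):
        return "challenged"  # web server asks for HTTP auth; API clients can answer
    if status == 403:
        return "anonymous"   # no challenge: request ran as anonymous without XML_RPC
    return "open" if status == 200 else "unexpected"

class StubFrontend(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the web server in front of Trac, not Trac itself."""
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        protected = self.path.endswith("/login/rpc")
        self.send_response(401 if protected else 403)
        if protected:
            self.send_header("WWW-Authenticate", 'Basic realm="trac"')
        self.send_header("Content-Length", "0")
        self.end_headers()

def run_demo():
    """Run diagnose() against the local stub for both RPC paths."""
    server = http.server.HTTPServer(("127.0.0.1", 0), StubFrontend)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d/trac" % server.server_port
    try:
        return {path: diagnose(base + path) for path in ("/rpc", "/login/rpc")}
    finally:
        server.shutdown()
```

Against a real site, call `diagnose()` with the environment's own `/login/rpc` URL; a result of "anonymous" there means the web server is not challenging that path.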
