#11518 closed defect (worksforme)
xmlrpc authentication does not work
| Reported by: | Owned by: | Steffen Hoffmann | |
|---|---|---|---|
| Priority: | normal | Component: | XmlRpcPlugin |
| Severity: | normal | Keywords: | |
| Cc: | Olemis Lang | Trac Release: | 1.0 |
Description
Hi, we have installed trac with xmlrpc
We want to use it to connect to the trac instance bye xmlrpc.net
For some reason every call response with error 403 permission denied, user new XML_RPC permission. But username and password are correct.
We use AccountManagerPlugin and Active Directory authentication.
In the case we assign XML_RPC to the anonymous user, things work correct. But not in the case we specially set the permission only to the connecting user.
Trac 1.0 TracAccountManager 0.3.2 TracXMLRPC 1.1.2-r13203
Setting
[account-manager] environ_auth_overwrite = false
does not change the behavior.
May anyone can help on this issue?
Kind regards, Gernot
Attachments (0)
Change History (4)
comment:1 follow-up: 2 Changed 11 years ago by
| Component: | XmlRpcPlugin → AccountManagerPlugin |
|---|---|
| Owner: | changed from osimons to Steffen Hoffmann |
comment:2 Changed 11 years ago by
Replying to osimons:
[...]
Posting custom HTML login forms and storing authentication cookies just isn't done by API clients, so you somehow need something that can challenge the client within its expected capabilities.
e.g. if using Apache web server then enforcing Require valid_user
From what I can see from the docs it seems AccountManagerPlugin now has gained some feature to do this: See XmlRpcPlugin#ProblemswhenAccountManagerPluginisenabled From your ticket description it seems this setting is already correctly set, so I think the best bet would be to move this ticket there and have others look at the authentication problem.
It's still necessary to challenge the client . That option is only aimed at not erasing HTTP auth stored by the web server in REMOTE_USER if available .
BTW, you are of course posting your RPC request to
login/rpcURL so that Trac will challenge authentication for the request?
FWIW, valid user rule should be set on /login/* paths relative to environment base path .
[...]
comment:3 Changed 11 years ago by
| Resolution: | → worksforme |
|---|---|
| Status: | new → closed |
Thank you for pushing me into the right direction.
It's up an working now. I've added Basic Authentication (using ldap) for <trac-site>/login/rpc and use this path as connection URL.
Users with permission of XML_RPC can now access the trac instance via xml-rpc.
Best regards, Gernot
The problem is simple: XML-RPC.NET client library does not have any idea of how the custom forms-based login of AccountManagerPlugin works. The various general purpose libraries for all languages seem to only support Basic authentication, and sometimes Digest authentication.
Posting custom HTML login forms and storing authentication cookies just isn't done by API clients, so you somehow need something that can challenge the client within its expected capabilities.
From what I can see from the docs it seems AccountManagerPlugin now has gained some feature to do this: See XmlRpcPlugin#ProblemswhenAccountManagerPluginisenabled From your ticket description it seems this setting is already correctly set, so I think the best bet would be to move this ticket there and have others look at the authentication problem.
BTW, you are of course posting your RPC request to
login/rpcURL so that Trac will challenge authentication for the request?Both clients and authentication are really outside the scope of this plugin so there isn't much left that I can do about it. However, by all means update the XmlRpcPlugin documentation if you discover a new problem and/or a new solution to existing problem.