Securing Xindice XML-RPC Server With Basic Authentication
Xindice XML-RPC server, and Xindice XML-RPC driver both support HTTP Basic Authentication (starting with 1.1b4 development version). To implement basic authentication of your server, you have to do the following:
- Configure users and roles in the servlet engine
- Configure Xindice XML-RPC Server
- Configure Xindice XML-RPC Driver (Client side)
Configure users and roles in the servlet engine
Xindice XML-RPC server is deployed as web application on top of the servlet engine, so first servlet engine should be configured to support authentication. This configuration is servlet engine dependent, and for Jetty consists from the following steps:
- Add / edit / verify users and roles in realm.properties file (see tools/jetty/conf/realm.properties)
# This is a HashUserRealm defining users passwords and roles. # The format is # <username>: <password>[,<rolename> ...] # # Passwords may be clear text, obfuscated or checksummed. The class # org.mortbay.util.Password should be used to generate obfuscated # passwords or password checksums xindice: manager, xindice
This creates user xindice with role xindice and password manager.
2. Edit / verify main.xml file (see tools/jetty/conf/main.xml)
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<!-- Add and configure "xindice" user realm -->
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<Call name="addRealm">
<Arg>
<New class="org.mortbay.http.HashUserRealm">
<Arg>xindice</Arg>
<Arg><SystemProperty name="xindice.home" default="."/>/tools/jetty/conf/realm.properties</Arg>
<Set name="Name">xindice</Set>
</New>
</Arg>
</Call>
Configure Xindice XML-RPC Server
This consists of editing web.xml file (see config/web.xml) and specifying role name for the Xindice server web application:
<!--
- Security constraint on the Xindice WebApp allows to protect
- Xindice XML-RPC server with Basic HTTP Authentication.
-
- In addition to this configuration, servlet engine should have
- "xindice" realm configuration. For Jetty config, see tools/jetty/main.xml
-
-->
<security-constraint>
<web-resource-collection>
<web-resource-name>Xindice Server</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>xindice</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>xindice</realm-name>
</login-config>
<security-role>
<role-name>xindice</role-name>
</security-role>
Configure Xindice XML-RPC Driver (Client side)
Xindice XML-RPC driver should be configured to know the username and password it should use to access the server. This can be done with system properties.
-Dxindice.xmlrpc.user=xindice -Dxindice.xmlrpc.password=manager
In particular, you can add these arguments to the file $TOMCAT_HOME/webapps/xindice/WEB-INF/xindice.sh, on the line that begins with $JAVACMD. For example, (edited for brevity)
$JAVACMD ... -Dxindice.xmlrpc.user=xindice -Dxindice.xmlrpc.password=manager -classpath "$CP" org.apache.xindice.tools.XMLTools $*
Or programmatically:
String driver = "org.apache.xindice.client.xmldb.DatabaseImpl";
Class c = Class.forName(driver);
Database database = (Database)c.newInstance();
// In 1.1b5, use constants:
// DatabaseImpl.PROP_XMLRPC_USER
// DatabaseImpl.PROP_XMLRPC_PASSWORD
database.setProperty("xmlrpc-user", "xindice");
database.setProperty("xmlrpc-password", "manager");
DatabaseManager.registerDatabase(database);
String uri = "xmldb:xindice://localhost:8080/db";
Collection col = DatabaseManager.getCollection(uri);
[Note: Above should work with xindice-1.1b4; if it does not, try pulling xindice-1.1b5 from source and building that. Make sure that you have the latest required .jar files in the classpath of your application or jre/lib/endorsed directory - it will not work with old Xindice client library.]