On 1/24/06, Arnab Nandi <arnabdotorg@gmail.com> wrote:
I think you could build a Kerberos module.
The current popular option for most kerb + php setups I've seen (like one in my univ, which runs horde/imp) is to use standard auth systems to authenticate, and pass on HTTP headers with authentication tokens to the PHP script. Seems to work ok.
-Arnab
From what I've seen, Kerberos isn't a simple thing to implement. See: http://web.mit.edu/kerberos/www/dialogue.html which is a good high-level overview of the system (and it's still a little confusing).
After reading the Kerberos link above again, it raised an interesting issue about mutual authentication. In terms of the web service, how can the client be sure that it's sending its credentials to the right server?

Rather than overkilling the solution, in my mod to the xml-rpc system I made it tie into Drupal's authentication using user_authenticate(). So web service authentication isn't much different from logging into the website through user/login. The session key is returned and, instead of being passed as a cookie, is passed in the URL. In terms of security this isn't much less secure than regular PHP sessions.

The exception is the web server log files. You will probably wind up with a lot of /xmlrpc.php?token={secret}. Not too big of a deal, unless your server gets compromised and somebody steals the keys that are still valid. Mind you, if they have access to your httpd logs, you probably have bigger problems than a few compromised session keys. Also, the above would work seamlessly with HTTPS, which would be an easy way to protect the data from sniffing.

--
blog: http://www.mostlygeek.com
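The log-exposure point above, worked as an added example in Python (this is not code from the thread or from Drupal): the same session token is sent once in the query string and once as an XML-RPC method parameter in the POST body, a common-log-format line is constructed for each to show which one records the secret, and a small scanner then flags and redacts leaked tokens in constructed access-log lines. The token value, the log lines and the `node.load` method name are constructed for the example; `/xmlrpc.php?token=` comes from the message.

```python
import re
import xmlrpc.client
from urllib.parse import urlencode

# Constructed sample token; a real one would be the Drupal session id.
TOKEN = "c0ffee1234deadbeef"

def clf_line(method: str, path: str, query: str = "") -> str:
    """Build a constructed Apache common-log-format line.

    httpd logs the request line only; a POST body never reaches the log.
    """
    target = path + ("?" + query if query else "")
    return (f'203.0.113.7 - - [24/Jan/2006:10:00:00 -0500] '
            f'"{method} {target} HTTP/1.1" 200 512')

def request_token_in_url(token: str) -> tuple:
    """Token sent as /xmlrpc.php?token=...; returns (log line, request body)."""
    body = xmlrpc.client.dumps((1,), methodname="node.load")
    return clf_line("POST", "/xmlrpc.php", urlencode({"token": token})), body

def request_token_in_body(token: str) -> tuple:
    """Token sent as the first method parameter inside the XML-RPC body."""
    body = xmlrpc.client.dumps((token, 1), methodname="node.load")
    return clf_line("POST", "/xmlrpc.php"), body

# The token value following 'token=' in an /xmlrpc.php request line.
LEAK_RE = re.compile(r'"(?:GET|POST) /xmlrpc\.php\?[^" ]*\btoken=([^&" ]+)')

def leaked_tokens(log_lines):
    """Return every session token an httpd access log has recorded."""
    found = []
    for line in log_lines:
        m = LEAK_RE.search(line)
        if m:
            found.append(m.group(1))
    return found

def redact(line: str) -> str:
    """Mask the token value so archived logs stop holding live session keys."""
    return re.sub(r'(\btoken=)[^&" ]+', r'\1[REDACTED]', line)
```

Running `leaked_tokens` over a day's access log is a quick way to measure how many still-valid session keys the URL-token scheme has left on disk, and `redact` shows the minimal log-rotation hygiene if the scheme is kept.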