SOAP / RPC Security?

Hi Torben,
I wonder if security on the TCP/IP interface is a consideration before the final release gets compiled? I appreciate that you may be looking for small/minor bug reports etc. - but perhaps the security side of the remote interface could be looked at, or at least we can perhaps talk about how it can be locked down.

If you need to control an external (WAN) PC, you’ll need a port open on the router - and while I accept that using a non-standard port would help, some form of security would be wise… Perhaps a password? Or maybe a list of “mAirList Machines Names” (a new config text-box, like “STUDIO1” or “HITS FM”)…

Just a thought…

The problem is that - despite being based on HTTP - SOAP does not support any simple, easy-to-use authentication model. You need to implement some sort of sessions and provide a special SOAP login service. I won’t be able to implement this for version 2.0.

Do you have a PHP-enabled web server at the remote (mAirList) site? I have just posted an example script in the German Feature Requests forum that demonstrates how to call the SOAP interface from a PHP script. You can then hide the mAirList machine behind the firewall, and your web server can act as a proxy to the command service, employing any authentication method the web server software offers, and forwarding only friendly requests to mAirList.

Torben

PS: Note that the SOAP protocol is broken in 1.5.48, only the proprietary RemObjects BIN interface is working; thus, mAirListCommand does work, but the PHP script does not. Will be fixed in 1.5.49.

How about building a password into the command? It wouldn’t be 100% secure, but it would be better than nothing? Something like:

BIN AUTOMATION 1 ON AUTH SECURE

mAirList would then simply read the command and check to see if the password ‘secure’ is in the config file; if it is, then process the command, if not, do nothing and maybe log the IP or something?

Just a thought…

Nice idea :)

Will be available as of v.49, Syntax is:

AUTH <password> <command>

Example:

AUTH mysecretpassword AUTOMATION 1 NEXT

Consider this a quick hack in order to offer any means of protection in version 2.0. It’s not secure in terms of any sophisticated notion of “security” ;) Future mAirList releases will offer much better options: multiple users, multiple password backends, fine-grained access control, perhaps encryption …

Torben
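
One way a front-end proxy like the one described earlier in the thread could check the `AUTH <password> <command>` form before forwarding anything, as an added example that is not mAirList's code and not from anyone in this thread. The function name, the allowlist of verbs and the sample address are assumptions.

```python
import hmac
import logging

log = logging.getLogger("auth_gate")  # hypothetical logger name

# Assumption: only the command shape seen in the thread is forwarded,
# "AUTOMATION <number> <verb>", with the two verbs the thread mentions.
ALLOWED_VERBS = {"ON", "NEXT"}


def check_command(line, configured_password, source_ip):
    """Return the inner command if `line` is a valid AUTH-wrapped command, else None."""
    if not configured_password:
        # An empty configured password would match "AUTH  <command>"; refuse outright.
        log.error("no password configured, rejecting everything")
        return None
    # The syntax is space separated, so the password itself cannot contain spaces.
    parts = line.strip().split(" ", 2)
    if len(parts) != 3 or parts[0] != "AUTH":
        log.warning("rejected command without AUTH prefix from %s", source_ip)
        return None
    _, password, command = parts
    # Constant-time comparison: timing does not reveal how much of the guess matched.
    if not hmac.compare_digest(password.encode(), configured_password.encode()):
        log.warning("rejected bad password from %s", source_ip)  # never log the guess
        return None
    fields = command.split()
    if (len(fields) != 3 or fields[0] != "AUTOMATION"
            or not (fields[1].isascii() and fields[1].isdigit())
            or fields[2] not in ALLOWED_VERBS):
        log.warning("rejected command outside allowlist from %s", source_ip)
        return None
    return " ".join(fields)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample input; 192.0.2.10 is a documentation address.
    for sample in ("AUTH mysecretpassword AUTOMATION 1 NEXT",
                   "AUTOMATION 1 NEXT",
                   "AUTH wrongguess AUTOMATION 1 NEXT",
                   "AUTH mysecretpassword SHUTDOWN"):
        print(repr(sample), "->", check_command(sample, "mysecretpassword", "192.0.2.10"))
```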

Great Torben :D

Cheers!