[Opensim-dev] Problem with User server in grid mode retrieving User Profile
Impalah
impalah at gmail.com
Fri Nov 21 09:56:36 UTC 2008
Ok, I've been reviewing the code and think that there isn't any way to
authenticate an user from a service published on Opensim.exe (grid mode); I
suposse will be the same to other servers. User server does not provide
methods for authetication.
I pretend something like that:
- I have an Opensim(mono) plugin, managed from Opensim.exe.
- In the initialization I publish a service in the xmlrpc server (is exactly
the way RemoteController does)
m_httpd.AddXmlRPCHandler("execute_command",
XmlRpcExecuteCommandMethod, false);
- I receive username/lastname and password in the xmlrpc request; the
command XmlRpcExecuteCommandMethod is executed.
And now, the problem: I have access to OpenSimBase, which allows me to
access to communicationsManager, and from here to any server, but I can't
find any method in user server to auth.
LoginServer.cs has the public method AuthenticateUser(UserProfileData
profile, string password) which only returns a boolean but it isn't
published in the UserServer for remote authentication.
If you are asking why the hell I could need this thing... the answer is
simple: I'm improving the RemoteAdmin service, which I need to my Henshin
(autocad to sl/opensim importer) tool. I want to provide a secure plugin for
opensim users who want to use this tool (me, for example). The improvement
is simple: I have included a Facade and a Command Factory pattern which will
allow anyone to create "admin" plugins accesible from xmlrpc and are
isolated from the "opensim engine" (if one core method changes, only some
commands will be affected and not the whole system)
I could have used libopenmv, but I prefer a "native" solution and not to use
hacks.
I'm not a security expert so if anyone can tell me which security
implications could have this way to "remote authenticate"...
Greetings
2008/11/21 Frisby, Adam <adam at deepthink.com.au>
> Uhh it should be salted.
>
>
>
> There's a passwordSalt field for a reason.
>
>
>
> Adam
>
>
>
> *From:* opensim-dev-bounces at lists.berlios.de [mailto:
> opensim-dev-bounces at lists.berlios.de] *On Behalf Of *Alan M Webb
> *Sent:* Thursday, 20 November 2008 4:14 PM
> *To:* opensim-dev at lists.berlios.de
> *Subject:* Re: [Opensim-dev] Problem with User server in grid mode
> retrieving User Profile
>
>
>
>
> I believe it exports a service which you can pass the login data you
> received and get an authentication response (true or false). I don't have my
> system up at the moment, so I can't check the details. OpenSim doesn't
> actually use any salt when it stores the password, so that makes it easier
> to handle.
>
> You need one of the grid owners to respond, I use stand-alone pretty much
> exclusively.
>
> Best regards
> Alan
> -------------------
> T.J. Watson Research Center, Hawthorne, NY
> 1-914-784-7286
> alan_webb at us.ibm.com
>
> From:
>
> Impalah <impalah at gmail.com>
>
> To:
>
> opensim-dev at lists.berlios.de
>
> Date:
>
> 11/20/2008 06:32 PM
>
> Subject:
>
> Re: [Opensim-dev] Problem with User server in grid mode retrieving
> User Profile
>
>
> ------------------------------
>
>
>
>
> Damn!!!
>
> Then, is there another "clean" way to authenticate an user when using
> xmlrpc calls? (like RemoteAdmin does).
>
> The dirty trick of setting a "master" password in opensim.ini is quite...
> well if I had a "commercial" grid the idea of delivering an unique password
> to everyone who wants to use some services will make me sweat... :-(
>
> Thanks for the quick response, Alan
>
>
>
> 2008/11/21 Alan M Webb <alan_webb at us.ibm.com>
>
> Yes, I stumbled over the same thing too. What I discovered (well actually
> Mic Bowman or John Hurliman): For security reasons, the user server
> suppresses password information in remote requests for user profile
> information. This is deliberate and necessary to preserve the fragile shreds
> of security we currently have.
>
> Best regards
> Alan
> -------------------
> T.J. Watson Research Center, Hawthorne, NY
> 1-914-784-7286*
> *alan_webb at us.ibm.com
>
> From:
>
> Impalah <impalah at gmail.com>
>
> To:
>
> opensim-dev at lists.berlios.de
>
> Date:
>
> 11/20/2008 06:13 PM
>
> Subject:
>
> [Opensim-dev] Problem with User server in grid mode retrieving User
> Profile
>
>
> ------------------------------
>
>
>
>
>
> Hi:
>
> I'm having a strange problem retrieving user profiles only in GRID mode
> (standalone works ok): the field PasswordHash (I need this field to do a
> xmlrpc authentication) is empty.
>
> I'm using version 0.6, I can't remember the svn release, it's from 1 week
> ago, Windows XP SP3, Net 2.0 and Mysql.
>
> I couldn't find any issue in Mantis so my question is: is this a feature
> for grid mode or something similar?
>
> The code in MySQLUserData.cs is the same for both modes and couldn't find
> any "strange" line in User Server code:
>
> IDbCommand result = dbm.Manager.Query("SELECT * FROM " + m_agentsTableName
> + " WHERE UUID = ?uuid",
> param);
>
>
> Any idea?
>
> Greetings
> _______________________________________________
> Opensim-dev mailing list*
> *Opensim-dev at lists.berlios.de*
> *https://lists.berlios.de/mailman/listinfo/opensim-dev
>
>
>
> _______________________________________________
> Opensim-dev mailing list*
> *Opensim-dev at lists.berlios.de*
> *https://lists.berlios.de/mailman/listinfo/opensim-dev
>
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-dev
>
>
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://opensimulator.org/pipermail/opensim-dev/attachments/20081121/036bc0b7/attachment-0001.html>
More information about the Opensim-dev
mailing list