XML RPC Service

XML RPC Service

Bernhard Donaubauer
Hello,

I think about replacing an old xml-rpc service written in perl with groovy.

There are examples using groovy-xmlrpc like here:
https://gist.github.com/bjfish/370521

But I wonder if this module is still maintained. While I can find the
jar files in the repositories I can't find the according project or sources.

Regards,
Bernhard Donaubauer

Re: XML RPC Service

Jacques Le Roux-2

Hi Bernhard,

Actually XML-RPC is no longer maintained, last fix in 3.1.3 is for

http://www.openwall.com/lists/oss-security/2011/10/05/10

And there are CVEs pending :

https://0ang3el.blogspot.com/2016/07/beware-of-ws-xmlrpc-library-in-your.html

Other TLPs might be affected, I guess Archiva has been picked because being the 1st in alphabetical order...

HTH

Jacques


On 19/07/2018 at 17:25, Bernhard Donaubauer wrote:
> Hello,
>
> I think about replacing an old xml-rpc service written in perl with groovy.
>
> There are examples using groovy-xmlrpc like here:
> https://gist.github.com/bjfish/370521
>
> But I wonder if this module is still maintained. While I can find the
> jar files in the repositories I can't find the according project or sources.
>
> Regards,
> Bernhard Donaubauer

Re: XML RPC Service

Jacques Le Roux-2
Wait I was too fast, I did not notice it was only about org.codehaus.groovy:groovy-xmlrpc (and not Java Apache XML-RPC)
Hopefully it's not affected by the same security issues, I don't know and would be interested about that...

Thanks

Jacques

On 21/07/2018 at 16:50, Jacques Le Roux wrote:

> Hi Bernhard,
>
> Actually XML-RPC is no longer maintained, last fix in 3.1.3 is for
>
> http://www.openwall.com/lists/oss-security/2011/10/05/10
>
> And there are CVEs pending :
>
> https://0ang3el.blogspot.com/2016/07/beware-of-ws-xmlrpc-library-in-your.html
>
> Other TLPs might be affected, I guess Archiva has been picked because being the 1st in alphabetical order...
>
> HTH
>
> Jacques
>
>
> On 19/07/2018 at 17:25, Bernhard Donaubauer wrote:
> > Hello,
> >
> > I think about replacing an old xml-rpc service written in perl with groovy.
> >
> > There are examples using groovy-xmlrpc like here:
> > https://gist.github.com/bjfish/370521
> >
> > But I wonder if this module is still maintained. While I can find the
> > jar files in the repositories I can't find the according project or sources.
> >
> > Regards,
> > Bernhard Donaubauer

Re: XML RPC Service

Russel Winder-3
In reply to this post by Jacques Le Roux-2
I suspect XML-RPC is pure legacy. It evolved into SOAP and that is pure
legacy.

All the Web Services folk I know are now using RESTful HTTP/HTTPS
microservices.

On Sat, 2018-07-21 at 16:50 +0200, Jacques Le Roux wrote:

> Hi Bernhard,
>
> Actually XML-RPC is no longer maintained, last fix in 3.1.3 is for
>
> http://www.openwall.com/lists/oss-security/2011/10/05/10
>
> And there are CVEs pending :
>
> https://0ang3el.blogspot.com/2016/07/beware-of-ws-xmlrpc-library-in-your.html
>
> Other TLPs might be affected, I guess Archiva has been picked because
> being the 1st in alphabetical order...
>
> HTH
>
> Jacques
>
>
> On 19/07/2018 at 17:25, Bernhard Donaubauer wrote:
> > Hello,
> >
> > I think about replacing an old xml-rpc service written in perl with
> > groovy.
> >
> > There are examples using groovy-xmlrpc like here:
> > https://gist.github.com/bjfish/370521
> >
> > But I wonder if this module is still maintained. While I can find
> > the
> > jar files in the repositories I can't find the according project or
> > sources.
> >
> > Regards,
> > Bernhard Donaubauer
> >
>
>
--
Russel.
===========================================
Dr Russel Winder      t: +44 20 7585 2200
41 Buckmaster Road    m: +44 7770 465 077
London SW11 1EN, UK   w: www.russel.org.uk


Re: XML RPC Service

MG
I have no personal experience with either XML-RPC, SOAP or REST (DB Developer, Web-GUI needs covered by Vaadin), but this guy expresses a different (seemingly pragmatic) opinion (and he is using Groovy ;-) ):
https://sites.google.com/a/athaydes.com/renato-athaydes/posts/thereturnofrpc-orhowrestisnolongertheonlyrespectablesolutionforapis

(Generally speaking, in modern software development especially the web development domain to me seems to suffer from an overabundance of "this is the absolute right way to do things !" - until a newer/hipper/... (or simply different ?-) ) approach comes along the next year...; I mean I am not saying there is no improvement in some areas, but it took the web guys how many decades to rediscover configurable, encapsulated GUI components as a general concept ?-) )

Cheers,
mg


On 24.07.2018 12:33, Russel Winder wrote:
> I suspect XML-RPC is pure legacy. It evolved into SOAP and that is pure
> legacy.
>
> All the Web Services folk I know are now using RESTful HTTP/HTTPS
> microservices.
>
> On Sat, 2018-07-21 at 16:50 +0200, Jacques Le Roux wrote:
> > Hi Bernhard,
> >
> > Actually XML-RPC is no longer maintained, last fix in 3.1.3 is for
> >
> > http://www.openwall.com/lists/oss-security/2011/10/05/10
> >
> > And there are CVEs pending :
> >
> > https://0ang3el.blogspot.com/2016/07/beware-of-ws-xmlrpc-library-in-your.html
> >
> > Other TLPs might be affected, I guess Archiva has been picked because
> > being the 1st in alphabetical order...
> >
> > HTH
> >
> > Jacques
> >
> >
> > On 19/07/2018 at 17:25, Bernhard Donaubauer wrote:
> > > Hello,
> > >
> > > I think about replacing an old xml-rpc service written in perl with
> > > groovy.
> > >
> > > There are examples using groovy-xmlrpc like here:
> > > https://gist.github.com/bjfish/370521
> > >
> > > But I wonder if this module is still maintained. While I can find
> > > the
> > > jar files in the repositories I can't find the according project or
> > > sources.
> > >
> > > Regards,
> > > Bernhard Donaubauer




Re: XML RPC Service

MG
In reply to this post by Bernhard Donaubauer
This Java lib also looks interesting, since it seems quite compact and
explicitly mentions support for asynchronous calls (if you need that),
which looks like it would lend itself nicely to be wrapped in some
Groovy goodness (see below):
https://github.com/gturri/aXMLRPC

What we have found is, that oftentimes the best approach - if something
is not covered by the core Groovy libraries already - is to pick the
best/supported/maintained Java library, and develop your own Groovy
wrapper as you go along. This is what we did with Vaadin (works like a
charm), and are now planning to do for Apache LDAP. I usually use a
static Groovy class for low level function-type support, and add
configurable instance helper classes as needed. It does not take much
effort to write these on the go, and you can use the newest Groovy
features (many older Groovy based libraries are quite dynamic in nature
I have found; if you are coming from Perl you might not mind, but coming
from a C/C++/Java background myself I prefer as much static type safety
as I can get - and modern Groovy (combined with a good IDE with Groovy
support (I use IntelliJ myself, but the Eclipse Groovy support recently
got a major update afaik) delivers on that, with @CompileStatic,
@Delegate/traits, final fields support in ctors, etc)).

Cheers,
mg


On 19.07.2018 17:25, Bernhard Donaubauer wrote:

> Hello,
>
> I think about replacing an old xml-rpc service written in perl with groovy.
>
> There are examples using groovy-xmlrpc like here:
> https://gist.github.com/bjfish/370521
>
> But I wonder if this module is still maintained. While I can find the
> jar files in the repositories I can't find the according project or sources.
>
> Regards,
> Bernhard Donaubauer
>


Re: XML RPC Service

Russel Winder-3
In reply to this post by MG
On Wed, 2018-07-25 at 21:53 +0200, MG wrote:
> I have no personal experience with either XML-RPC, SOAP or REST (DB
> Developer, Web-GUI needs covered by Vaadin), but this guy expresses
> a
> different (seemingly pragmatic) opinion (and he is using Groovy ;-)
> ):
> https://sites.google.com/a/athaydes.com/renato-athaydes/posts/thereturnofrpc-orhowrestisnolongertheonlyrespectablesolutionforapis

He also does a lot of Ceylon work, but that is for a different
thread.

> (Generally speaking, in modern software development especially the
> web
> development domain to me seems to suffer from an overabundance of
> "this
> is the /absolute /right way to do things !" - until a
> newer/hipper/...
> (or simply different ?-) ) approach comes along the next year...; I
> mean
> I am not saying there is no improvement in some areas, but it took
> the
> web guys how many decades to rediscover configurable, encapsulated
> GUI
> components as a general concept ?-) )
Everything in software development is tribal and fashion driven,
sometimes a fashion leads to a genuine intellectual improvement.

In a sense RPC over HTTP and RESTful Web Service are isomorphic.
However, RESTful Web Services is an HTTP solution to an HTTP transport
problem. Obviously it was new and shiny and therefore fashionable and
it caught on because of that and the microservices movement. However it
has a consistency that is appealing, and for me a genuine move forward.

Yes there is gRPC and protobufs, I simply forget to mention them in
trying to describe modern orthodoxy in Web Services – mostly I suspect
because I do not actually use it at all. Renato confirms in his article
that RESTful is the current orthodoxy.

It is interesting that Renato ignores SOAP and returns to XML-RPC.  As
for his code, HandlerAPI should be extracted so that both client and
server guarantee the same interface. Also interesting that the code
doesn't deal with XML, it is entirely hidden. So much so that JSON-RPC
is effectively a drop in replacement. This will raise the XML vs. JSON
argument which is another "safe technology" vs "cool kids" debate the
outcome of which hinges totally on whether there is a schema of the
packets.

So in the end Renato's code (amended) gives a Java solution, which
immediately means there is a Groovy solution, to the problem of
replacing the Perl, and there is no need for a special Groovy package.
 
--
Russel.
===========================================
Dr Russel Winder      t: +44 20 7585 2200
41 Buckmaster Road    m: +44 7770 465 077
London SW11 1EN, UK   w: www.russel.org.uk


Re: XML RPC Service

Jacques Le Roux-2
On 26/07/2018 at 11:19, Russel Winder wrote:

> On Wed, 2018-07-25 at 21:53 +0200, MG wrote:
>> I have no personal experience with either XML-RPC, SOAP or REST (DB
>> Developer, Web-GUI needs covered by Vaadin), but this guy expresses
>> a
>> different (seemingly pragmatic) opinion (and he is using Groovy ;-)
>> ):
>> https://sites.google.com/a/athaydes.com/renato-athaydes/posts/thereturnofrpc-orhowrestisnolongertheonlyrespectablesolutionforapis
> He also does a lot of Ceylon work, but that is for a different
> thread.
>
>> (Generally speaking, in modern software development especially the
>> web
>> development domain to me seems to suffer from an overabundance of
>> "this
>> is the /absolute /right way to do things !" - until a
>> newer/hipper/...
>> (or simply different ?-) ) approach comes along the next year...; I
>> mean
>> I am not saying there is no improvement in some areas, but it took
>> the
>> web guys how many decades to rediscover configurable, encapsulated
>> GUI
>> components as a general concept ?-) )
> Everything in software development is tribal and fashion driven,
> sometimes a fashion leads to a genuine intellectual improvement.
>
> In a sense RPC over HTTP and RESTful Web Service are isomorphic.
> However, RESTful Web Services is an HTTP solution to an HTTP transport
> problem. Obviously it was new and shiny and therefore fashionable and
> it caught on because of that and the microservices movement. However it
> has a consistency that is appealing, and for me a genuine move forward.
>
> Yes there is gRPC and protobufs, I simply forget to mention them in
> trying to describe modern orthodoxy in Web Services – mostly I suspect
> because I do not actually use it at all. Renato confirms in his article
> that RESTful is the current orthodoxy.
>
> It is interesting that Renato ignores SOAP and returns to XML-RPC.  As
> for his code, HandlerAPI should be extracted so that both client and
> server guarantee the same interface. Also interesting that the code
> doesn't deal with XML, it is entirely hidden. So much so that JSON-RPC
> is effectively a drop in replacement. This will raise the XML vs. JSON
> argument which is another "safe technology" vs "cool kids" debate the
> outcome of which hinges totally on whether there is a schema of the
> packets.
>
> So in the end Renato's code (amended) gives a Java solution, which
> immediately means there is a Groovy solution, to the problem of
> replacing the Perl, and there is no need for a special Groovy package.
>    
I also read that (eg) medical data transfers still use SOAP (instead of REST) because of the complete confidentiality it guarantees.

Not sure it's totally right, but I know SOAP is secure when using WS-Security[1]

Jacques
[1] https://stackoverflow.com/questions/853620/secure-web-services-rest-over-https-vs-soap-ws-security-which-is-better


Re: XML RPC Service

Russel Winder-3
On Fri, 2018-07-27 at 13:26 +0200, Jacques Le Roux wrote:
> […]
>
> I also read that (eg) medical data transfers still use SOAP (instead
> of REST) because of the complete confidentiality it guarantees.
>
[…]

I am not sure which medical IT systems you are thinking of but the UK
NHS systems are still founded on the idea that Windows-XP is standard
and good.

--
Russel.
===========================================
Dr Russel Winder      t: +44 20 7585 2200
41 Buckmaster Road    m: +44 7770 465 077
London SW11 1EN, UK   w: www.russel.org.uk


Re: XML RPC Service

Jacques Le Roux-2
On 27/07/2018 at 14:06, Russel Winder wrote:

> On Fri, 2018-07-27 at 13:26 +0200, Jacques Le Roux wrote:
>> […]
>>
>> I also read that (eg) medical data transfers still use SOAP (instead
>> of REST) because of the complete confidentiality it guarantees.
>>
> […]
>
> I am not sure which medical IT systems you are thinking of but the UK
> NHS systems are still founded on the idea that Windows-XP is standard
> and good.
>
Sincerely I can't remember where I read that. If memory serves, it was a French article. The stackoverflow link on WS-Security I provided I think
explains the basic reasons.

Maybe REST has improved in this way, I'm not aware of it.

I'll not comment on Windows-XP :D

Jacques