The Smell of XML-RPC is in the Air

Sunday, 2006-09-03; 04:52:00


A solution to the previous two problems, and yet another problem crops up

Guh! I can smell victory.. it is within my reach! But I still have a small problem.

Peter kindly figured out how to escape special words in AppleScript, and I had even provided the link for him to figure it out! To escape a reserved word in AppleScript, you need to surround it by two pipe characters -- shift-backslash. So to stop "visible" from turning into "pvis", I just needed to change it to "|visible|" instead. Simple enough, if a little weird. Yay!

The second problem was going to be harder. I obviously couldn't sniff the packets since they were encrypted, as they were using the HTTPS protocol. But, given that iWeb has to know to where to connect to authenticate, it standed to reason that the URL would be contained somewhere within the code of iWeb.

In the packet dumps of the previous entry, you can see that the user agent URL is DotMacKit. This is a special framework that's provided with iWeb and is contained within the application package. I revealed the contents of iWeb and browsed to the executable of the DotMacKit framework and opened it up in TextEdit. Since previous calls were being made using XML-RPC, I did a quick search for the string "xmlrpc". And immediately this popped out at me:

Dot Mac Kit Code

This seemed to indicate some sort of authentication session happening at the URL https://www.mac.com/WebObjects/Info.woa/wa/XMLRPC/accountInfo . The troubling thing was that it seemed to require three parameters, not two. For authentication, two seems more reasonable: a username and a password. What would the third parameter be? Not only that, but when making a call to that application with something for the three parameters continually returned a blank result, instead of an error. Of course, "accountInfo" isn't exactly synonymous with "authenticate".

So that kind of led to a dead end. On a hunch, I searched for "comment.setCommentPropertiesForResources", which came up with this:

Dot Mac Kit Code

As you can see, this seems to indicate all the methods to which the XML-RPC application WSComments.woa responds. And one of them is "comment.authenticate"! That sounds more promising.

And so this AppleScript:

tell application "https://www.mac.com/WebObjects/WSComments.woa/xmlrpc"
        call xmlrpc {method name:"comment.authenticate", parameters:{"simx", "noyoumaynothavemypassword"}}
end tell


seems to correctly authenticate using my .mac account's user/pass combination! There are a number of ways to confirm this -- sending an incorrect password brings back an "org.apache.xmlrpc.XmlRpcException: Invalid username or password" error. The result of sending the correct username and password is also a "true" value, indicating success.

The only problem is, even after authenticating, I'm still getting that "org.apache.xmlrpc.XmlRpcException: Session not found. Re-authenticate" error when trying to call other methods for the WSComments.woa application. Argh!

Looking back at the previous packet dumps, it looks like they have a cookie associated with them, which might be what the WSComments.woa application is looking for. I figured that maybe AppleScript was using some non-standard way of communicating using XML-RPC and therefore wasn't keeping a cookie from the call that authenticates, but I constructed a Cocoa application to make the XML-RPC calls and that's still giving me the same error. (See Ranchero for a simple tutorial on creating Cocoa XML-RPC requests.)

So.. that's where I'm at right now. Anybody know how to preserve the authentication in subsequent XML-RPC calls? This seems to be the last hurdle.


Technological Supernova   Tips   Older   Newer   Post a Comment