I’m trying to build a client-server application and it seems that DRb is
a really nice way of doing this. The problem is that there doesn’t seem
to be any good way of actually locking down DRb if the service is
published on a publicly accessible port.
I have tried this:
Create a web service which accepts a username/password. A call hands
back a token (valid for 30 seconds) and adds the callers IP address to
the ACL for DRb. The caller must attach to DRb and present the token
within the 30 seconds or the ACL is reset and the token expires. I am
prepared to trust people with a valid login not to be running code which
will mangle the server.
The above seems to be a good way of securing the service, but soap4r has
(a) It hangs the client for 30 seconds after use when I try to start a
GTk thread. Weird!
(b) It doesn’t work in Ruby 1.9,
So, should I look into a less buggy (and more compatible) web service or
is there a way of setting up DRb on its own in such a way that
malevolent users can be screened? Or, can someone suggest a better way
of managing this?