# Communicate and transfer with XML & HTTPS



## Sessa (Dec 21, 2018)

Hi guys,

Currently i search for a solution to establish a connection between my server and an inventory.
I need to establish the connection via https and need to use XML for the transfer from the data itself.

Example:
I need to retrieve some data / information from a database, e.g. B. a version number.

So I call a specific URL.

The XML structure includes the authentication. So the database asked "who are you?" And with the data in the XML, the request can be authenticated. Thus the connection stands (over https) and the transfer / exchange of the data can take place.
So I use https as a way of transferring and using XML to legitimize and share data.

Is that possible, as I imagine?


----------



## Sevendogsbsd (Dec 21, 2018)

Absolutely, this is how SOAP web services works. Unfortunately I only know how to pen test these and generally how they work, not how to set them up. I also would not have the XML data authenticate to the DB - better to have a component on the web server do that. If someone intercepts the XML transmission, they will be able to get your DB creds, which would obviously be a bad thing. Give me a couple of hours and I'll find some links to SOAP web services examples and post them.

Forgot to ask: is the communication between the web server and DB server going out over the Internet or just inside a protected LAN?


----------



## Sessa (Dec 22, 2018)

Alright. 
The communication need to be with https so the data can not intercepts. 
Im absolutly new in this topic so i dont know how to do this. Is curl here an way of solution?


----------



## Sessa (Dec 23, 2018)

Any Idea someone?


----------



## Sevendogsbsd (Dec 23, 2018)

It is my understanding what you are talking about is a web service. Unfortunately to my knowledge, these are coded in Java and are specialized for each use case. I believe you can run a web service in Apache Tomcat but you'd have to code the components in Java yourself, then deploy them. I would not include the authentication to the database  in the XML because despite it being HTTPS, anything in the middle that caches or can capture the traffic will be able to read the password.


----------



## Vull (Dec 23, 2018)

Not sure I understand exactly what you're trying to do here, but I use xmlhttprequest for client/server communications between an apache/php/postgresql server and its client programs running javascript inside web browsers. Basically, the client needs to access bits of database information, but wants to do it without reloading a whole web page into the browser, so it creates xmlhttprequest objects (XHRs) which send the requests, and then wait for the server to respond by returning the information requested. The requests are in the form of HTTPS "POST" or "GET" requests, and the responses can either be in xml format or plain text. The responses don't automatically get loaded into web pages, but rather are returned invisibly and behind the scenes into javascript memory buffers. It's been some years since I first implemented this, but I remember that I relied heavily on w3schools.com for reference. Since that time it appears that w3schools has become sort of ad-heavy so you might wish to find a better reference if you decide to go with XHRs. IIRC this is the same mechanism used by AJAX, JSON, and maybe SOAP (none of which I use myself, but have read a little bit about.) It took some time to get this implemented, but it works well, I still use it, and have used it fairly extensively. 

https://en.wikipedia.org/wiki/XMLHttpRequest

https://www.w3schools.com/xml/xml_http.asp

Hope this helps & good luck with your project.


----------



## shkhln (Dec 24, 2018)

I'm not sure how this is related to FreeBSD administration.



Sessa said:


> Currently i search for a solution to establish a connection between my server and an inventory.



If that is an existing pair of applications then you should look at the documentation for potential solution(s). If you are looking into writing a program, try at least to read up on _something_. For understanding web applications, I vaguely remember Django docs being quite a nice read. (Python is a totally mediocre language though.)


----------



## ruaoh (Dec 24, 2018)

I use cURL with "-o filename.xml" to save the results. 
https://stackoverflow.com/questions/14978411/http-post-and-get-using-curl-in-linux

..and you can add authentication with:
"Authorization: Basic BASE64_ENCODED_CREDENTIALS"


----------

