I’m working on an Ajax application that will be embedded in a WordPress page. The Ajax app exchanges data with servlets running on Tomcat. Now the servlets need a way to determine if a request comes from a user that is logged in to WordPress. And if the user is logged in, the servlets also must be able to determine the user’s id in order to be able to query the database. If the user is not logged in, the request will be denied.

So in other words, I need to let a servlet perform a request only if the user who caused the request is logged in to WordPress (version 3.3.x). Both the servlet (Tomcat) and WordPress (apache2) run on the same physical machine and share the same database.

In theory this could easily be solved by doing the following:

  1. During WordPress logon, some user token gets stored in a JavaScript variable.
  2. The Ajax app forwards the user token to the servlets on every call.
  3. The servlets use the token to query WordPress if it is valid (i.e. if the user is logged in) and perform or deny the request.

The question is how can this be implemented on the WordPress side?
Because, what makes the theory so complicated is the fact that I have not yet done any PHP programming.

First I was thinking of transmitting the wordpress_logged_in (auth) cookie to the servlet and letting the servlet query WordPress if the auth cookie is still valid. But as it seems, this can’t be done, as wp_validate_auth_cookie() always fails, even if cookie-data of a logged on user is passed.
Another solution could be to develop a plugin that stores the sessionid and userid in a table, which could easily be queried by the servlets.
Or maybe there’s another solution…


WordPress already has an API built in via an XMLRPC server. Meaning, you can make an XMLRPC request from your Java app and verify a username/password. Unfortunately, there’s no way to just authenticate through it as is.

That said, it’s very easy to roll your own. Just hook into xmlrpc_methods, a filter, and add yours. The array key you add will be the xmlrpc method you call from your app, and the value will be the function that gets called by the WordPress XMLRPC server.

<?php
add_filter('xmlrpc_methods', 'wpse39662_add_login_method' );
/**
 * Filters the XMLRPC methods to allow just checking the login/pass of
 * a given user
 */
function wpse39662_add_login_method( $methods )
{
    $methods['wpse39662.login'] = 'wpse39662_check_login';
    return $methods;
}

And the callback function, wpse39662_check_login, would get one argument passed to it, the array of things sent to the XMLRPC server.

<?php
function wpse39662_check_login( $args )
{
    $username = $args[0];
    $password = $args[1];

    $user = wp_authenticate( $username, $password );

    if( is_wp_error( $user ) )
    {
        return false;
    }
    return true;
}

Here’s all that as a plugin. With that installed and XMLRPC enabled on your WP site, you should be able to make requests with some XMLRPC client (I’m sure Java has one).

Here’s the code I used to test the above (Python XMLRPC client).

>>> import xmlrpclib as xmlrpc
>>> s = xmlrpc.ServerProxy('http://wordpress.dev/xmlrpc.php')
>>> s.wpse39662.login('admin', 'password')
True
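
The client check above, rewritten for Python 3 as an added example (not part of the original answer): it refuses to send the credentials over plain HTTP unless explicitly allowed and treats faults, transport errors and non-boolean replies as a failed login. `check_login`, `start_stub_server` and the sample account are assumptions made for this example; the stub only stands in for a WordPress site with the plugin installed.

```python
import threading
import xmlrpc.client
from xml.parsers.expat import ExpatError
from xmlrpc.server import SimpleXMLRPCServer


def check_login(endpoint, username, password, allow_plain_http=False):
    """Return True only if wpse39662.login answers with boolean True.

    Fails closed: XML-RPC faults, transport errors and malformed or
    non-boolean replies all count as "not authenticated".
    """
    if not endpoint.startswith("https://") and not allow_plain_http:
        # The method takes the password as an argument, so it must not
        # cross the network in cleartext.
        raise ValueError("refusing to send credentials over plain HTTP")
    proxy = xmlrpc.client.ServerProxy(endpoint)
    try:
        result = proxy.wpse39662.login(username, password)
    except (xmlrpc.client.Error, OSError, ExpatError):
        return False
    return result is True


def start_stub_server(accounts):
    """Constructed stand-in for a WordPress site with the plugin installed.

    Local testing only; `accounts` maps username -> password.
    """
    server = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False)
    server.register_function(
        lambda user, pw: accounts.get(user) == pw, "wpse39662.login")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/" % server.server_address[1]


if __name__ == "__main__":
    # Constructed sample account, matching the session shown above.
    server, url = start_stub_server({"admin": "password"})
    print(check_login(url, "admin", "password", allow_plain_http=True))
    print(check_login(url, "admin", "wrong", allow_plain_http=True))
    server.shutdown()
```
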
