XML.com: XML From the Inside Out
oreilly.comSafari Bookshelf.Conferences.


Internet Scripting: Zope and XML-RPC

January 12, 2000

Related XML.com Articles

Creating XML Applications with Zope (9/15/99)

Backends Sharing Data: Implementing XML-RPC in PHP (8/11/99)

XML-RPC is a simple protocol for sending remote procedure calls over the Internet using XML and HTTP. Zope is an Open Source application server that publishes objects on the Internet. Together they form a simple system of remotely scriptable web objects. Zope provides the web objects and XML-RPC provides a language-neutral communication protocol. This article will demonstrate how to script web objects using XML-RPC with Zope.

Scripting Web Objects

Zope puts objects on the Web and XML-RPC lets you script those objects.

All Zope objects have a URL, and all Zope objects have methods that can be called over the Web. Normally you call methods on Zope objects through your web browser. XML-RPC gives you the power to control your web site programmatically. By using XML-RPC with Zope, your web site literally becomes an application that can service client programs as well as web browsers.

Since XML-RPC is built into Zope, all your Zope objects are XML-RPC-enabled. You don't have to do any extra work to set up your web site. You can use XML-RPC to script your Zope objects using Zope's standard API.

The ability to script remote objects can be very powerful. Since you have access to the full Zope API through XML-RPC, you've got full control. Any action you can perform with the Zope management interface can be programmed with XML-RPC. You can create and edit documents via XML-RPC. You can query and manipulate object properties. You can search Zope. You can call your own custom Zope objects and methods. You can even create new users and control security policies. Plus, XML-RPC is language-independent so you don't have to learn a new language to use it.

An Example

Let's jump right in. Here's how to retrieve the title of the Zope.org web site via XML-RPC in Perl:

use Frontier::Client;
$server = Frontier::Client->new(url => "http://www.zope.org/");
print $server->call('title_or_id'); # prints "Welcome to Zope.org"

Note: to run this example you'll need Ken MacLeod's XML-RPC Perl package.

How does this program work? The program opens an HTTP connection to http://www.zope.org. Then it sends a message encoded in XML that requests the title_or_id method to be called. Zope locates the target object and calls its title_or_id method. Then Zope encodes the response and returns it to the program. Finally, the program decodes the response and prints it.

XML-RPC Protocol

XML-RPC is an extremely simple protocol. It uses XML to encode function calls and responses and sends these messages over HTTP.

In the example above, the Perl program sent this XML message to Zope as the body of an HTTP request.

<?xml version='1.0'?>

This request tells Zope to call the title_or_id method with no arguments. Zope called the method and then returned this response as the body of an HTTP response.

<?xml version='1.0'?>
<value><string>Welcome to Zope.org</string></value>

The response indicates that the method call was successful and that the result was the string, "Welcome to Zope.org".

XML-RPC leverages existing standards to create a basic remote procedure call protocol. This makes XML-RPC simple and appealing.

For a fuller discussion of the XML-RPC protocol, see Backends Sharing Data and the official XML-RPC web site.

XML-RPC Security

XML-RPC provides no security provisions. This may sound like a shortcoming, but in many respects it is an advantage. Since XML-RPC does not mandate any security protocol, Zope's normal security policies work just fine with XML-RPC.

One of Zope's greatest features is its simple and powerful security model. Every public method of a Zope object is protected by a security permission. Zope allows you to flexibly assign permissions to users. Zope authenticates users over HTTP with basic authentication or cookies.

To access protected Zope methods, your XML-RPC client must know how to perform HTTP basic authentication. Not all XML-RPC clients currently support basic authentication. Here's an example of how to extend an XML-RPC client to support basic authentication.


Recently a group of vendors (including Microsoft) announced the creation of the SOAP specification, a distributed objects protocol similar to XML-RPC. Digital Creations, the original developers of Zope, announced that a future version of Zope will support SOAP.

The main differences between SOAP and XML-RPC are that SOAP provides a more complete model for calling methods on remote objects, SOAP is on track to become standardized by the IETF, and SOAP is likely to have greater support in the world of COM and Visual Basic.

We're happy to have Zope speak as many powerful, open protocols as possible. Zope's SOAP support is likely to operate in a manner similar to its XML-RPC support.

XML-RPC Limitations

There are limits to what you can do with XML-RPC and Zope. XML-RPC's marshalling is limited in the kinds of objects it can pass to and from methods. This makes it difficult to call Zope methods that require Zope objects as arguments. XML-RPC's notion of method calling does not allow named method parameters. In addition, most Zope APIs were designed to be called from a web browser or a Zope template. So accomplishing some tasks with XML-RPC may be more awkward than you would like. Fortunately, these problems have solutions in sight.

SOAP should address most of the technical shortcomings of XML-RPC. Additionally, an effort currently underway to overhaul the Zope API to provide a less HTML-centric interface should improve the ease of remote scripting.

Pages: 1, 2, 3

Next Pagearrow