Hi!

I would like to implement some authentication mechanism on top of an existing nevow site using HTTP basic auth for a web service. I have looked at guard.py from nevow but it seems to be far more complex and I don't quite understand if it uses HTTP basic auth. I am not interested in setting up sessions or other stateful mechanisms. Since authorization may be required for POST or something like that, I would like to stick to simple HTTP basic auth since simple clients may not correctly handle redirection on POST.

twisted.web2 authentication seems to be a good start, but I am using Nevow. Has someone already done a HTTP basic auth with nevow? In fact, my case is very similar to the one here: http://twistedmatrix.com/pipermail/twisted-web/2007-January/003270.html

But, as I said, Nevow's guard.py seems best suited for web app authentication, not for web services. Can anyone confirm/infirm? Should I look into twisted.web2 and hack authentication from it to Nevow?

Thanks.

On 08/01/2008 11:49 Vincent Bernat wrote:
> twisted.web2 authentication seems to be a good start, but I am using Nevow. Has someone already done a HTTP basic auth with nevow? In fact, my case is very similar to the one here: http://twistedmatrix.com/pipermail/twisted-web/2007-January/003270.html
>
> But, as I said, Nevow's guard.py seems best suited for web app authentication, not for web services. Can anyone confirm/infirm?

Guard is for web based applications authentication, yes. If you're doing something other than this, you probably do want HTTP auth.

Doing HTTP authentication yourself for a web service should be as simple as returning a 403 error until you get a positive authentication. There may be some implementations around for doing this as a resource using t.cred.

Digging through some of my older work with t.w turned up the following (obviously extinct and horrific code, but shows what you're looking for)

    import md5                      # Python 2 era module
    from twisted.web import http

    # BaseResources is not shown in the post.

    class Page(object):
        def authenticateUser(self, request, passinfo):
            # Compare the supplied user and the MD5 digest of the supplied
            # password against the stored values.
            user, password = request.getUser(), md5.md5(request.getPassword()).digest()
            if user == passinfo['username'] and password == passinfo['password']:
                return True
            return False

        def render(self, request, realm, passinfo):
            if self.authenticateUser(request, passinfo):
                return self.documentRender(request)
            else:
                # Ask the client for Basic credentials.
                request.setResponseCode(http.UNAUTHORIZED)
                request.setHeader('WWW-authenticate', 'basic realm="%s"' % realm)
                return BaseResources.ErrorAuth().render()

-- 
Colin Alston ~ http://www.karnaugh.za.net/
"To the world you may be one person, to one person you may be the world" ~ Rachel Ann Nunes.

Colin Alston wrote:
> class Page(object):
>     def authenticateUser(self, request, passinfo):
>         user, password = request.getUser(), md5.md5(request.getPassword()).digest()

FWIW, the nevow version is about the same:

    from nevow import athena, inevow, rend
    from twisted.web import http

    class MyPage(athena.LivePage or rend.Page):
        def renderHTTP(self, ctx):
            request = inevow.IRequest(ctx)
            username, password = request.getUser(), request.getPassword()
            # x and y stand for the expected username and password.
            if self.useAuth and (username, password) == (x, y):
                secure.info("rendering page because http auth is set")
                return rend.Page.renderHTTP(self, ctx)
            else:
                # Challenge the client for Basic credentials.
                request.setHeader('WWW-Authenticate', 'Basic realm="topsecret"')
                request.setResponseCode(http.UNAUTHORIZED)
                return "Authentication required."

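Added example, not part of the thread and not Nevow or Twisted code: a framework-independent version of the credential check both replies sketch, storing a salted PBKDF2 key instead of a plaintext password or bare MD5 digest and comparing in constant time. The names `REALM`, `ITERATIONS`, `make_record`, `parse_basic`, `check`, `basic_header` and the sample user are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

REALM = "webservice"    # hypothetical realm name
ITERATIONS = 200_000    # PBKDF2 work factor (assumed value)

def make_record(password, salt=None):
    """Return (salt, derived_key) to store instead of the password."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key

def basic_header(user, password):
    """Client side: build the Authorization header value."""
    raw = ("%s:%s" % (user, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_basic(header):
    """Decode 'Basic <base64(user:pass)>'; return (user, password) or None."""
    if not header:
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    # Only the first colon separates; the password may contain colons.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def check(header, users):
    """Return (status, headers) for one request; users maps name -> record."""
    creds = parse_basic(header)
    if creds is not None:
        user, password = creds
        # Unknown users still cost one PBKDF2 run, so response time does
        # not reveal which names exist.
        salt, stored = users.get(user, (b"\0" * 16, b""))
        _, candidate = make_record(password, salt)
        if hmac.compare_digest(candidate, stored):
            return 200, {}
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}

# Constructed sample data, not from the thread.
USERS = {"alice": make_record("s3cret")}
```

Basic credentials are only base64-encoded on the wire, so a check like this belongs behind TLS.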

participants (3)
- Colin Alston
- Drew Perttula
- Vincent Bernat